On September 1, the Ministry of Public Health launched Ma3an – Together Against Corona, a contact-tracing application intended to stop the spread of Covid-19. After a preliminary review, SMEX found that although the application collects limited personal data, it contains a few security flaws.

The Ministry of Public Health, in collaboration with the Faculty of Health and Sciences at the American University of Beirut (AUB), initially announced the launch of Ma3an on July 16 and released it in both the App Store and the Google Play store at the beginning of September. Functionally, the application utilizes Bluetooth and the Bluetooth administration permission to let users know when they have come in close contact with other users who have tested positive for Covid-19. When the application is activated it collects “contact data,” which includes “an encrypted user ID; random and temporary codes generated by the server; Bluetooth signal strength of other Ma3an users with whom you come into contact; date and time of contact.”

If a user tests positive for Covid-19, they are responsible for uploading the positive test to the application, though the app notes that Ministry of Public Health officials may call users and to ensure that they have uploaded their positive test. When the positive test is successfully uploaded, the application sends a notification asking to upload the user’s “contact data.” According to the privacy policy, the application automatically deletes the record of the contact data after 21 days.

Across the world, governments have launched contact-tracing applications to limit the spread of the virus. However, many of the applications, including the ones launched by Bahrain, Kuwait, and Qatar, came under scrutiny for collecting the geolocation of users, fundamentally tracking them and violating their right to privacy. Moreover, the Qatari application initially had a security flaw that could have exposed this sensitive information to third parties.

Unlike the controversial Bahraini, Kuwaiti, and Qatari applications, which rely on users’ location to trace contact between individuals, Ma3an, which is voluntary, uses bluetooth to track contact between users. On iPhones, the application only requests permission for Bluetooth, including the administration permission, and push notifications. On Android, however, the application does request user location data. According to the MoPH’s privacy policy, location is necessary for the application to function on older Androids, but the location data will not be uploaded to Ma3an’s servers.

Security concerns

Although Ma3an takes proactive measures to safeguard users’ privacy, the application, which was built by local mobile developer TEDMOB, has a few basic security flaws, leaving it vulnerable to third parties. After an initial static analysis by our digital security team, we found that the application lacks encryption and leaves users of older Androids potentially exposed to a 0day vulnerability. Many files in the application are hardcoded, which means that sensitive information, including administrator’s usernames and passwords, could be accessible to malicious actors. Likewise, the application’s SQL database, which executes raw SQL queries remains vulnerable to SQL injection attacks, or attacks that could let malicious third parties access sensitive information of both users and administrators. To minimize the risk of SQL injections, stronger input validation and dual signature techniques are required.

Additionally, the application’s V1 signature is not able to protect it from a zero-day vulnerability, known as Janus, which could affect users’ with Android 5.0 through 8.0. In an effort to reach more users, the application allows Android users with older versions to run the application; however, these users could become victims of a malicious attack that would enable a third part to send malicious content and framed data to the user’s device.The malicious content could give attackers the ability to access, upload, and reconfigure other data on the user’s phone.

We will continue to analyze the application and alert users if we observe any changes to the existing privacy policy.

Recommendations

  • We sent a list of security recommendations to the Ministry of Public Health.
  • We suggest that individuals with Android 5.0 to 8.0 avoid using the application if the device does not have the Android security update released in December 2017. You can check how to view the most recent update on your device here.

This page is available in a different language العربية (Arabic) هذه الصفحة متوفرة بلغة مختلفة