On September 1, the Ministry of Public Health launched Ma3an – Together Against Corona, a contact-tracing application intended to stop the spread of Covid-19. After a preliminary review, SMEX found that although the application collects limited personal data, it contains a few security flaws.
The Ministry of Public Health, in collaboration with the Faculty of Health and Sciences at the American University of Beirut (AUB), initially announced the launch of Ma3an on July 16 and released it in both the App Store and the Google Play store at the beginning of September. Functionally, the application utilizes Bluetooth and the Bluetooth administration permission to let users know when they have come in close contact with other users who have tested positive for Covid-19. When the application is activated it collects “contact data,” which includes “an encrypted user ID; random and temporary codes generated by the server; Bluetooth signal strength of other Ma3an users with whom you come into contact; date and time of contact.”
Across the world, governments have launched contact-tracing applications to limit the spread of the virus. However, many of the applications, including the ones launched by Bahrain, Kuwait, and Qatar, came under scrutiny for collecting the geolocation of users, fundamentally tracking them and violating their right to privacy. Moreover, the Qatari application initially had a security flaw that could have exposed this sensitive information to third parties.
Although Ma3an takes proactive measures to safeguard users’ privacy, the application, which was built by local mobile developer TEDMOB, has a few basic security flaws, leaving it vulnerable to third parties. After an initial static analysis by our digital security team, we found that the application lacks encryption and leaves users of older Android versions potentially exposed to a zero-day vulnerability. Many values in the application’s files are hardcoded, which means that sensitive information, including administrators’ usernames and passwords, could be accessible to malicious actors. Likewise, the application’s SQL database, which executes raw SQL queries, remains vulnerable to SQL injection attacks, that is, attacks that could let malicious third parties access sensitive information of both users and administrators. To minimize the risk of SQL injections, stronger input validation and dual signature techniques are required.
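The raw-query problem described above, as an added illustration that is not code from the Ma3an application or its backend: it puts a string-built SQLite query next to a version that validates the identifier format and binds it as a parameter. The table, column names and identifier pattern are assumptions, since the app’s real schema is not public.

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory stand-in for a user store (assumption: the real
    # schema of the app is unknown; "users" and its columns are placeholders).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid TEXT PRIMARY KEY, role TEXT, positive INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("u-1001", "user", 1), ("u-1002", "user", 0), ("admin-01", "admin", 0)],
    )
    return conn


def lookup_raw(conn, uid):
    # Vulnerable pattern: the caller-supplied value is pasted into the SQL text,
    # so a quote inside it changes the query's structure instead of being data.
    sql = "SELECT uid, role FROM users WHERE uid = '%s'" % uid
    return conn.execute(sql).fetchall()


# Assumed identifier shape; the real format used by the app is not public.
UID_RE = re.compile(r"[A-Za-z0-9-]{1,32}")


def lookup_safe(conn, uid):
    # Hardened pattern: reject anything outside the expected identifier shape,
    # then bind the value as a parameter so the driver never parses it as SQL.
    if not UID_RE.fullmatch(uid):
        raise ValueError("malformed user id")
    return conn.execute("SELECT uid, role FROM users WHERE uid = ?", (uid,)).fetchall()


def safe_accepts(conn, uid):
    # Convenience wrapper: True if the hardened lookup accepted the input.
    try:
        lookup_safe(conn, uid)
        return True
    except ValueError:
        return False
```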
Additionally, the application’s V1 signature is not able to protect it from a zero-day vulnerability, known as Janus, which could affect users with Android 5.0 through 8.0. In an effort to reach more users, the application allows Android users with older versions to run it; however, these users could become victims of a malicious attack that would enable a third party to send malicious content and framed data to the user’s device. The malicious content could give attackers the ability to access, upload, and reconfigure other data on the user’s phone.
- We sent a list of security recommendations to the Ministry of Public Health.
- We suggest that individuals with Android 5.0 to 8.0 avoid using the application if the device does not have the Android security update released in December 2017. You can check how to view the most recent update on your device here.