



Hong Kong claims cybersecurity report on LeaveHomeSafe app to be inaccurate
The HKSAR government has defended its LeaveHomeSafe app against security flaws alleged in a report by a Polish cybersecurity firm.
According to the 7ASecurity report, released on 26 July 2022, the firm identified vulnerabilities and implementation flaws in the app during the testing period. The firm claimed that flaws in the app could possibly expose sensitive user information, and it said that the app is unclear on certain aspects, including where and how the app transmits data, potential remote code execution (RCE) issues, the app's backdoor and its root access. The cybersecurity firm's audit team also proved that the app fails to protect personally identifiable information (PII) at rest and in transit, and pointed to visit record weaknesses in transit and at rest, weakened TLS communications, insecure SD card usage and the app's potential for obfuscation.
The Office of the Government Chief Information Officer (OGCIO) responded in a statement released on 28 July 2022, stating the report is inaccurate and contains unfair accusations.
The spokesman for the OGCIO said: “All data related to personal privacy stored in the app are masked and encrypted. The number of downloads has exceeded eight million since its launch more than one year ago, and as a digital tool commonly used by the general public on a daily basis, no security or privacy-related incidents have been reported.”
“In addition, the OGCIO has repeatedly explained in response to the allegations related to the facial recognition module in May this year and reiterated that the app has never used nor requires any facial recognition function,” the spokesperson added.
The spokesman stressed that the app strictly follows the policies, requirements and standards of the HKSAR government on information security and privacy protection, and the technical specifications of the app have also been uploaded to the website in an open and transparent manner for public reference. “Prior to the launch of all major updated versions, the app has passed privacy impact assessments, security risk assessments and audits conducted by independent professional third parties to ensure that the app is safe and reliable. Relevant reports have also been uploaded to the website for public reference,” said the spokesman.
Moreover, each version of the "LeaveHomeSafe" mobile app must pass the stringent reviews of different app stores to ensure the apps available on the stores comply with the requirements of personal privacy protection. The OGCIO has also consulted the Office of the Privacy Commissioner for Personal Data on every new function added to the app to ensure the app complies with the Personal Data (Privacy) Ordinance, according to the statement.
7ASecurity is an independent organisation responsible for verifying whether the privacy and security claims of the official COVID-19 tracing app, prominently presented on the app homepage, are accurate. It is known that the app has not been professionally audited by any competent security firm before.
Previously in May, the LeaveHomeSafe app also faced some chatter after Factwire, an investigative news organisation which shut down last month, said that after converting the app's source code into readable Java source files, it discovered that LeaveHomeSafe's source code comprises about 20 folders, including a subfolder named “reactnative” which in turn comprises three folders titled “facedetector”, “camera” and “maskedview” respectively.