A cybersecurity company has inserted a devil icon into the Home Office settled status app to show it is at ‘serious risk of malware attack’.
Norwegian security company Promon said they found “no resistance” in their testing to find numerous security flaws in the EU Exit: ID document check app, which is used by EU citizens in the UK to confirm their identity as part of their applications.
Promon chief technology officer Tom Lysemose Hansen said the app, which is currently only available on Android, lacks “crucial” security measures.
The loopholes potentially allow hackers to steal passport information, passwords and facial scans, says Promon.
The company tested the app’s resilience against basic and commonly used attack methods and tools.
Lysemose Hansen told the FT: “The tools we used are typically very easily accessible and require very little technical skill to use.
“It means any type of bad actor could perform this attack, without sophisticated technical knowledge.”
He added that they had “experienced no resistance”.
He continued: “There is very little the end user can do, since this is a government app. There is a lot of responsibility on the app makers to provide security measures here, because of this level of trust.
“Very personal and sensitive information is being handled, and millions of people are using it so you would expect stringent protection measures, similar to banking apps.”
The company claims that the app doesn’t meet the minimum security standards on resisting these attacks, as set by the Mobile Application Security Verification Standard, although the Home Office said it “adheres to industry best practice”.
Promon’s testing says that under a malware attack, the app would be vulnerable to data breaches, hijacking and injecting with new code, without the app even noticing.
Such an attack could also modify or add malicious elements to the app, repackage and re-distribute the app, without the app noticing – which is how Promon managed to insert the devil icon into the app while it was running.
“At this time of political uncertainty, the last thing that people who are applying to remain in the UK need, or expect, are concerns around whether their passport information and photo IDs are being stolen by hackers,” he said.
“As the app will continue to grow in popularity and demand, with more people fearful of what will happen to them if the UK does leave, it means that it will become increasingly attractive to attackers, with the potential subsequent fallout devastating.”
The app has been downloaded more than one million times.
Promon CEO Gustaf Sahlman called on governments “to realise just how dangerous and mobile malware is, and to offer their end users’ protection”.
The Home Office told the FT: “We take the security and protection of personal information extremely seriously. The EU Exit: ID Document Check app is regularly tested by independent security firms against all known and emerging threats and adheres to industry best practice on security, performance and accessibility.
“Over a million people have used the app safely and we continually review our systems to ensure that it is kept safe.”