That COVID passport app may put your privacy at risk

How COVID passport apps risk your privacy
© Jovanmandic | Dreamstime.com

Even though the world’s attention has shifted to Ukraine, the COVID-19 pandemic is still a matter of concern. Millions of people have already stood in line to get their vaccinations and were issued a certificate as proof. Tap or click here for the places you are most likely to pick up the virus.

There are several ways to keep your paper vaccination card safe, but many have opted for digital versions. This has also contributed to the uptake in digital COVID passports, adopted by several countries as internationally-recognized proof.

It’s a good idea in theory, but it presents several challenges. Read on to see how digital passport apps could cause more harm than intended.

Here’s the backstory

While some states and cities have official digital vaccination apps that contain your details, there isn’t a universally agreed-upon app. This creates a problem, as many such apps are available in the Google Play Store and Apple’s App Store.

In a report from antivirus company Symantec, many of the digital vaccine passports lack the necessary protections to safeguard personal information. There are two standards: the SMART Health Card used in the U.S. and Canada, and the Electronic Health Certificate Container Format (HCERT) used in Europe.

As Symantec points out, you only need a QR code scanner to decode the data on a digital passport as the information is unencrypted. At the very least, this information includes your name, birthdate, and vaccination status.

Vaccine passport security
Credit: Symantec

The company looked at 40 digital vaccine passport apps and found 27 showed signs of risky privacy or security behavior.

  • More than 40% of the apps accessed external storage data on a mobile phone.
  • Over 30% of the apps didn’t require a secure connection to the internet to retrieve data.
  • Two apps sent unencrypted data that hackers could intercept.

While anybody with a QR code scanner can access the data, you must use a specific validation app to verify that the information is tamper-free.

Symantec explained that there are no checks and balances for these apps, as “anyone could use a fake state or medical named issuer URL with fake vaccination record data, and the validation app would blindly pass the person.”

What you can do about it

You might have limited options for presenting your digital passport, but there are ways for you to stay safe and take care of your data. Symantec warns that some apps can show your data on the iPhone or Android’s Wallet, possibly exposing it to hackers.

Here are ways to protect your data:

  • Check which permissions an app needs, and never allow applications to access more data than they should. Check reviews on the app stores to see if other users have reported problems.
  • Avoid using third-party apps for your digital vaccination passport. Instead, only use applications vetted by officials or your mobile phone’s built-in Wallet function.
  • Only download apps from official app stores and never from third-party options. Many of the apps found in third-party app stores can expose your data or contain malware.

Keep reading

Don’t download this COVID app! It’s spreading malware

Keep your COVID vaccine card safe with a holder – A 5-pack is $6 right now

Tags: Apple, Apple iPhone, apps, certificate, COVID-19, digital, malware, pandemic, passport, privacy, security, vaccination card, Vaccinations