The Home Office’s Brexit app, which is designed to allow EU citizens to apply for UK residency, is potentially putting over one million users at risk of having their identity stolen, according to a new report.
The app, which requires users to scan their passports and faces as part of the application process, has been downloaded over 1,000,000 times.
Norwegian cybersecurity firm Promon found that the app floundered when pitted against common attack tools and tactics often used by hackers. The firm’s tests found that the Android app lacks the necessary functionality to prevent malware from reading and stealing user information.
“Attackers may modify or add malicious elements to the app, repackage and re-distribute the app, without the app noticing such changes or foreign elements,” Promon said.
“The app is [also] not resilient against code being injected while the app is running, allowing hijacking the app from the inside, by the use of basic and widely spread tools.”
“The app is not capable of noticing whether it is being used in a hostile environment, in which the basic security architectures of Android have been broken (as for example a rooted phone).”
It also does not use obfuscation and is vulnerable to even basic spyware designed to gather text entered into the app. According to researchers, the app does not meet the OWASP best practices and is exposing the huge number of EU citizens applying to stay in the UK post-Brexit.
Promon CTO Tom Lysemose Hansen said: “At this time of political uncertainty, the last thing that people who are applying to remain in the United Kingdom need, or expect, are concerns around whether their passport information and photo IDs are being stolen by hackers.”
“As the app will continue to grow in popularity and demand, with more people fearful of what will happen to them if the UK does leave [the EU], it means that it will become increasingly attractive to attackers, with the potential subsequent fallout devastating.”
“We see that too many high-value apps that possess and require personal and critical data run within untrusted environments, like insecure operating systems without necessary protection in place,” adds Promon CEO Gustaf Sahlman.
“Banks have been alert to this threat for many years, with the majority taking the necessary steps to ensure their apps contain the right level of security, and we call upon governments around the world to realize just how dangerous mobile malware is, and to offer their end-users protection.”