Experts and Symantec have found evidence that popular vaccine passport apps hand over personal information with zero encryption, along with other risky behaviors.

Image: Adobe Stock/Ronstik

The digital COVID-19 vaccine passport on your smartphone may be sharing more information than you think, said researchers at Symantec.

Vaccine passport apps are increasingly commonplace in the not-quite-post COVID-19 world we’re now living in. Unfortunately, a lack of anything even related to regulation has left the world of digital passports an incredibly insecure one.

“Employers, restaurants, even the neighborhood bar are relying on this system to be secure, accurate, and to maintain user privacy. The person using the passport is also expecting the same thing,” said Symantec researcher Kevin Watkins. Unfortunately, it seems that’s not the case.

How COVID-19 vaccine passport apps fail to secure data

Digital vaccine passports, Symantec pointed out, use a QR code to share encoded health data with the aforementioned businesses that may want proof of a customer’s vaccine status. The codes are generated using one of two standards: The SMART Health Card Framework, and the Electronic Health Certificate Container Format.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

Both standards do something risky with the data their QR codes contain: They encode it, but don’t encrypt it. What that means is that anyone with the QR code provided by the COVID-19 passport app can see all the data it contains.

“At a minimum, the personal data they contain includes the person’s name, date of birth, and vaccine status,” Watkins said. That isn’t the worst of it, though: Watkins said that the real problem is that all of the data provided via a QR code contains the information needed to start working on forgeries of passport apps and the data they contain.

In addition to failing to protect the data encoded by the QR code, 27 of the 40 vaccine passport apps that Symantec tested turned out to have risky behavior typically associated with mobile apps.

A full 43% of the passport apps required access to external storage, 38% operated without HTTPS, a couple apps also disabled SSL CA Validation and transmitted data unencrypted and one even contained hardcoded Amazon credentials.

Passports versus validation apps: Is one more secure?

Symantec also looked at passport validation apps, which are used to verify information presented by a consumer vaccine passport app.

Symantec considered several possible security flaws in validation apps, such as whether the app accessed URLs insecurely, how they transmitted and stored cloud data, and whether they were vulnerable to any of the behaviors discovered in passport apps.

“We looked for the same previously listed risky behaviors in seven validation apps available at the time of this report and found all of them to be safe,” Watkins said. He also noted that Symantec intends to continue testing new versions of both passports and validation apps to see if the flaws are being addressed.

How to safely store digital vaccine data

Watkins said that this is yet another reminder to be wary of apps that claim to protect personal privacy and data.

“Only give apps permission to private data that they require, nothing more. Whenever possible, avoid third-party apps claiming to securely store your vaccination records and instead use digital wallet solutions provided by the major mobile platforms, such as the Apple Health app and Google Wallet,” Watkins said.

SEE: Google Chrome: Security and UI tips you need to know (TechRepublic Premium)

From a developer perspective, Watkins said they should work to implement best practices in regards to data security as fast as possible.

“Protect the users’ private data in the cloud, in transit, and on device. Anything less may compromise your users’ privacy, expose personal medical data, and potentially undermine the legitimacy of their vaccination records entirely,” Watkins said.