Major vulnerability shows dangers of mandatory contact-tracing apps

Meant to keep the residents of Qatar coronavirus free, a new mandatory contact-tracing app instead put their privacy at risk. 

The government of Qatar, like many around the world and in the U.S., is pushing contact-tracing apps as a tool in the battle against the spread of the coronavirus. Unfortunately, the Qatar Ministry Of Interior’s mandatory EHTERAZ app exposed users to a wide range of potential violations. 

So found Amnesty International, which on Tuesday reported that a vulnerability in the app “would have allowed cyber attackers to access highly sensitive personal information, including the name, national ID, health status and location data of more than one million users.”

At the heart of the matter was a QR code associated with the app. Each app user received a unique QR code that contained info like whether or not they had the coronavirus, where they were being quarantined, and their name. All anyone needed to access the QR code was a national ID number, and those numbers, you guessed it, “follow a consistent format,” Amnesty International notes, and are easily guessed.

Thankfully, Amnesty International writes that the app was patched after the organization alerted authorities, but the mandatory nature of the app along with its excessive permissions created the opportunity for a perfect privacy-crushing storm.

The EHTERAZ app.

Image: screenshot / google play

“This incident should act as a warning to governments around the world rushing out contact tracing apps that are too often poorly designed and lack privacy safeguards,” Claudio Guarnieri, the head of Amnesty International’s Security lab, explained in a statement. “If technology is to play an effective role in tackling the virus, people need to have confidence that contact tracing apps will protect their privacy and other human rights.”

Indeed, even putting aside the security vulnerability, EHTERAZ demands a shocking amount of permission and access to function. According to the Google Play store’s permission page for the app, EHTERAZ not only tracks users’ locations, but can “modify or delete the contents of your USB storage” and “disable your screen lock” (among other things).

Well, that's quite a lot.

Image: screenshot / google play

An app with this much access, which potentially leaks users’ data, is a hacker’s dream target — let alone an oppressive regime’s dream tool.

As officials around the world continue to push for contact-tracing apps, it’s worth remembering that the limited examples we have seen in the real world have been anything but inspiring. Essentially, many contact-tracing apps don’t work and violate users’ privacy at the same time. 

That the people of Qatar were instructed to download an app riddled with security vulnerabilities doesn’t exactly suggest the situation is about to change.
