Cryptographers and information security experts who examined the official mobile app for Israel’s “Green Pass,” a government-validated certificate for Israelis who have received both doses of the coronavirus vaccine, have found a string of flaws that pose a threat to its functionality.
The Health Ministry’s app, called Ramzor (traffic light) in Hebrew, has experienced serious problems since its launch two weeks ago. Complaints about it were reported both in the media and in its customer reviews.
Initially the app was supposed to be extremely simple and quick, but the final product, experts and users say, is heavy and slow, taking up a large amount of memory. Moreover, the choice to use closed (as opposed to open) source code and the lack of involvement by security and privacy specialists have also caused concern among developers. Security experts and cryptographers who examined the app’s code have discovered several problems that cast doubts on the reliability of its verification that someone has been vaccinated.
With an open-source app, anyone can examine the original code as the programmers wrote it, before it has been compiled so it can run. But examining a closed-source app, which has already been compiled, is difficult. You can scrutinize communications to and from the app, but you can’t discover everything hidden within the code, for better or for worse.
Those interested in figuring out how it works need to reverse engineer the app. This isn’t an optimal solution - but it can be done, and doing so will help discover some of the app’s underlying code.
Prof. Orr Dunkelman of the University of Haifa and Dr. Eyal Ronen of Tel Aviv University, together with information security experts Yuval Adam and Noam Rotem, reverse engineered Ramzor using two programs. Some of their findings are worrying and raise serious questions about the quality of the code and its suitability for the app’s sensitive task.
The researchers found several problems with the app’s code, as well as with the way it verifies signatures on the “green pass” it produces. The developers behind the app, they found, evidently didn’t properly integrate cryptographic algorithms into their program.
The process for verifying the QR code the app provides, they found, doesn’t actually match the original specifications published by the Health Ministry. The process was coded in a confusing way, and the developers made the app unnecessarily complicated.
Another problem was the use of a library of cryptographic programs called SpongyCastle that hasn’t been maintained for more than three years and relied on a single developer before then. In other words, even if security breaches or other problems have been discovered in the programs since then, nobody has updated them.
The app’s developers also left passwords and so-called tokens used in testing in the code itself, and these may also exist in the live app, which may indicate a disorganized development process. This would be one thing if we were talking about an app to rate candy stores. But in a super-sensitive app that has immediate and critical implications for all Israelis, this is a serious problem.
Another discovery they made indicates there is a possibility of an information leak. The problem lies in the process in which the app allows users to reach out to the Health Ministry via the app’s contact page.
Every time you connect to the app, an email is sent to the Health Ministry, which is standard and poses no issue. However, when a message is sent through the app’s contact page, another email is also sent out, not to an official government address but to a private Gmail address.
This address is completely private, and it also serves a Facebook account, a Twitter account and other accounts. Moreover, that information about the email account was obtained by checking databases of user names and passwords leaked from various apps.
In other words, the passwords connected to this address have already been leaked. Perhaps these passwords have since been changed and there’s no risk of anyone hacking into that email. But the Health Ministry has no way to verify this as this is a private Gmail account, and not under the state’s direct and immediate oversight.
An investigation revealed that this email belongs to a ministry official involved in the app’s development. For some reason, she opted to receive all queries sent via the app to her personal email. This is a problem, because these requests can include Israelis’ personal and medical information.
It also attests to extremely problematic practices with regard to information security and privacy. All information sent via the app ought to go to the Health Ministry’s servers, not to a ministry bureaucrat’s personal Gmail account, which she also uses to register for apps like MyFitness and MyHeritage. With apologies to Gabriel Garcia Marquez, this is a chronicle of an information leak foretold.
But this email address, which includes the official’s full name, also seemed familiar to me, and after a few moments’ thought, I remembered why: This same official, who doesn’t identify herself as a Health Ministry employee in her personal profile and even claimed that she didn’t work at the ministry, has written to me on Facebook several times. Among other things, she accused me of being venomous and said my reports should never have been published in the paper, but should have been sent directly to the ministry.
Given the researchers’ findings, the question that must be asked is what we ought to do: Should we rely on the app, or should we download the green passport directly from the ministry’s website and use that instead of the app?
For now, I’d advise against using the app until it’s approved by an external information security expert who was involved in the development process - or is at least privy to its full details. Instead, people should go to the ministry’s website and print out a paper version of the green passport, which has a barcode. It’s better to do so at night or early in the morning, because the site tends to crash during peak hours.
I asked the ministry why all the support questions are sent to that particular official and whether the website has been examined by an outside security expert.
The ministry’s response was as follows:
1. Use of some of the libraries stemmed from the fact that the ministry carried out a process of examining and approving every library or tool or algorithm that the development team wanted to use. This approval process hasn’t yet finished for some of the cryptographic libraries that could have been used in the project. We decided not to delay its launch, because the existing solution contains no risks that exceed the damage that would be caused by delaying the release of a solution to the public.
2. Thanks to your reports, a mistake was located in the code (execution of an unnecessary double hash) and has been corrected. This correction will go online in another few days. We’re aware of the implications of this mistake and they will be addressed, both on the side of issuing the documents and on the side of solutions for verifying the documents. It’s important to make clear that this mistake doesn’t constitute a flaw in the security of either the app or the document, nor does it pose a risk for users of the app.
3. The private email of an outside consultant to the project was put into the app’s beta version for the purpose of testing before it officially went up. This address has been changed to an official address of the Health Ministry.
4. The Health Ministry has its own information security team, comprised of several experts in the field. The team’s professionalism has been examined over the years by a large number of people from outside the Health Ministry. Moreover, the ministry has a testing procedure for every project that goes online that includes both internal testing and outside testing by an independent outside company that carries out comprehensive information security tests of products released to the public.
5. We work closely with the Privacy Protection Authority, and in addition, we obtained independent opinions from several sources, including the Privacy Israel organization. The Health Ministry makes sure to get its solutions approved by privacy experts in the architecture stage (in this case, there really was a change in the solution after consulting with independent outside experts) and to give the developers clear instructions about privacy issues as well. The developers’ compliance with these instructions is examined at the end of the process by the information security team and relevant outside bodies.
Privacy Israel, asked to comment on the ministry’s last point, said it did not provide the Health Ministry with an opinion, but merely “sent it a position paper that was posted publicly examining privacy issues in the implementation of a medical passport.”