EU Exit: ID Document Check Android has security flaws but you need to have a compromised device first

A HOME OFFICE ANDROID APP designed to help European citizens apply to work and live in the UK post-Brexit - if and when it happens - has a suite of vulnerabilities that could allow hackers to swipe personal data.

The flaws were discovered by researchers at Norwegian cybersecurity firm Promon, which spotted security loopholes that allowed them to take control of the app and access pretty much all the info that was put into it.

Rather than reveal any zero-day flaws or gaping security holes, Promon simply fired a load of commonly used and basic hacking methods at the app to see how resilient it was to cyber attack; a lot of these tools "often require very limited technical skills to use".

Once the researchers gained access to the EU Exit: ID Document Check Android app, they were able to read, alter, and steal sensitive user information such as phone numbers, passport details, and addresses.

"From our research, we found that the Brexit app on Android lacks crucial security measures, which is hugely concerning when you consider the sensitive nature of the information that users input into it," said Tom Lysemose Hansen, chief technology officer at Promon.

All this sounds rather worrying for users of the app, who already have to deal with the uncertainty of how Brexit turns out; it's now basically at the same 'will they, won't they' level as Friends' Rachel and Ross, only more tedious and with arguably xenophobic undertones.

But there's a curveball, and one that might put the app's users at ease; to exploit the security loopholes a hacker must have already compromised a device. In other words, basic Android security architecture needs to have been defeated before the app can be hacked, and at that point a heck of a lot more data is at risk.

And Promon's report hasn't exactly won the favour of the University of Surrey's Professor Alan Woodward of the Department of Computer Science, who claimed the story is "almost a tautology".

"Of course, if your device is compromised someone could put something as simple as a keylogger on your device and see what you're inputting," the seemingly antagonised academic told The Register.

"What this does not mean is that there is some dreadful flaw in the app itself. It would probably apply to many apps you 'tested'.

"If the database were compromised, that would be another matter, but that's not what [the Promon researchers] say. They specifically say the app is vulnerable, but it's a bit disingenuous to phrase it in that way: if your device is vulnerable, so are most of your apps."

As for the Home Office, it seemed to be rather ambivalent towards the whole situation, though it claimed to "take the security and protection of personal information extremely seriously".

"The EU Exit: ID Document Check app is regularly tested by independent security firms against all known and emerging threats and adheres to industry best practice on security, performance and accessibility," a Home Office spokesperson said. "Over a million people have used the app safely and we continually review our systems to ensure that it is kept safe."

So if you're a member of the EU and are looking not to get kicked out of Blighty if the politicians manage to get their act together and deliver Brexit, then you're probably safe to use the app.

Just make sure your phone hasn't fallen into the hands of Claude de Code-Cracker or Hacker Helga before using it. µ