Digital Rights Monitor

Analysis highlights privacy concerns in Pakistan Government’s COVID-19 app

by Hija Kamran
June 11, 2020

June 11, 2020 — An independent French hacker, Elliot Alderson, shared a tweet thread highlighting various issues relating to privacy in the Pakistan government’s app “COVID-19 GOV PK”. Developed by the National Information Technology Board (NITB), this app was launched by the government to track and trace COVID-19 patients in Pakistan.

Alderson, who mentions in his tweets that he has examined various contact tracing apps from other countries, added that “nothing is ok with this app”. The app, available on the Google Play Store, has already been downloaded by 500,000 people, and contains privacy issues that can seriously threaten their safety and that of their information.

The hacker states that it is not a contact tracing app but a dashboard that allows users to access the number of cases in the country, lets them do a self-assessment, gives radius alerts if the person is in close proximity of a confirmed COVID-19 patient, and gives a pop-up reminder to maintain personal hygiene.

According to the security analysis, when the application is opened, it first connects to the Pakistan government servers with hardcoded credentials. Credentials of this type let anyone with basic software development skills read the username and password, which are embedded within the source code in plain text. This indicates the insecure nature of the code and makes it vulnerable to various kinds of threats, such as a DDoS attack. This particular set of credentials is required to establish a connection between the application and the host server.

Alderson also points out that the request sent by the application to the host server covid.gov.pk uses the insecure HTTP protocol instead of HTTPS, making the connection further unsafe for the data that is stored on it. Additionally, the app stores the physical locations of the patients in the form of coordinates on the map. Alderson writes, “Sick people deserve privacy”, and calls it the worst Covid-19 app he has analysed.
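An added example, not code from the article, the app, or Alderson’s analysis: a minimal pre-release check that a development team could run over its own source tree to catch the two weaknesses described above, credentials embedded as string literals and cleartext `http://` endpoints. The sample files, host name and identifiers are constructed placeholders.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path line rule detail")

# Identifier that looks like a credential, assigned a non-empty string literal.
CRED_RE = re.compile(
    r'\b(\w*(?:user(?:name)?|passw(?:or)?d|secret|token|api_?key)\w*)\s*=\s*"([^"]+)"',
    re.IGNORECASE)
# Cleartext URL literal; XML namespace URIs are identifiers, not endpoints.
HTTP_RE = re.compile(r'http://[^\s"\'<>]+', re.IGNORECASE)
NAMESPACE_PREFIXES = ("http://schemas.android.com/", "http://www.w3.org/")
CLEARTEXT_ATTR_RE = re.compile(r'android:usesCleartextTraffic\s*=\s*"true"')

def audit_sources(files):
    """Scan {path: text} and return a Finding for each weakness located."""
    findings = []
    for path, text in files.items():
        for n, line in enumerate(text.splitlines(), start=1):
            for m in CRED_RE.finditer(line):
                # Report the identifier only; never echo the secret itself.
                findings.append(Finding(path, n, "hardcoded-credential", m.group(1)))
            for m in HTTP_RE.finditer(line):
                if not m.group(0).lower().startswith(NAMESPACE_PREFIXES):
                    findings.append(Finding(path, n, "cleartext-url", m.group(0)))
            if CLEARTEXT_ATTR_RE.search(line):
                findings.append(Finding(path, n, "manifest-allows-cleartext", "usesCleartextTraffic"))
    return findings

# Constructed sample input (not the app's real code; host and values are placeholders).
SAMPLE = {
    "ApiClient.java": (
        'public class ApiClient {\n'
        '    static final String BASE_URL = "http://api.example.invalid/v1/stats";\n'
        '    static final String API_USERNAME = "placeholder-user";\n'
        '    static final String API_PASSWORD = "placeholder-pass";\n'
        '    String password = prefs.getString("pw", null); // runtime value: not flagged\n'
        '}\n'),
    "AndroidManifest.xml": (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android">\n'
        '  <application android:usesCleartextTraffic="true" />\n'
        '</manifest>\n'),
}

if __name__ == "__main__":
    for f in audit_sources(SAMPLE):
        print(f"{f.path}:{f.line}: {f.rule}: {f.detail}")
```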

NITB responds to privacy concerns

Shabahat Ali Shah, CEO of the National Information Technology Board (NITB), shared a statement on Tuesday defending the app, calling the issues Alderson raised part of the design and saying they do not pose any privacy risks. According to the statement shared by Shah, very limited personal information is collected by the app, and it does not show the exact location of the patients. The three-point statement mentions that the patients give their consent to reveal their coordinates.

The statement outlines that there is no login mechanism in place on the app, and that a username and password are not part of the workflow of the application. However, Asad Baig, Director and Co-Founder of Media Matters for Democracy, posits that these credentials are not at the user’s end; instead, they connect the information on the application with the server of the government of Pakistan. “These login credentials are essential for the connection that is being built between the application and the server every time the information is updated on the app or a user accesses this information. It has nothing to do with users, and everything to do with the app’s security on connection level.” He adds, “On top of the hardcoded passwords, the app does not build a secure HTTPS connection with the server which is another layer of insecurity within the design of the app. Collectively, this is a privacy nightmare waiting to happen any time.”

Rafay Baloch, an information security researcher, responding to Shah’s statement, writes on Twitter that it is insufficient and doesn’t address the concerns raised by Alderson. Baloch adds that there are many privacy issues with the app, including “insecure protection at transport layer for not being able to enforce HTTPS where-by still leaving application vulnerable to MITM (Man-in-the-Middle attack).”

Anas Tipu, a web developer, echoes these remarks and suggests that a secure connection is important for any application or website in order to avoid hacking attempts or other digital attacks. “Instead of making this connection secure, hardcoded passwords coupled with insecure HTTP connection, open the data for security threats, both on the application level and on the server level. This connection should have been encrypted and dynamic so the chances of the data being compromised are less.”

Tags: contact tracing, covid-19, COVID-19 Gov PK, Data protection, Government Application, hardcoded password, Pakistan, privacy
About Digital Rights Monitor

This website reports on digital rights and internet governance issues in Pakistan and collates related resources and publications. The site is a part of Media Matters for Democracy’s Report Digital Rights initiative that aims to improve reporting on digital rights issues through engagement with media outlets and journalists.

About Media Matters for Democracy

Media Matters for Democracy is a Pakistan based not-for-profit geared towards independent journalism and media and digital rights advocacy. Founded by a group of journalists, MMfD works for innovation in media and journalism through the use of technology, research, and advocacy on media and internet related issues. MMfD works to ensure that expression and information rights and freedoms are protected in Pakistan.
