The Hong Kong government’s Covid-19 contact-tracing app contains privacy and security risks that could jeopardise the safety of users’ personal information, a cybersecurity firm has said.

Poland-based company 7ASecurity conducted an independent security audit on the LeaveHomeSafe app between April and May, upon the request of Hong Kong Democracy Council, a US-based pro-democracy lobbying group founded by overseas activists.

leavehomesafe vaccine record
A page for users to add their vaccination and Covid-19 test records on the LeaveHomeSafe app. Photo: Almond Li/HKFP.

The company spotted 12 security and privacy flaws, of which three were classified as critical or high-level vulnerabilities. The most critical weakness, according to 7ASecurity CEO Abraham Aranguren, could allow attackers to intercept the app’s data collection process and gain access to users’ information, including their identity card number, phone number and Covid-19 vaccination status. This problem only affected devices using the Android operating system.

Aranguren told HKFP that the app’s security compared poorly to other commercial products. “Nowadays, it’s very rare in a mobile [penetration test] to have items with high or critical security [issues],” Aranguren said. Penetration tests simulate cyberattacks to evaluate a system’s security.

Most of the vulnerabilities did not seem “intentional,” but rather suggested “sloppiness” by the developer, Aranguren said. But he questioned why Hong Kong authorities had claimed that the app passed previous security and privacy checks, citing a government press statement released last February saying that a “privacy impact assessment” had been conducted by “independent third parties.”

Facial detection

The company also found facial detection elements identified as “libraries,” which in programming language means market-available pre-written codes.

It was the second time such a feature was spotted in the contact tracing app. In May, now-defunct investigative outlet FactWire reported that a React Native facial detection module was found on the LeaveHomeSafe app. The government later said the facial detection function was indeed bundled with the code which enables the phone’s camera to scan things, but said it would ask the developer to try to remove the recognition feature to allay any concerns over privacy.

Covid-19 vaccine pass leavehomesafe
Photo: GovHK.

However, two facial recognition libraries were found during 7ASecurity’s audit, including the React Native one and a Google one. Aranguren said while it was not uncommon for developers to keep these libraries in their code even if they were not meant to be activated, their presence could still raise eyebrows.

leavehomesafe facial recognition code
Photo: Screenshot via 7ASecurity.

“The main question is why is it there, right?… It was unclear why these were not removed. So the whole problem here is the trust issue because there’s political concerns,” Aranguren said.

When use of the LeaveHomeSafe app was made mandatory to enter restaurants, some residents expressed their concerns over the security of their data. “I am worried about my personal information, but since it’s now a requirement… I have no other choice,” one diner told HKFP last year.

Aranguren said the company was not able to verify whether the libraries were activated or not. He added authorities and app developers should make LeaveHomeSafe an open source app.

“If the application is open source, there was no obfuscation, and there were no facial recognition artifacts, then case for privacy would be pretty much dead because there would be [transparency]… everybody would be able to read the code, so you could argue that they are not trying to hide anything.”

‘Unfair allegation’

The Office of the Government Chief Information Officer (OGCIO), which is responsible for the operation of the LeaveHomeSafe app, hit back at 7ASecurity’s “inaccurate report” and “unfair allegation” in a statement last Thursday.

The OGCIO said protection of personal privacy has always been the prime objective, adding that all data related to personal privacy stored in the app was masked and encrypted. It also addressed the issue of the facial recognition feature.

leavehomesafe vaccine record
Photo: Almond Li/HKFP.

“The OGCIO has repeatedly explained in response to the allegations related to the facial recognition module in May this year and reiterated that the ‘LeaveHomeSafe’ mobile app has never used nor requires any facial recognition function. The relevant facial recognition module has also been removed already as pledged,” the statement said.

Responding to an enquiry from HKFP regarding requests to make LeaveHomeSafe open source, a spokesperson from the OGCIO said that the “primary purpose of opening up the source code of government applications is to facilitate industry development through the re-use of program codes,” an objective that was “not applicable to ‘LeaveHomeSafe’.”

“We are of the view that opening up the source code of the app will only introduce additional security risks without apparent benefits. For example, it will make it much easier for lawbreakers to develop fraudulent ‘LeaveHomeSafe’ apps. As such, we have neither the intention nor the plan to open up its source code,” the spokesperson continued.

7ASecurity said it had sent the government and app developer the full report in June – one month ahead of its public release – and had only received an automated acknowledgement. Aranguren said several follow-up requests had been sent but the authorities never responded or offered to fix things.

The OGCIO did not confirm whether it had received the report from 7ASecurity, nor did it disclose which independent third parties had conducted security checks.

covid-19 covid shopping mall qr code
A shopping mall LeaveHomeSafe QR in Hong Kong on Tuesday, March 2. Photo: Kyle Lam/HKFP.

The LeaveHomeSafe app was introduced in November 2020 to improve government contact tracing efforts amid the Covid-19 pandemic. The government has repeatedly stressed that the use of the app is voluntary, however, LeaveHomeSafe has become mandatory to enter an increasing number of venues, including but not limited to restaurant, gyms, bars and pubs.

As of Sunday, Hong Kong has recorded 1,353,994 Covid-19 infections and 9,503 related deaths since the pandemic began.

Support HKFP  |  Policies & Ethics  |  Error/typo?  |  Contact Us  |  Newsletter  | Transparency & Annual Report | Apps

Help safeguard press freedom & keep HKFP free for all readers by supporting our team

contribute to hkfp methods
childrens vaccine
social distancing
what to do if you get covid
vax pass
face masks
rapid test buying guide
Bobby Covid book 2
support hong kong free press generic

Almond Li is a Hong Kong-based journalist who previously worked for Reuters and Happs TV as a freelancer, and as a reporter at Hong Kong International Business Channel, Citizen News and Commercial Radio Hong Kong. She earned her Masters in Journalism at the University of Southern California. She has an interest in LGBT+, mental health and environmental issues.