As many countries and states open up following lockdowns driven by the pandemic, governments are thinking through how to get a common digital vaccine passport in place to verify the vaccination status of their citizens. For this reason, New York State (NYS) has launched a pilot program in tandem with IBM’s Digital Health Pass to issue digital vaccine passports in the state to allow for travel and more freedom for those who are vaccinated.
User adoption for digital vaccine passports has become a big challenge for many governments. Because COVID-19 contact tracing apps were recently in the spotlight for their lack of security and privacy, it has become clear that the industry needs to create user trust to foster widespread adoption and use of mobile applications.
Did New York’s app developers learn from the challenges that were uncovered with contact tracing apps? After testing the security of the NYS Excelsior Pass Wallet and Pass Scanner apps for iOS and Android, Guardsquare’s initial findings show that there are five major areas of concern that were addressed for these mobile applications:
- Collect the minimum information necessary.
In mobile AppSec, it’s a best-practice to collect the least amount of information necessary to perform the app’s intended function. In the case of NYS, its vaccine passport apps only require a first name, last name, and date-of-birth to get or verify someone's vaccination status. Moreover, the personal information and test results are stored in the form of a QR code that’s verified by a separate pass scanner app that can detect any changes or mismatches.
Takeaway: By not collecting and storing unnecessary information within either the pass wallet or scanner apps, NYS minimizes the chance of leaking personally identifiable information (PII).
- Implement strong cryptographic verification.
JSON Web Token (JWT) operates as an open standard that enables the secure transmission of sensitive data. NYS uses JWTs to secure the communication between its mobile apps and the backend systems that store vaccination records and COVID-19 test results. The JWTs are also signed using the ECDSA algorithm, which ensures malicious actors cannot compromise any QR codes without the private key. This private key or cryptographic signature gets protected by anti-tampering measures, making it difficult for malicious actors to reverse-engineering the app to obtain it.
Takeaway: By decoding and verifying the cryptographic signature of every QR code within the scanner app, NYC prevents attackers from intercepting and modifying QR payloads.
- Deter brute-force attempts using Captchas.
Captchas are challenge-and-response tests to confirm a user’s authenticity. The NYS apps use captchas every two to three requests to ensure users or automated bots cannot continuously enumerate the backend database storing vaccination records.
Takeaway: Using captchas, NYS stops malicious actors from using a brute force approach to finding an identity with a vaccinated status to spoof, and also prevents denial of service (DoS) attacks on its backend infrastructure.
- Use Runtime Application Self-Protection.
Jailbreaking or rooting are techniques that malicious threat actors employ to bypass device restrictions, access sensitive data, or repackage apps. The NYS apps detect and mitigate these dynamic analysis attacks by implementing basic Runtime Application Self-Protection (RASP). RASP and other anti-tampering techniques prevent malicious actors from discovering the private key used for JWT signing or intercepting communication with NYS’s backend systems.
Takeaway: NYS uses basic RASP measures and anti-tampering techniques to protect both its apps and user devices from reverse-engineering or tampering attempts that could negatively impact the reputation and adoption of its digital vaccine passport program.
- Leverage security-focused architecture.
When it comes to security, it’s best not to reinvent the wheel when there are already secure and easy-to-implement solutions available. Instead of building its own cryptographic and obfuscation techniques, NYS leveraged IBM’s Digital Health Pass platform and trusted open source libraries, so its solution had a strong security posture from the beginning.
Takeaway: NYS made security-focused design decisions from the start by using existing security technologies that are proven, which ensured mobile application security and data privacy were at the forefront – rather than an afterthought.
While many contact tracing apps had their flaws, the NYS developers have applied important learnings from the contact tracing apps and designed the vaccine passport apps with security in mind. Future vaccine passport app developers should follow their lead, because we need to deliver strong security to enhance consumer trust and adoption. As governments continue to launch digital vaccine passport programs, prioritizing security and privacy will help encourage widespread acceptance and user adoption.
Grant Goodes, chief scientist, Guardsquare
