Cybersecurity experts hack settled status app with devils’ horns to show security flaws

Norwegian cybersecurity company Promon has inserted a picture of devils' horns to demonstrate the se

Norwegian cybersecurity company Promon has inserted a picture of devils' horns to demonstrate the security flaws in the government's settled status app. Picture: Promon - Credit: Promon

A cybersecurity company has inserted a devil icon into the Home Office settled status app to show it is at 'serious risk of malware attack'.

A screenshot of the government app as it appears on the Android app store. Picture: Android

A screenshot of the government app as it appears on the Android app store. Picture: Android - Credit: Android

Norwegian security company Promon said they found "no resistance" in their testing to find numerous security flaws in the EU Exit: ID document check app, which is used by EU citizens in the UK to confirm their identity as part of their applications.

Promon chief technology officer Tom Lysemose Hansen said the app, which is currently only available on Android, lacks "crucial" security measures.

The loopholes potentially allow hackers to steal passport information, passwords and facial scans, says Promon.

The company tested the app's resilience against basic and commonly used attack methods and tools.

You may also want to watch:

Lysemose Hansen told the FT: "The tools we used are typically very easily accessible and require very little technical skill to use.

"It means any type of bad actor could perform this attack, without sophisticated technical knowledge."

Most Read

He added that they had "experienced no resistance".

He continued: "There is very little the end user can do, since this is a government app. There is a lot of responsibility on the app makers to provide security measures here, because of this level of trust.

"Very personal and sensitive information is being handled, and millions of people are using it so you would expect stringent protection measures, similar to banking apps."

The company claims that the app doesn't meet the minimum security standards on resisting these attacks, as set by the Mobile Application Security Verification Standard, although the Home Office said it "adheres to industry best practice".

Promon's testing says that under a malware attack, the app would be vulnerable to data breaches, hijacking and injecting with new code, without the app even noticing.

Such an attack could also modify or add malicious elements to the app, repackage and re-distribute the app, without the app noticing - which is how Promon managed to insert the devil icon into the app while it was running.

"At this time of political uncertainty, the last thing that people who are applying to remain in the UK need, or expect, are concerns around whether their passport information and photo IDs are being stolen by hackers," he said.

"As the app will continue to grow in popularity and demand, with more people fearful of what will happen to them if the UK does leave, it means that it will become increasingly attractive to attackers, with the potential subsequent fallout devastating."

The app has been downloaded more than one million times.

Promon CEO Gustaf Sahlman called on governments "to realise just how dangerous and mobile malware is, and to offer their end users' protection".

The Home Office told the FT: "We take the security and protection of personal information extremely seriously. The EU Exit: ID Document Check app is regularly tested by independent security firms against all known and emerging threats and adheres to industry best practice on security, performance and accessibility.

"Over a million people have used the app safely and we continually review our systems to ensure that it is kept safe."

Become a Supporter

The New European is proud of its journalism and we hope you are proud of it too. We believe our voice is important - both in representing the pro-EU perspective and also to help rebalance the right wing extremes of much of the UK national press. If you value what we are doing, you can help us by making a contribution to the cost of our journalism.

Become a Supporter
Comments powered by Disqus