The LeaveHomeSafe App:
A Pentest Report
A Blackbox Penetration Test
and a Privacy Audit Conducted Against the LeaveHomeSafe solution
The report outlines the results of a blackbox penetration test and a privacy audit conducted against the LeaveHomeSafe solution. The work was requested by the Hong Kong Democracy Council (HKDC), funded by the Open Technology Fund (OTF), and carried out by 7ASecurity in April and May 2022. A total of 17 days were invested to reach the coverage expected for this project.
During the COVID-19 pandemic, Hong Kong government launched a digital contact tracing application on November 16th, 2020. This project is to address the general concern about the potential security and privacy risks that might be introduced by the LeaveHomeSafe Android and iOS applications. This COVID-19 digital contact tracing application is mandated in all government venues, hospitals, markets, shopping malls, supermarkets and places of worship, among other places in Hong Kong at the time of writing.
As one of the major findings of this report, the LeaveHomeSafe mobile applications were found to be affected by a number of common misconfigurations, including (1) protection of network communications, (2) authentication implementation, (3) protection of data at rest, (4) mitigation of task hijacking attacks, (5) avoidance of screenshot leaks, and (6) general hardening. While no clear privacy violation could be conclusively proven during the audit at runtime, a number of application artifacts, likely inherited from underlying dependencies or simply security vulnerabilities introduced by mistake, were found.