The EU Exit: ID Document Check app, available on Android and iOS and widely used by foreign nationals applying to remain in the UK after Brexit, was launched to replace the former 85-page paper application process.
Users scan their identity documents and their faces, validate their passports by reading the RFID biometric chip that is standard in most EU passports, and submit contact details for their records.
But Promon, a cybersecurity firm based in Oslo, Norway, said it had found major vulnerabilities that would allow attackers to take control of app processes and data, including facial scans and passport details, as well as information entered into the app such as usernames and passwords.
The tests were carried out on the Android version of the app, Promon researchers said.
Tom Lysemose Hanson, chief technology officer for Promon, said, as quoted by the Financial Times: “The tools we used are typically very easily accessible and require very little technical skill to use. It means any type of bad actor could perform this attack, without sophisticated technical knowledge.”
Mr Lysemose Hanson said that there was "very little the end user could do" as the app was managed by the UK government, and that there was a "lot of responsibility on the app makers to provide security measure" due to the "level of trust" needed in managing user data.
He added: “Very personal and sensitive information is being handled, and millions of people are using it so you would expect stringent protection measures, similar to banking apps.”
Mr Lysemose Hanson also claimed that malicious code could be inserted into the app while it was not in use.
But the app had already been tested for several months before being launched, with no security breaches reported. Personal identity information would not be "stored in the app or on the phone" after users finished, according to the app's Google Play Store description.
The UK Home Office responded, stating that it took "the security and protection of personal information extremely seriously".
The Home Office said: “The EU Exit: ID Document Check app is regularly tested by independent security firms against all known and emerging threats and adheres to industry best practice on security, performance and accessibility.”
It added: "Over a million people have used the app safely and we continually review our systems to ensure that it is kept safe."
Cybersecurity expert Graham Cluley also questioned the findings in his personal blog, stating that researchers were merely stating the obvious that "if a hacker manages to compromise your smartphone or the app then it could do something malicious".
He added: "Err, isn’t that pretty much the case with all programs and computers? If a hacker already has control of the device or has already compromised the app then all bets are off…"