A Look at Corona Kavach app (v1.1.2)

Dotworld Technologies
Mar 29, 2020 (5 min read)

This article looks at the beta version of the Corona Kavach app from a cyber security perspective. The app was developed by the Ministry of Electronics and Information Technology and, at the time of testing, had not yet been released by the Government of India.

This app never saw the light of day.

Note: The version we tested was 1.1.2. We have already reported the issues to the responsible officials, who told us that some of them have been fixed and that a new version will be released soon (today), so we consider it safe to publish this article.

According to NDTV, the main functionality of the app is to monitor citizens under quarantine and to deliver official notifications to all registered users. We got our hands on the beta version of the Android application. Let's go through it screen by screen.

Beta version notification banner in the app

NOTE: The app we tested is a beta version. The live app may or may not have these vulnerabilities.

On first launch the app makes a single API call to a test version of the API, as you can see in the image below. The request carries nothing but the device type.

Corona Kavach sending/pinging the device type

Following that you get four splash screens showing do's and don'ts, then a disclaimer screen that also asks for location access.

Splash Screens
Disclaimer and Location Access

After that there is a registration screen asking for a mobile number to verify.

Here comes the fun part. For testing we used an Android tablet without a SIM card and with some settings modified for reverse engineering. The app reads the phone state and queries the active subscription list to obtain SIM details. On a device with no SIM there are no subscriptions to return, the code that iterates over the result dereferences a null list, and the app crashes with a NullPointerException as soon as it moves to the registration screen.

Source code where app is getting active subscription list
Exception in logcat

So how did we bypass this? Since the app never actually uses the subscription details it fetches, we edited the Smali code so that the method returns immediately after obtaining the subscription list. The loop over the (null) list is never entered, so the exception is never thrown.

The added goto :cond_2 jumps to the method's return

With that patch the app reaches the registration screen. I entered a random mobile number, intercepted the traffic with Burp, and voila!

The server sends the OTP back to the client in the response, so the app can verify it locally. Yet the app also sends an OTP verification request to the server once the OTP is entered. So what is the purpose of returning the OTP at all? Anyone who can read the response, as we just did with Burp, learns the OTP for whatever mobile number they typed in and can register with a number they do not control. Maybe this is just the test version; let's see how it is handled in the live version when it is released.

After registering, the app asks the user to keep the app open, or to open it often, for tracking purposes 😉 and then shows a dashboard that is actually a website loaded in a WebView.

Website used inside webview
Application Dashboard

We can see some of the APIs in the source code.

APIs found while reverse engineering

The APIs that caught our attention are getByUserMobile and infecteddata. Neither has any access control, and both allow insecure direct object references (IDOR).

As you can see in the image above, the mobile number being queried differs from the mobile number we authenticated with, yet the server still answers. Even worse, the second API (infecteddata) returns details of all users, including their mobile numbers, together with location details of the people under quarantine.

We checked the details returned by this API: the mobile numbers belong to doctors who were testing the application. The JSON also contains some file locations that appear to hold the GPS coordinates of these people, although we did not see any request that sends GPS information.

Suggested mitigations:

  1. Let the server generate, deliver and verify the OTP. Never expose it to the client.
  2. Using an authkey is good, but let it do its job: on every request, check that the caller identified by the key is authorised to see the record being requested, not merely that the key is valid.
  3. Always check for and handle exceptions (here, a device with no SIM).
  4. Obfuscate your code on release.
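The following is an added example, not code from the Corona Kavach app or from its developers, that models the server side of mitigations 1 and 2 above: the OTP is hashed and kept on the server, only a status goes back over HTTP, a successful verification issues an authkey bound to that mobile number, and getByUserMobile refuses any mobile number other than the one the authkey belongs to (the check the beta lacked). The endpoint names follow the page; everything else (the in-memory outbox standing in for an SMS gateway, the "health_official" role gating infecteddata, the sample users, the attempt limit and TTL) is an assumption made for the example.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300      # assumption: OTP valid for five minutes
MAX_OTP_ATTEMPTS = 5       # assumption: wrong guesses allowed per OTP


class CoronaApi:
    """Toy server-side model of registration plus the two data endpoints.

    Assumptions (not from the real app): a per-process pepper for OTP
    hashing, an in-memory outbox standing in for the SMS gateway, and a
    per-user 'role' that decides who may read aggregate data.
    """

    def __init__(self, users):
        self._pepper = secrets.token_bytes(32)   # would be a managed secret in production
        self._users = users                       # mobile -> record (constructed sample data)
        self._pending = {}                        # mobile -> (otp_hash, expires_at, attempts)
        self._sessions = {}                       # authkey -> {"mobile": ..., "role": ...}
        self.outbox = []                          # (mobile, otp) pairs "sent" by SMS

    def _otp_hash(self, mobile, otp):
        # Bind the hash to the mobile so an OTP issued for one number
        # cannot be replayed against another.
        msg = f"{mobile}:{otp}".encode()
        return hmac.new(self._pepper, msg, hashlib.sha256).hexdigest()

    def request_otp(self, mobile):
        """Mitigation 1: generate and deliver the OTP out of band; the HTTP
        response carries only a status, never the OTP value."""
        otp = f"{secrets.randbelow(10**6):06d}"
        expires_at = time.time() + OTP_TTL_SECONDS
        self._pending[mobile] = (self._otp_hash(mobile, otp), expires_at, 0)
        self.outbox.append((mobile, otp))         # the only place the OTP leaves the server
        return {"status": "otp_sent"}

    def verify_otp(self, mobile, otp):
        """Server-side check with expiry, attempt limit and constant-time
        compare. Success issues an authkey bound to this mobile number."""
        entry = self._pending.get(mobile)
        if entry is None:
            return {"status": "no_pending_otp"}
        otp_hash, expires_at, attempts = entry
        if time.time() > expires_at or attempts >= MAX_OTP_ATTEMPTS:
            del self._pending[mobile]
            return {"status": "expired"}
        if not hmac.compare_digest(otp_hash, self._otp_hash(mobile, otp)):
            self._pending[mobile] = (otp_hash, expires_at, attempts + 1)
            return {"status": "invalid_otp"}
        del self._pending[mobile]                 # single use
        authkey = secrets.token_urlsafe(32)
        role = self._users.get(mobile, {}).get("role", "citizen")
        self._sessions[authkey] = {"mobile": mobile, "role": role}
        return {"status": "ok", "authkey": authkey}

    def get_by_user_mobile(self, authkey, mobile):
        """Mitigation 2: the authkey identifies the caller, and the requested
        mobile must match it. Skipping that comparison is the IDOR in the beta."""
        session = self._sessions.get(authkey)
        if session is None:
            return {"status": "unauthorized"}
        if session["mobile"] != mobile:
            return {"status": "forbidden"}
        record = self._users.get(mobile)
        if record is None:
            return {"status": "not_found"}
        return {"status": "ok", "user": record}

    def infected_data(self, authkey):
        """Aggregate endpoint: requires an authorised role, and even then
        returns only the fields the caller needs (no phone numbers)."""
        session = self._sessions.get(authkey)
        if session is None:
            return {"status": "unauthorized"}
        if session["role"] != "health_official":
            return {"status": "forbidden"}
        rows = [{"district": u["district"], "quarantined": u["quarantined"]}
                for u in self._users.values()]
        return {"status": "ok", "rows": rows}


# Constructed sample data for a stand-alone run; not real users.
SAMPLE_USERS = {
    "9000000001": {"role": "citizen", "district": "Chennai", "quarantined": True},
    "9000000002": {"role": "citizen", "district": "Madurai", "quarantined": False},
    "9000000003": {"role": "health_official", "district": "Chennai", "quarantined": False},
}


def demo():
    """Register as the first citizen, then try own record, someone else's
    record, and the aggregate endpoint."""
    api = CoronaApi(SAMPLE_USERS)
    api.request_otp("9000000001")
    mobile, otp = api.outbox[-1]              # what the user reads off the SMS
    key = api.verify_otp(mobile, otp)["authkey"]
    own = api.get_by_user_mobile(key, "9000000001")["status"]
    other = api.get_by_user_mobile(key, "9000000002")["status"]
    aggregate = api.infected_data(key)["status"]
    return own, other, aggregate


if __name__ == "__main__":
    print(demo())   # ('ok', 'forbidden', 'forbidden')
```

Note that the beta's behaviour corresponds to request_otp returning the OTP in its response and get_by_user_mobile omitting the session["mobile"] comparison; with those two lines the random-number registration and the cross-user lookup described above both work again.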

We hope the developers fix these security issues before the app is released to the public.

DISCLAIMER: This article is not a complete representation of the threats in the system, network and applications.

We have a story on how to reverse engineer Android applications; check it out in the link below.

Written by
Naveen Sakthivel, CTO
Dotworld Technologies
