Bsafe app not so safe

Sharon Mathala

• It’s a matter of national importance and urgency - court papers

Two security researchers have dragged Presidential Task-force Coordinator Kereng Masupu, Director of Health Services Malaki Tshipayagae, Branstorne enterprises (PTY) LTD, and the Attorney General to court over the vulnerability and safety of the Bsafe application.

The urgent application was made this Tuesday at the Gaborone High Court before Justice Christopher Mokwadi Gabanagae.


The applicants, Itumeleng Ditlhotlhole and Samuela Molaodi, are of the view that the Bsafe app exposes its users’ personal information.

Bsafe is Botswana’s official contact tracing app for the COVID-19 pandemic.

It is available on Android, a mobile operating system, and as a web application served through a web browser at the uniform resource locator (URL) https://web.covid19bw.centre/login. It is a tracking tool used to identify people who have been at a certain location.

According to court documents seen by The Voice, the app relies on the user checking in at a particular location by scanning a QR code or giving out their national identity number.

“The contact tracing app would then store this information to be later used to identify who has been where based on travel history.”

The applicants say they decided to take the Government to court because they are registered users of the Bsafe app. They contend that by profession they are trained and equipped with the knowledge and skills to identify vulnerabilities in computer applications.


“These issues may be identified by reverse engineering an application or actively scanning an application.”

The security researchers explained in their submission that “inspect element is a web browser functionality that shows the innards of a webpage such as its source code, the images and CSS that form its design, the fonts and icons it uses, the JavaScript code that empowers animations and the network interactions. This functionality is publicly available on all web browsers”.

According to one of the applicants, whilst inspecting the network interactions of the Bsafe application homepage under the network tab, “it came to my attention that editing the date parameters in order to get my travel history between certain dates returned a response which contained information of people I do not know, most of which was personal information.”

Further inspecting the app, the security researchers say they opened pseudonymous accounts in order to verify their findings.

“Whilst logged in with the pseudonymous user, I repeated the edit process described above but instead changed the number field, I edited the pseudonymous user’s mobile number to a mobile number used by my real account, that is 7 ******* and it returned some of the personal data that I registered for the Bsafe application with,” one of the applicants stated.


They further argue that they shared the Bsafe app’s vulnerabilities with the task force in the hope that it would facilitate a resolution and safeguard the personal information of Batswana users, but all in vain.

The applicants further tell the court in their urgent application that because the app is also available on the internet, it means hackers from across the world have access to personal data of Batswana and “with the internet it is possible to access almost any information, communicate with anyone else in the world and so much more.”

“Further, anyone can be a registered user of the application regardless of where they are situated because the application does not validate any of the registration details given to it, that is how I was able to register a pseudonymous account with random details to verify the vulnerabilities and at no point did I have to confirm that my mobile number exists, whether my email address works or that I am who I say I am,” further states the court documents.

“It is clear that any registered user of the Bsafe application who is logged into their profile on the web application can view data of multitudes of other users without authentication to those users’ profiles.”
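The behaviour the applicants describe above, a logged-in user retrieving other users’ records simply by editing the date parameters or the mobile number field of a request, is the pattern usually called an insecure direct object reference: the server authenticates the caller but then trusts a client-supplied identifier to decide whose data to return. The following is an added illustrative example, not the Bsafe application’s code. The endpoint shape (a `number` field plus a `from`/`to` date range), the check-in records and the session tokens are all constructed assumptions; it shows the vulnerable handler beside a hardened one that scopes the query to the identity bound to the session.

```python
"""Constructed example: a travel-history endpoint that trusts a client-supplied
identifier (vulnerable) versus one that uses the session's own identity (fixed).
Not the Bsafe application's code; data and endpoint shape are assumptions."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CheckIn:
    mobile: str        # registered mobile number of the user who checked in
    national_id: str   # identity number given at registration
    location: str      # venue identified by the scanned QR code
    when: date


# Constructed sample data: two users, three check-ins.
CHECKINS = [
    CheckIn("71000001", "ID-A", "Gaborone Mall", date(2020, 8, 1)),
    CheckIn("71000001", "ID-A", "Riverwalk", date(2020, 8, 3)),
    CheckIn("72000002", "ID-B", "Game City", date(2020, 8, 2)),
]

# Constructed session store: token -> mobile number of the logged-in user.
SESSIONS = {"tok-A": "71000001", "tok-B": "72000002"}


def _parse_range(params):
    """Reject malformed or inverted date ranges instead of silently widening them."""
    try:
        start = date.fromisoformat(params["from"])
        end = date.fromisoformat(params["to"])
    except (KeyError, ValueError) as exc:
        raise ValueError("bad date range") from exc
    if start > end:
        raise ValueError("bad date range")
    return start, end


def history_vulnerable(token, params):
    """Vulnerable: the caller is authenticated, but the records are selected by
    the 'number' field taken from the request. Editing that field in the
    browser's Network tab returns another user's data, including fields the
    caller has no business seeing."""
    if token not in SESSIONS:
        raise PermissionError("not logged in")
    start, end = _parse_range(params)
    target = params["number"]  # attacker-controlled
    return [c for c in CHECKINS if c.mobile == target and start <= c.when <= end]


def history_fixed(token, params):
    """Hardened: the subject of the query is the identity bound server-side to
    the session; any 'number' field in the request is ignored. Only the fields
    the caller needs (venue and date) are returned."""
    if token not in SESSIONS:
        raise PermissionError("not logged in")
    start, end = _parse_range(params)
    me = SESSIONS[token]  # fixed at login, not taken from the request
    return [{"location": c.location, "date": c.when.isoformat()}
            for c in CHECKINS if c.mobile == me and start <= c.when <= end]


if __name__ == "__main__":
    # User B, logged in as B, edits the number field to user A's number.
    probe = {"number": "71000001", "from": "2020-08-01", "to": "2020-08-31"}
    print("vulnerable:", history_vulnerable("tok-B", probe))  # A's records leak
    print("fixed:     ", history_fixed("tok-B", probe))       # only B's own
```

The fix is not a better filter on the `number` field but removing the field from the authorization decision altogether: whose history is returned must come from the server-side session, and the response should carry only what the feature needs rather than the full registration record.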

The case returns in October, as both parties were given more time to file further documents. The applicants want the Government interdicted with immediate effect from making the app available as a web application. They also want the Government to carry out a privacy impact assessment of the app and delete all personal data that the app currently holds.
