Home Office app for EU citizens vulnerable to hackers

'Little technical skill' needed to breach app built to help EU nationals settle in the UK

An app developed by the Home Office to help EU nationals apply to live in the UK post-Brexit can be exploited by hackers to steal sensitive data.

Flaws in the 'EU Exit: ID document check' app could allow an attacker to take control of the app or get a glimpse of the information being entered into it in real-time, including a copy of the applicant's passport, according to cyber security firm Promon.

The app was developed last year to replace the previous laborious 85-page process that EU nationals would have had to undergo to apply for residency in the UK.

When downloaded, users can submit scans of their passports to the Home Office, and the app checks whether these are valid by reading the biometric chip.

The app also holds details like names, addresses, and telephone numbers, and verifies identity via facial recognition.


All of this information is vulnerable, according to the researchers. They did not disclose specific vulnerabilities in the app; instead, they tested its resilience against basic and commonly used attack methods and tools.

"The tools we used are typically very easily accessible and require very little technical skill to use. It means any type of bad actor could perform this attack, without sophisticated technical knowledge," Promon CTO Tom Lysemose Hansen told the Financial Times (FT).

"There is very little the end user can do, since this is a government app. There is a lot of responsibility on the app makers to provide security measures here, because of this level of trust. Very personal and sensitive information is being handled, and millions of people are using it so you would expect stringent protection measures, similar to banking apps."

The researchers found they were able to take control of the app and access information that was entered, including images of passports and facial scans. They could also observe information as it was being entered, such as user passwords, and were able to alter data too.

A Promon spokesperson told IT Pro that in a worst-case scenario, where malware has been launched and distributed, attackers could modify or add malicious elements to the app, then repackage and redistribute it, without the app noticing any changes.


This is because the app lacks basic safeguards that would prevent an attacker from reading and stealing sensitive information, and the same gap allows malicious code to be injected into the app while it is running.


Moreover, the app is not capable of noticing whether it is being used in a hostile environment, such as on a rooted device, and cannot detect when an attacker is analysing it while it runs.

Several of these attack scenarios can be carried out on both rooted and non-rooted devices, the spokesperson added, although there has been no evidence of attacks yet occurring.
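The safeguards the researchers say are missing (repackaging detection, debugger detection and a hostile-environment check) are illustrated below in an added Android example written for this article; it is not code from the Home Office app or from Promon, and the pinned certificate hash is a placeholder the app's build would supply.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.os.Debug;
import java.io.File;
import java.security.MessageDigest;

/** Startup self-checks; each returns true when the runtime looks compromised. */
public final class AppIntegrityChecks {
    // Placeholder: SHA-256 (hex) of the release signing certificate, pinned at build time.
    static final String EXPECTED_CERT_SHA256 = "<RELEASE_CERT_SHA256_HEX_PLACEHOLDER>";

    /** Repackaging check: a modified and re-signed APK carries a different signing certificate. */
    public static boolean isRepackaged(Context ctx) {
        try {
            PackageManager pm = ctx.getPackageManager();
            Signature[] sigs;
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                PackageInfo pi = pm.getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
                sigs = pi.signingInfo.getApkContentsSigners();
            } else {
                PackageInfo pi = pm.getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
                sigs = pi.signatures;
            }
            if (sigs == null || sigs.length == 0) return true;
            for (Signature s : sigs) {
                byte[] digest = MessageDigest.getInstance("SHA-256").digest(s.toByteArray());
                if (!toHex(digest).equalsIgnoreCase(EXPECTED_CERT_SHA256)) return true;
            }
            return false;
        } catch (Exception e) {
            return true; // failure to verify is itself treated as a tamper signal
        }
    }

    /** Analysis check: a debugger is attached, or the build still permits debugging. */
    public static boolean isBeingAnalysed(Context ctx) {
        boolean debuggable = (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        return debuggable || Debug.isDebuggerConnected();
    }

    /** Hostile-environment check: test-key firmware builds and common su binary locations. */
    public static boolean isRooted() {
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) return true;
        String[] paths = {"/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"};
        for (String p : paths) if (new File(p).exists()) return true;
        return false;
    }

    private static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
}
```

These checks run on the device and can themselves be patched out, so an app handling passport data would pair them with server-side attestation and obfuscation rather than rely on them alone.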

The facial recognition functionality, meanwhile, has been provided by the Home Office's supplier iProov, which involves matching a user's selfie against the image read from their passport chip.

The Home Office previously ran into problems with its app last year after it emerged that the software wasn't compatible with iOS. Promon researchers only examined the Android version of the app, although it's now operational on Apple's operating system too.


"We take the security and protection of personal information extremely seriously," a Home Office spokesperson said.


"The EU Exit: ID Document Check app is regularly tested by independent security firms against all known and emerging threats and adheres to industry best practice on security, performance and accessibility. Over a million people have used the app safely and we continually review our systems to ensure that it is kept safe."

The Home Office added there have been no known security breaches of the app to date, and that the last external security review took place as recently as September 2019.
