About the “easy to hack” EU Exit: ID Document Check app

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

About the "easy to hack" EU Exit: ID Document Check app

Today the Financial Times has published a news story about how the British Home Office’s app for EU citizens applying to live and work in the UK post-Brexit “could allow hackers to steal phone numbers, addresses and passport details.”

It certainly caught my attention. Just yesterday I used the EU Exit: ID Document Check app on my cleaning lady’s Android phone to help her apply for residency. And – to be honest – it was pretty easy to use, once I’d worked out how to change the language of her phone from Romanian to English.

EU Settlement Scheme App Top Tips

Sign up to our free newsletter.
Security news, advice, and tips.

Applicants scan their passport, take a selfie, and use their phone’s NFC feature to read the biometric chip embedded in their passport.

But, according to the FT, Norwegian cybersecurity researchers have discovered flaws in the Android version of the app (they didn’t test the iPhone version):

Promon, a Norwegian cybersecurity company, found major loopholes that allowed them to take control of the app and access any information that was entered into it, including the facial scans and images of passport pages.

They were also able to see information being typed into the app, such as usernames, passwords and other details, and were able to alter information being entered.

“The tools we used are typically very easily accessible and require very little technical skill to use. It means any type of bad actor could perform this attack, without sophisticated technical knowledge,” said Tom Lysemose Hansen, chief technology officer at Promon, who added that they had “experienced no resistance”.

Ok… so it sounds scary that information could be surreptitiously stolen as it is entered into the app… but how would a hacker do this?

Mr Lysemose Hansen said Promon’s researchers had focused on copying and stealing or manipulating data while it was being actively entered into, or processed by, the app. But he added that it was possible to add malicious code to the app while it was inactive that would then help steal personal information when it was subsequently being used.

Oh.

So what the researchers are saying is that if a hacker manages to compromise your smartphone or the app then it could do something malicious…

Err, isn’t that pretty much the case with all programs and computers? If a hacker already has control of the device or has already compromised the app then all bets are off…

Now, if the researchers had described a way in which an attacker might be able to remotely compromise the app or meddle with the phone then that would have been interesting. Or if it had been found that the app was sending sensitive data insecurely which could be intercepted then that would have certainly raised an eyebrow.

And yes, an app could always integrity check itself to see if it had been tampered with, but if someone is replacing your legitimate version of the app with a bogus compromised version there’s no reason why they couldn’t also tamper with the code which checks if it has been tampered with!

So, this doesn’t seem like a big deal to me.

The final word goes to the Financial Times again:

The app was tested for several months before being launched in March and there have been no reports of any security breaches. The app’s page on the Google Play Store states that it is “safe and secure” and that: “None of your personal identity information will be stored in the app or on the phone when you finish using it.”


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.