Government rejects report of security flaw in LeaveHomeSafe app


The Hong Kong government has dismissed a foreign cybersecurity firm’s claim that flaws in the LeaveHomeSafe app could expose sensitive user information, saying there have been no security incidents. or confidentiality and that the company’s report is inaccurate and unfair.

A security audit of the LeaveHomeSafe app published by Polish cybersecurity firm 7ASecurity said it detected vulnerabilities in the software that could allow hackers to access identification numbers, visitation records or vaccination information and of testing.

The audit, conducted in April and May by reverse engineering, found “significant flaws” in software security, three of which were designated as critical or serious, the firm said in a report released Wednesday.

In response, the Hong Kong government said no registration was required and all privacy-related data stored in the app was masked and encrypted. And there had never been any security or privacy incidents related to the app.

The facial recognition capabilities identified in the report had already been removed from the app, the government added.

The Office of the Government Information Director “expressed deep regret and strongly objected to the inaccurate report and unjust accusation”.

Researchers from 7ASecurity said they shared their work, funded by the US nonprofit Open Technology Fund, in June with the app’s developer, Hong Kong-based Cherrypicks, a subsidiary of Netdragon Websoft Holdings Ltd. Cherrypicks did not respond to a request for comment.

Mistrust around the contact-tracing app has become a persistent challenge for the Hong Kong government since it was rolled out in 2020. It has only increased after LeaveHomeSafe became a necessity to register in most locations, as the primary means of proving users’ vaccination status.

While officials maintain that visitation and vaccination records on the app are encrypted and stored only on the user’s device, many remain unconvinced. Health Secretary Lo Chung-mau indicated this month that the app may soon require real-name registration, similar to the equivalent app in mainland China. Other officials later backtracked on those comments.

(Journalist and Bloomberg)


Comments are closed.