<https://www.nrk.no/sport/everyone-going-to-the-world-cup-must-have-this-app---experts-are-now-sounding-the-alarm-1.16139267>
Everyone going to the World Cup must have this app - experts are now sounding the alarm
– It's not my job to give travel advice, but personally I would never
bring my mobile phone on a visit to Qatar.
That's what NRK's head of security Øyvind Vasaasen says after a thorough
review of the apps.
Everyone travelling to Qatar during the football World Cup will be asked
to download two apps called Ehteraz and Hayya.
Briefly, Ehteraz is a covid-19 tracking app, while Hayya is the official
World Cup app used to keep track of match tickets and to access the free
Metro in Qatar.
In particular, the covid-19 app Ehteraz asks for several permissions on
your mobile, such as permission to read, delete or change all content on
the phone, to connect to WiFi and Bluetooth, to override other apps and
to prevent the phone from switching off into sleep mode.
The Ehteraz app, which everyone over 18 coming to Qatar must download,
also gets a number of other accesses such as an overview of your exact
location, the ability to make direct calls via your phone and the
ability to disable your screen lock.
The Hayya app does not ask for as much, but also has a number of
critical aspects. Among other things, the app asks for access to share
your personal information with almost no restrictions. In addition, the
Hayya app provides access to determine the phone's exact location,
prevent the device from going into sleep mode, and view the phone's
network connections.
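The check a practitioner would make before relying on a description like the one above is to read the permissions an app actually declares. This added example (not from the article, NRK or the apps' vendors) parses the `<uses-permission>` entries of a decoded AndroidManifest.xml and maps them to the capabilities listed above; the manifest is constructed for illustration and is not the real Ehteraz or Hayya manifest, and the permission-to-capability mapping is my own. It assumes the manifest has already been decoded from the APK (e.g. with apktool).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability the article describes -> Android permissions that grant it (own mapping).
CAPABILITIES = {
    "read/change/delete content": {"android.permission.READ_EXTERNAL_STORAGE",
                                   "android.permission.WRITE_EXTERNAL_STORAGE"},
    "connect to WiFi and Bluetooth": {"android.permission.CHANGE_WIFI_STATE",
                                      "android.permission.BLUETOOTH_CONNECT"},
    "override other apps": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "prevent sleep mode": {"android.permission.WAKE_LOCK"},
    "exact location": {"android.permission.ACCESS_FINE_LOCATION"},
    "make direct calls": {"android.permission.CALL_PHONE"},
    "disable screen lock": {"android.permission.DISABLE_KEYGUARD"},
    "view network connections": {"android.permission.ACCESS_NETWORK_STATE"},
}

# CONSTRUCTED sample manifest for illustration; not the real Ehteraz/Hayya manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def capability_report(manifest_xml):
    """Capability -> sorted permissions granting it; capabilities not requested are omitted."""
    perms = requested_permissions(manifest_xml)
    return {cap: sorted(perms & grants)
            for cap, grants in CAPABILITIES.items() if perms & grants}


if __name__ == "__main__":
    for cap, perms in capability_report(SAMPLE_MANIFEST).items():
        print(f"{cap}: {', '.join(perms)}")
```

Permissions outside the mapping (here INTERNET) are deliberately not reported, so the output lists only the capabilities the article attributes to the apps.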
– They can simply change the contents of your entire phone and have full
control over the information that is there, is the conclusion of NRK's
security manager.
As part of the media house's preparations for the Qatar WC, he has
reviewed these apps.
Vasaasen is downright frightened by what NRK's security review has
uncovered.
– When you download these two apps, you accept the terms stated in the
contract, and those terms are very generous. You essentially hand over
all the information in your phone. You give the people who control the
apps the ability to read and change things, and tweak it. They also get
the opportunity to retrieve information from other apps if they have the
capacity to do so, and we believe they do.
– You're giving them the opportunity
The security chief explains that it is essentially like the authorities
getting full access to your house.
– You're saying that it is perfectly fine for the authorities to enter
your home. They get a key, and they can get in. You don't know what
they're doing there. They say they might not make use of the chance, but
you're giving them the opportunity. And you would never do that,
Vasaasen points out.
Øyvind Vasaasen leads the DAB work at NRK.
NRK has asked Bouvet and Mnemonic, two independent IT security
companies, to review the apps and give us their conclusions.
– Can do quite a lot of bad things
The Ehteraz app in particular receives criticism, and it is compared to
the first Smittestopp (Stop Infection) app in Norway.
– It was, after all, a privacy scandal. If someone has slightly more
evil intentions than the Institute of Public Health, then you can do
quite a lot of bad things with the information that the app collects in
the first place, says Martin Gravåk at the Bouvet company.
He explains that the app tracks where you go and which mobile phones
are near you. In this way, the information can be cross-linked to find
out who you are meeting and talking to.
– If you're hunting the opposition, gays, or others you don't like, an
app like this will make it much easier for you, Gravåk states.
The Mnemonic company also compares the Ehteraz app with the first
version of Smittestopp.
– The consequences for individuals and groups if data from Ehteraz goes
astray can be significant, says Tor Erling Bjørstad of Mnemonic to NRK.
He has downloaded the apps and analysed what is in the application
packages, and does not think the apps are hair-raising compared to
"normal apps" that most people use.
– At the same time, they process data, particularly linked to GPS and
position, which has a high potential for abuse. In a way, you have to
trust the people who develop or own the apps, and it is not a given that
you particularly want to trust the authorities in Qatar.
However, his technical analysis found no signs that the apps can
actually change data stored locally on the mobile device, though he
warns that this may simply be because the capability has not yet been
implemented.
NRK has submitted the findings about the apps' security holes to FIFA.
They tell us that they do not wish to comment on the matter.
– Increases the risk
Naomi Lintvedt, research fellow at the Faculty of Law at the University
of Oslo, has reviewed the apps at the request of NRK.
She agrees with NRK's head of security that there is much that is
problematic, and describes the apps as «very intrusive».
– You cannot consent to parts of the use, just everything. If I
understand the apps correctly, there will also be limited options to
change permissions there. This means that if you want to go to the WC,
you have no choice. This is a mandatory app, with no options, she
points out.
Lintvedt says bluntly that if she were an employer, she would not allow
employees to take their work mobile phone to Qatar.
Even as a private person, she would have been very sceptical about using
her own phone in the World Cup host country.
– What is the main criticism against these apps, as you see it?
– They go far too far in terms of what data is recorded and used. They
get far too broad of access to change and take over functionality on
your mobile phone, which appears to be completely unnecessary. It allows
for government surveillance, and since it is Qatar, that has to be
considered as well. This increases the risk that data will be used for
purposes other than pure infection tracking, she believes.
_______________________________________________
nexa mailing list
[email protected]
https://server-nexa.polito.it/cgi-bin/mailman/listinfo/nexa