Securing Vaccine Passport Applications

The single most valuable document today is a COVID-19 vaccination card. That golden ticket is the passport to a ‘normal’ life. If you are lucky enough to have one of those cards, however, you know already how awkward they are to carry around. And carrying one also means risking its loss. But since it is likely we are all going to have to show proof-of-vaccination to resume activities like flying or entering the workplace, expect to see a flurry of vaccination passport apps offered soon.

With any app that shares and stores sensitive PII, especially medical data, security will have to be a high priority in app development. This, in itself, will be a particular challenge for developers and organizations, because security and privacy have traditionally been an afterthought in the app development process. Mobile apps are increasingly becoming a favorite target for hackers because they are so vulnerable. This results in a serious data leakage problem for apps, which could lead to unsecured vaccine data.

The Value of Vaccine Passport Data

Any time there is aggregation of personal health data for use by a third party on a connected, digital device, there is reason for concern. Health data remains one of the most sensitive and highly sought after targets of cybercriminals, as Terry Ray, SVP and fellow with Imperva, pointed out.

“Beyond a simple ‘vaccinated’ or ‘not vaccinated’ message, the app will likely need to host other identifiable information — such as name, date of birth and other identifiable information that a foreign country can use to uniquely identify travelers,” Ray said in an email interview. “As the scope of retained information within the app grows, it becomes easier to personally identify the individual, and that’s when data becomes a rich target.”

Ray predicted attackers will be highly motivated to target vaccine passport apps, especially in their early days, because the apps likely won’t be tested as thoroughly as other, more established apps. The rush to get them to market so users can get on with their ‘normal’ lives is too great.

“Also, given the potential expansive user base of this app, attackers will be motivated by the volume of data they could acquire,” Ray added. Before the pandemic, for example, nearly 100 million Americans traveled internationally. Maybe those numbers won’t be that high in the coming months, but people want to start traveling again. If travel means needing a passport app, download volumes are going to be high.

The Risks to Passport App Security

Securing a mobile application is not the same as securing a web application that relies on SSL or TLS browser connections; it requires writing secure code from the start.

“Additionally, the data utilized and stored by the app needs to be in a secure repository with database security controls that are monitoring data access,” Ray said. Preventing data leakage is going to be a must, and the way to do that is to secure the data itself, rather than relying primarily on securing the endpoints. Attack risks against vaccine passport apps will also depend on how the app is built and operated.

Ray expects to see disruption and data theft attacks to be most common – DDoS attacks against the passport provider, for example, preventing access to the information at critical times. Or apps that ask for too much personal information from the user. Apps requiring third-party API or JavaScript connections are also a breeding ground for supply chain attacks.

“Third-party API connections create an opportunity for a code or command injection attack where legitimate and certified software becomes exposed because of a compromised third-party provider. As we’ve seen over the past several weeks and months, these types of sophisticated attacks can be difficult to detect and stop,” Ray said.

Preventing data leakage is going to be vital when these vaccine passport apps roll out. Security must be part of the development process from the very beginning. The rise in API vulnerabilities and exposure of sensitive data is not to be overlooked in development.

“For developers, this means that prioritizing API security is a must,” said Ray. “Further, organizations have to think differently about application protection. They need to identify runtime application behavior, such as whether third-party code is responsible for unwanted access and traffic.”

Overall, the fundamental focus must be on securing the data. By using controls that monitor access, add governance and protect data, opportunities for threat actors to compromise a third-party API connection or vulnerability to exploit the flaw for greater damage will decrease, and opportunities to return to normal will flourish.

Avatar photo

Sue Poremba

Sue Poremba is freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.

sue-poremba has 271 posts and counting.See all posts by sue-poremba