- Report: Unmasked II: An Analysis of Indonesia and the Philippines Government-launched COVID-19 Apps
- Date Published: December 21, 2020
Staysafe PH Android version 0.12
By capturing its network traffic, we observed StaySafe PH accessing a Firebase Database. We were able to identify an authentication token used by the app, and with that token had the ability to access all records from that database.
This vulnerability would allow an attacker to access the backend database used by the app, which contains a user’s universally unique identifier (UUID) and their geolocation coordinates. Using a separate API at https://ws.staysafe.ph/api/v1/me/trace-registrants, we found that we can also query a user’s self-reported health status (normal, having symptoms, etc.) by UUID.
- October 30, 2020 - We emailed Multisys, the Philippines Department of Health, and the WHO Philippines regarding the issues we identified with StaySafe PH. We notified them of our intention to publish this research no sooner than 45 days after the date of this disclosure.
- November 27, 2020 - We received a response from Multisys, stating: “We’re currently doing the necessary adjustments to resolve this issue. Our target date to fix this on December 2, 2020 (GMT +8).”
- December 4, 2020 - We received a response from Multisys, stating: “We’re still ongoing on the necessary adjustments needed to resolve the issue. It just so happened that some minor issues occurred doing the adjustments. But we’re almost done just need to patch some things up. Will update you as soon as we finish this.”
- December 8, 2020 - We received a response from Multisys indicating that they had almost completed their fix of the issues we identified.
- December 10, 2020 - We received a response from Multisys indicating that they had published an app update for Android and iOS.