Major Security Flaws Found in South Korea Quarantine App
In April, South Korea began requiring all visitors and residents arriving from abroad to isolate themselves for two weeks. To monitor compliance, they had to install an app whose name in Korean means Self-Quarantine Safety Protection. As of last month, more than 162,000 people had downloaded the app, which tracks users’ locations to ensure they remain in designated quarantine areas. Violators might be required to wear tracking wristbands or pay steep fines.

In May, Mr. Rechtenstein returned to his home in Seoul from a trip abroad. While self-isolating at home, he became curious about the government’s seemingly simple app and what extra features it might have. That prompted Mr. Rechtenstein to peek under the hood of the code, which is how he discovered several major security flaws. He found that the software’s developers were assigning users ID numbers that were easily guessable. After guessing a person’s credentials, a hacker could have retrieved the information provided upon registration, including name, date of birth, sex, nationality, address, phone number, real-time location and medical symptoms.

Mr. Rechtenstein also found that the developers were using an insecure method to scramble, or encrypt, the app’s communications with the server where data was stored. Instead of HTTPS, the security standard used by apps like Gmail and Twitter, the app used an encryption key written directly into its code. Doing so meant hackers could easily find the key and decode the data if they had tried. It also meant the key did not change depending on the message being sent or on the user sending it. The key was also far from random: It was “1234567890123456.”

[...]

Over time, the government also asked Mr. Jung’s team to add surveillance functions to the app, which officials said increased their workload and prevented them from spending time hunting for security flaws.

[...]

“We were simply overwhelmed with work,” said Koo Chang-kyu, a South Korean official.
Continues at https://www.nytimes.com/2020/07/21/technology/korea-coronavirus-app-security... (best viewed without JavaScript ;-) Giacomo
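The two design faults the quoted article describes (guessable user IDs that also act as the credential for fetching a record, and a hard-coded, non-random symmetric key) are easy to show side by side with their fixes. The following is an added example written for this post; it is not the quarantine app's code and the record contents, ID format and helper names are constructed for illustration. It shows a lookup that trusts the ID alone, the hardened version that requires a random per-user token compared in constant time, and a small code-review check that flags keys of the "1234567890123456" kind.

```python
"""Added example (not from the article or the app): why a guessable user ID
must never double as the credential that unlocks a record, plus a review
check for hard-coded, low-entropy symmetric keys."""
import hmac
import secrets

# Constructed sample records standing in for the data the article says the
# app collected at registration (name, symptoms, ...). Sequential IDs as in
# the flawed scheme: knowing one ID reveals its neighbours.
RECORDS = {
    "100001": {"name": "sample user A", "symptoms": "none"},
    "100002": {"name": "sample user B", "symptoms": "cough"},
}


def next_sequential_id(last_id: str) -> str:
    """The guessable scheme: IDs are a plain counter."""
    return str(int(last_id) + 1)


def get_record_insecure(user_id: str):
    """Lookup that treats possession of the ID as proof of identity.
    Anyone who can enumerate IDs can read every record."""
    return RECORDS.get(user_id)


# Hardened design: IDs are random (not enumerable) and every request must
# carry a per-user bearer token that the server stores and compares in
# constant time. In-memory store, constructed for the example.
TOKENS = {}  # user_id -> token


def register(record: dict):
    """Create a record with a random ID and a separate random credential."""
    user_id = secrets.token_hex(16)     # 128-bit random identifier
    token = secrets.token_urlsafe(32)   # per-user secret, unrelated to the ID
    RECORDS[user_id] = record
    TOKENS[user_id] = token
    return user_id, token


def get_record_secure(user_id: str, token: str):
    """Return the record only if the caller presents that user's token.
    A missing ID and a wrong token give the same answer, so the endpoint
    does not leak which IDs exist."""
    expected = TOKENS.get(user_id)
    if expected is None:
        return None
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return None
    return RECORDS[user_id]


def is_weak_symmetric_key(key: bytes) -> bool:
    """Code-review check for keys like the one the article quotes: a key made
    only of printable ASCII digits, or with very few distinct byte values,
    was typed by a person rather than drawn from a CSPRNG. (Heuristic; a
    hard-coded key is a finding regardless of its value.)"""
    all_digits = all(0x30 <= b <= 0x39 for b in key)
    low_variety = len(set(key)) < 8
    return all_digits or low_variety


if __name__ == "__main__":
    # Flawed scheme: the next ID is trivially derived and unlocks a record.
    guessed = next_sequential_id("100001")
    print("insecure lookup:", get_record_insecure(guessed))

    # Hardened scheme: the ID alone yields nothing; the token is required.
    uid, tok = register({"name": "sample user C", "symptoms": "none"})
    print("secure, no token:", get_record_secure(uid, "not-the-token"))
    print("secure, with token:", get_record_secure(uid, tok))

    print("weak key?", is_weak_symmetric_key(b"1234567890123456"))
```

The token is stored server-side and compared with `hmac.compare_digest` so that a wrong guess fails in constant time; in a real deployment the token would be issued over TLS rather than a key baked into the client, which is the other fault the article points out.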
Giacomo Tesio