Govt dismisses report of security flaw in LeaveHomeSafe app

Hong Kong’s government has rejected an overseas cybersecurity firm’s claim that flaws in the LeaveHomeSafe app could expose sensitive user information, saying there have been no security or privacy-related incidents and the report conducted by the company is inaccurate and unfair.

A security audit of the LeaveHomeSafe app published by Polish cybersecurity firm 7ASecurity said it detected vulnerabilities in the software that could allow hackers to access ID numbers, visit records or vaccination and testing information.

The audit, conducted in April and May through reverse engineering, found “significant flaws” in the software security, including three that were designated critical or severe, the firm said in a report published Wednesday.

In response, the Hong Kong government said no registration is required and all data related to personal privacy stored in the app are masked and encrypted. It added that there had never been any security or privacy incidents related to the app.

Facial recognition capabilities identified in the report had already been removed from the app, the government added.

The Office of the Government Chief Information Officer “expressed deep regrets and strongly opposed to the inaccurate report and unfair accusation.”

Researchers from 7ASecurity said they shared their work, funded by the US non-profit Open Technology Fund, in June with the app’s developer, Hong Kong-based Cherrypicks, a subsidiary of Netdragon Websoft Holdings Ltd. Cherrypicks didn’t respond to a request for comment.

Mistrust around the contact tracing app has become a persistent challenge for the Hong Kong government since its rollout in 2020. That has only increased after LeaveHomeSafe became a necessity for checking into most venues, as the primary way to prove users’ vaccination status.

While officials maintain that visit and vaccination records on the app are encrypted and stored only on the user’s device, many remain unconvinced. Health secretary Lo Chung-mau indicated this month that the app may soon require real-name registration, akin to the equivalent app in mainland China. Other officials later walked back those comments.