Security analysts warn smartphone app for Sharm el-Sheikh climate talks could be used for spying as it has ‘highly intrusive’ access to locations, conversations and images.
Cybersecurity concerns have been raised at the United Nations’ COP27 climate talks over an official smartphone app that reportedly has carte blanche to monitor locations, private conversations and photographs.
About 35,000 people are expected to attend the two-week climate conference in Egypt, and the app has been downloaded more than 10,000 times on Google Play, including by officials from France, Germany and Canada.
Egypt’s Ministry of Communications and Information Technology developed the app for the summit’s delegates.
It is meant to assist attendees in smoothly navigating the conference, but “the government of Egypt may have weaponised the app and now has the ability to surveil all of the summit attendees”, David Bader, an expert in data science and cybersecurity, told Al Jazeera.
Analysts warn the COP27 app can extensively monitor the user’s movement and communications, and is able to read users’ email and encrypted messages, record phone conversations, and even scan the entire device for sensitive information.
Bader noted while the developer states the app does not collect data: “Surprisingly the app does have the strange ability to access the user’s name, phone number and email address, all of the user’s email – with the ridiculous explanation for ‘app functionality’ and one’s photos for ‘account management’.
“Would you want a stranger accessing your private photos, let alone a foreign government?” Bader said, warning there could be more clandestinely going on with the app.
No ‘smoking gun’ on data collection
The majority of apps ask permission to access various aspects of a smartphone, including location for GPS functions or cameras for social media, but users need to be cautious, said Kevin Curran, professor of cybersecurity at Ulster University.
“One has to ask whether each of these permissions are necessary,” Curran said, describing the COP27 app as “highly intrusive”.
“In this case, it is difficult to identify a smoking gun. What we cannot ascertain is whether the Egyptian government is using this for data collection,” Curran told Al Jazeera.
He noted, however, the app could continue to provide information on users even after the climate conference ends on November 18.
According to an analysis of the app by American media group Politico, it can monitor communications even when the device is in sleep mode.
Egypt’s COP27 ambassador Wael Aboulmagd denounced the speculation, telling reporters a cybersecurity assessment was completed and, “I was told how unlikely, or physically or technically impossible” it would be to use the app so intrusively.
Since it is available on Google Play and the Apple Store, those companies “would never allow that” because of security protocols, he added.
“There has been a cybersecurity assessment done and it refuted that completely,” said Aboulmagd.
But Bader warned delegates with the app on their phones remain vulnerable. “Intelligence may be gathered not just about their positions on climate change, but also on trade negotiations, political activities and military operations,” he said.
Some rights activists have criticised the decision for Egypt to host COP27, citing a long track record of cracking down on political dissent. Tens of thousands of people are estimated to have been jailed.
A number of attendees have shared that the WiFi at the climate conference blocks access to websites such as Human Rights Watch and Egypt’s independent outlet Mada Masr, as well as Al Jazeera.
For those concerned about the COP27 app, cybersecurity experts recommend using a “burner phone”, or secondary device, while being aware their conversations and other communications could be monitored.
Those who already have the app should uninstall it as a first step, they say.