The Hong Kong government has slammed a report by an overseas cybersecurity firm as “inaccurate” after the company claimed the city’s “Leave Home Safe” Covid-19 risk-exposure app was vulnerable to data leaks and phishing attacks.
The Office of the Government Chief Information Officer on Thursday issued a statement that maintained the mobile app was safe and reliable, adding it had passed various risk assessments and audits by independent professionals.
“Protection of personal privacy has always been the prime objective in the app’s design, development and use. No registration is required and all data related to personal privacy stored in the app is masked and encrypted,” the government body said.
The statement followed the release of a report on Wednesday by Poland-based 7ASecurity, which claimed to have uncovered at least 12 vulnerabilities in the risk-exposure app that could lead to phishing attacks or data leaks.
The cybersecurity firm also suggested the app may not have been properly checked by a “competent security firm”, adding the software also had the “presence of face recognition code”.
But the government office said it was “strongly opposed to the inaccurate report and unfair accusation”.
“The number of downloads has exceeded 8 million since its launch more than one year ago, and as a digital tool commonly used by the general public on a daily basis, no security or privacy-related incidents have been reported.”
A spokesman for the body also reiterated that the “Leave Home Safe” app, which was first introduced in late 2020, had strictly followed government requirements on information security and privacy protection.
He added that the app’s facial recognition function had never been used and was removed in May.
“Prior to the launch of all major updated versions, the app has passed privacy impact assessments, security risk assessments and audits conducted by independent professional third parties to ensure that the app is safe and reliable,” he said.
Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, said elements of 7ASecurity’s report were based on outdated data.
“The face recognition saga was back in May and the module had been removed since,” he said, adding he was satisfied with the transparency of the government’s security and privacy risk assessments.
“The relevant reports have been uploaded online for public reference.”
The project by 7ASecurity was sponsored by the US Open Technology Fund, an independent non-profit organisation that advocates counteracting repressive censorship and surveillance.
The fund is supported by a grant from the United States Agency for Global Media, an independent agency of the US government, which also oversees Voice of America, Radio Free Asia and the Office of Cuba Broadcasting.