Infosec boffins pour cold water on claims Home Office Brexit app can be easily hacked

Reports that the Home Office's Brexit app contains "serious vulnerabilities" that could expose the phone numbers, addresses and passport details of EU citizens are overblown, say security experts. To date, one million EU nationals have downloaded the Android settled status app, which asks users to take a selfie and scans the …

  1. noboard

    *sigh*

    "These are controls like the app detecting whether the phone has been rooted"

    One day people may wake up to the fact a rooted phone is probably more secure than a stock phone.

    1. tiggity Silver badge

      Re: *sigh*

      Indeed. That comment cannot be upvoted enough.

      Also, with so much junk installed on many phones by default as "system apps", you often have to root just to be able to claim space back / get rid of unwanted spyware such as FB etc. that they love to preinstall.

    2. Anonymous Coward
      Anonymous Coward

      Re: *sigh*

      Not if it's company owned and managed though.

      It's not a case that rooting = knowledgeable user = more secure. A lot of school kids are rooting each other's phones for a few quid so they can customise them, which doesn't mean they care about security though.

      1. TechnicalBen Silver badge

        Re: *sigh*

        Yeah, because no company ever sold off its old apps/services, for the new tenures to be less than honest with their ad popups (I know it happens to Android handsets, whereas, as iOS is all in house, there's no "bloatware" to turn into malware).

        1. EnviableOne Silver badge

          Re: *sigh*

          However, as it's all in house, it has no fresh eyes, so you get vulnerabilities like checkm8.

    3. cybergibbons

      Re: *sigh*

      Why is a rooted phone more secure?

      1. IGotOut

        Re: *sigh*

        @cybergibbons.

        A rooted phone is not necessarily more secure. However, given Android's shonky method of updating combined with many manufacturers' apathy, it is almost a given that at some point your phone will no longer receive patches.

        With a rooted phone, most are running custom ROMs that are maintained and updated regularly.

        1. Dan 55 Silver badge

          Re: *sigh*

          Isn't that the wrong way round? A custom ROM can be rooted, but it doesn't have to be. Rooted phones that don't use custom ROMs probably got rooted by an exploit, which is not particularly secure.

    4. Aussie Doc
      Big Brother

      Re: *sigh*

      ^^^This.

      I can't root my phone because one of the main apps I use for payments detects it and announces that it is unsafe so won't function.

  2. Dan 55 Silver badge
    Trollface

    "The app is not [...] capable of noticing whether it is being used in a hostile environment"

    Of course it's being used in a hostile environment, it's being used in the UK.

  3. Will Godfrey Silver badge
    Unhappy

    Seeing as it's Government

    I'd be very surprised if it wasn't as secure as an open field.

  4. osmarks

    This is ridiculous. Your software kind of has to trust the environment it's running on, no real way around that...

    1. Simon Reed
      Mushroom

      You obviously never played corewars. Defensive programming where the program doesn't even trust its own code.

      Happy days.

      So much more fun than working.

    2. Dan 55 Silver badge

      I would hope any local copy of any personal data/photos/scans are encrypted with a key held in the remote database.

  5. Jimmy2Cows Silver badge

    Dons skeptical hat...

    "The EU Exit: ID Document Check app is regularly tested by independent security firms against all known and emerging threats and adheres to industry best practice on security, performance and accessibility.

    Does that really happen, or are they just saying it because it sounds good and they know no one can prove otherwise?

    Over a million people have used the app safely and we continually review our systems to ensure that it is kept safe."

    Sounds suspiciously like "We've not heard of any problems yet so it must be secure, right?". That's not the way to do security.

    1. Aussie Doc
      Facepalm

      Re: Dons skeptical hat...

      They're obviously holding it wrong.

  6. Tigra 07 Silver badge
    Meh

    "Maike Bohn, a co-founder of EU citizen campaign group the3million, said: "We are expecting the government to do more than issuing a statement that it takes security very seriously""

    And apparently they are. But you just can't please people like Maike Bohn.

  7. EnviableOne Silver badge

    "We take the security and protection of personal information extremely seriously"

    If they did, they would use a zero-trust architecture and have these protections in place.

    It's right there in GDPR and NIS: security and privacy by design and default.

Biting the hand that feeds IT © 1998–2019