STAYAWAY COVID is the name of the Portuguese app for contact tracing.

I was curious about exploring the inner workings of the app, so I applied for becoming a beta tester in order to have access to it before its launch.

Access was quickly granted and, after installing and getting to know the application, I decided to decompile its binary and take a look at its code. It is generally fairly easy to decompile an Android application package (.apk). In fact, there are some online decompiler services where you can place the .apk file and download a .zip with the decompiled source code.

I did not spend much time investigating the app, because the truth is that it is not very complex. It serves its purpose well and is not cluttered with unexpected features. In addition to examining the source code of the app, I used Frida together with a proxy to listen for network requests and the fact is that it does not seem to perform any call to external servers except to interface with Google Exposure Notification API, to retrieve app configuration data and whenever an user wants to declare himself as having tested positive for COVID-19.

However, what did call my attention as a potential security flaw was a particular line of the following BuildConfig.java file:

The file BuildConfig.java holds a class automatically generated by the Gradle build tool so that the app code can inspect information about the build.

One of the variables defined in this file is called FIREBASE_CLI_TOKEN, meaning that it holds an access token to Firebase services. This token can be used with the Firebase Command Line Interface (CLI) Tools to test, manage and deploy a Firebase project from the command line. This includes being able to:

At first sight this seemed dangerous. This particular token provided access to some Firebase projects from Keyruptive (one of the companies responsible for developing STAYAWAY COVID) as well as to a Firebase project named STAYAWAY COVID. Could it be that this token allowed a malicious user to access and alter the backend services that support this application? For example, changing the app configuration for all users and setting a very low alerting threshold, so that everyone thinks they are likely to be infected and therefore causing a massive spike in requests for COVID-19 testing?

No, that was not the case. Having established contact with the app developers about this issue I was informed that Firebase was not being used in any backend component. It was only used to help distributing test versions of the app rather than as a data repository. Nevertheless, having a Firebase access token exposed to the public is still a security flaw which could allow access to read or alter potentially sensitive data in any of the 5 Firebase projects it gave access to.

The issue was promptly resolved the day after my report. The token was invalidated and new tokens are no longer being mistakenly bundled in the Android Application Package file.

I find it important to have multiple pairs of eyes reviewing software, especially in the case of contact tracing apps where its success depends on having a large userbase and where privacy concerns are a big topic. In my investigation, the security issue I found did not have any impact on the STAYAWAY COVID app itself, however different code reviewers may always find other concerns. On very positive news, the source code of the application is now available, so security researchers or generally curious people can freely analyze it.