Report Developed for the Digital Transformation Agency
CovidSafe Penetration Test
Table of Contents
Document Control
Key Terms
Executive Summary
Introduction
Background
Objective
Scope
Out of Scope
s 7(2A)(b)
Ionize Risk Register
Issue Summary
Severity Matrix
Mobile testing notes
Architecture, Design and Threat Modelling
Data Storage and Privacy
s 7(2A)(b)
s33
Network Communication
Report - CovidSafe Penetration Test
Page | 2
Platform Interaction
Code Quality and Build Settings
Resiliency Against Reverse Engineering
Appendix A: Engagement and Report Context
Intended Audience
Schedule
Executive Summary
During the period between the 24th of April and the 6th of May, Ionize conducted a penetration test
against the CovidSafe source code, mobile applications, and backend infrastructure. The key goals for
testing were to ensure the confidentiality, availability and integrity of user data submitted to the
application. Special focus was placed on potential reputational damage, as, due to its prominence, the
app was likely to be reverse engineered by members of the public, and potentially criticized for any
unusual behaviour.
s 33
Suggested remediation for each of the issues has been included in the report. It is recommended that
all the risks identified are assessed by the organization’s internal risk assessment processes to
determine if further action should be taken.
Introduction
Background
The Digital Transformation Agency enlisted the help of Ionize to conduct a source code review, mobile
application pentest, and infrastructure analysis of the CovidSafe application.
Objective
The primary objective of the security testing was to provide the Digital Transformation Agency with
assurance that the CovidSafe applications are not susceptible to attacks by malicious actors, do not
expose their users to unacceptable risk and do not expose the Digital Transformation Agency to
reputational risk.
Scope
s 33
Out of Scope
s 33
s 7(2A)(b)
s 7(2A)(b)
s 7(2A)(b)
s 7(2A)(b)
Ionize Risk Register
s 33
Detailed Issue Summary
s 33
s 33
Mobile testing notes
Architecture, Design and Threat Modelling
The application interacts with the AWS API Gateway for registration and uploading of data. This data
can then be viewed by health professionals via a health portal which interacts with a separate AWS
API Gateway s 33
Data Storage and Privacy
s33
This is acceptable as these tempIDs are anonymised and change frequently.
On Android, all data for this application is stored within the /data/data/<APP Name>/ folder. As
such, no other applications on the device can view any data from this application.
s 7(2A)(b)
s33
Network Communication
All communication was conducted over HTTPS. This is a standard configuration for mobile
applications s 33
Platform Interaction
API endpoints were tested against a variety of different web, database, and JSON based attacks. s33
Code Quality and Build Settings
s33
Should new code be added to the solution, the current process of auditing code should be used.
This will help to reduce the risk of unprofessional code being published to the public repository,
and the subsequent reputational damage that could cause.
Resiliency Against Reverse Engineering
No anti-reverse-engineering or obfuscation measures were identified within the applications. This is
likely due to public concerns about what the application is doing on the backend. As such, this
application does not require any protections against reverse engineering.
From: s 22
To: s 22
Cc: s 22
Subject: RE: Formalised Report [SEC=OFFICIAL]
Date: Tuesday, 26 May 2020 9:48:19 AM
Attachments: image001.png; CovidSafe Mobile Application Penetration Test Report Final.pdf
Hi s 22,
Thanks for spotting that.
Here is the finalised copy.
Regards,
s 22
.
s 22
s 22
s 22
Document Outline
- Decision 200 2020 Final Decision
- Timeframe for processing your request
- Document no.
- Exemption
- Decision on access
- Description
- Pages
- S 7(2A)(b) and s 33
- Partial Release
- COVIDSafe Penetration Test
- 18
- Irrelevant material removed under s 22 of the FOI Act.
- Release in full
- Email Correspondence
- 3
- Combined FOI 200-2020