Let’s review app security: FinPandem – Crowdsourced COVID-19 heatmap

At the moment of writing this post it has been ~9 hours since FinPandem released a demo video of their product, apparently developed by Tarento (Indian, Finnish and Swedish company, who knows where the app is developed ) and Coredo.

Quickly after a release the app started raising some questions in Finnish infosec communities:

Naturally this made me curious too, so I started reviewing how the app works, and how reliable it looks like.

Overral function of the app

Shortly the app is used to submit the end-user location data automatically, even during the background to a Google Firebase database.

Overrral security

The app can not be found via Google Play Store, neither Apple Appstore. It is insecurely delivered via 3rd party websites via a Google Drive link for Android and via Appcenter.ms for iOS.

Both options require either enabling untrusted sources to allow app installation or specialized applications to allow installation thus endangering the end-users for mistakes.

General statistical analytic results and other details

The app (Android version) seems generally harmless. It’s really simple in fact and uses Google Firebase for storing location information of the end-user.

However depending on the accuracy of the heatmap there is a privacy concern on possibility to de-anonymize the end-user based on the heatmap, especially in sparsely populated areas of Finland which are plenty to be found.

Careless end-users might accidentally endanger themselves for cyberstalking and other crimes.

The app also tries to prevent the phone from sleeping, therefore leading to much bigger battery consumption than normally.

Did it work then?

Partly, the heatmap function of the app froze during the testing with different emulators and with a real up-to-date phone.

About the website and domain

There is no privacy policy available on the website of https://www.finpandem.fi/ and generally everything on the website seems to be made really in rush. Even the contact email address listed there is a @gmail.com ending address.

It’s really worrying that Google isn’t listed as a data subprocessor of this app.

The domain for the app has been registered today on the writing day of this article and is holded by Coredo Oy based on public whois -data.

Leave a Reply

Your email address will not be published. Required fields are marked *