TEST: the security of digital vaccination certificates is reliable

We carried out comprehensive security tests of the EU COVID-19 international vaccination certificates. Their protection is, in a word, reliable, and the personal data handled within the certificate system is protected as effectively as it reasonably can be. We also found the security of the Tečka and čTečka mobile apps to be of a sufficiently high standard.

Analysis of the European COVID certificate, which is designed to prove a person's health status in relation to COVID-19, shows the high level of cyber protection the system provides. Tečka and čTečka, the two official Czech apps for managing and checking digital COVID-19 vaccination certificates, are also transparent and secure. This is the outcome of an investigation by our colleagues in the Security Assessment Division.

“Both apps are written and built according to the current trends and rules which we recommend to our clients,” says our colleague Martin Musil, Mobile Security Specialist. According to him, the only shortcoming is that the production versions of the Tečka and čTečka apps for the Android platform contain hyperlinks to the testing environment of the Ministry of Health or the Institute of Health Information Systems. These are publicly accessible and could potentially serve as a place from which hackers launch their attacks.
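Leftover test or staging endpoints in a release build are easy to miss by eye, so the check a practitioner would add is mechanical: pull every URL out of the decoded APK (for example from `apktool d` output or `strings classes.dex`) and flag any host that is not on the production allowlist. The script below is an added illustration of that check, not code from the test described here or from either app; the hostnames, the allowlist and the sample strings are constructed placeholders, not the real endpoints of Tečka or čTečka.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: lines as they might come out of `strings classes.dex`
# or a decoded res/values/strings.xml. All hosts are made-up placeholders.
SAMPLE_STRINGS = """\
https://api.example.gov/v1/certificates
https://test-api.example.gov/v1/certificates
http://staging.example-health.org/verify
https://cdn.example.gov/keys.json
https://dev1.example.gov:8443/internal
not a url at all
"""

# Assumed allowlist: the only hosts a release build should ever contact.
PRODUCTION_HOSTS = {"api.example.gov", "cdn.example.gov"}

# Name fragments that usually mark non-production infrastructure (heuristic only;
# the allowlist check above is the authoritative one).
SUSPECT_MARKERS = ("test", "staging", "dev", "uat", "sandbox", "localhost")

URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def extract_urls(text):
    """Return the distinct http(s) URLs found in a blob of extracted strings."""
    return sorted(set(URL_RE.findall(text)))


def classify(url):
    """Return (host, reasons); an empty reasons list means the URL looks fine."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme == "http":
        reasons.append("cleartext http")
    if host not in PRODUCTION_HOSTS:
        reasons.append("host not in production allowlist")
    if any(marker in host for marker in SUSPECT_MARKERS):
        reasons.append("host name looks non-production")
    return host, reasons


def audit(text):
    """Map every suspicious URL in `text` to the list of reasons it was flagged."""
    findings = {}
    for url in extract_urls(text):
        _host, reasons = classify(url)
        if reasons:
            findings[url] = reasons
    return findings


if __name__ == "__main__":
    for url, reasons in audit(SAMPLE_STRINGS).items():
        print(f"{url}: {', '.join(reasons)}")
```

Run it against the real string dump of a release APK; anything it flags should either be removed from the build or consciously added to the allowlist by whoever owns the endpoint.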

It remains the case that none of the publicly reported problems with COVID certificates are attributable to sophisticated attacks on these apps. The known cases of fraud were made possible in part by obvious security flaws in the certificate servers of individual EU countries, by outdated computer systems in doctors' surgeries, and by errors on the part of specific responsible persons, including staff at vaccination centres.

One important finding for users' security is that the čTečka app does not store the signatures of scanned certificates, or the QR code itself, in its local storage; it only records the number of certificates checked and their status. “Simply put, there is no risk that civil servants, service employees or entrepreneurs in the hospitality industry could collect the checked certificates of visitors and then use them in an illegal manner,” added our colleague Martin.
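The property described above is testable: persist some scans, dump whatever the app wrote to disk, and search it for the certificate payload. The snippet below is an added illustration of that data-minimisation pattern and of the check for it; it is not code from čTečka or from the test report. It contrasts a leaky store that keeps the raw QR text with a minimal store that keeps only per-status counters, using an in-memory SQLite database as a stand-in for the app's local storage. The QR strings are constructed stand-ins in the "HC1:" shape, not real certificates.

```python
import sqlite3

# Constructed sample scans: (qr_text, verification_status). Made-up strings in the
# "HC1:" + base45 shape of an EU DCC QR code; they are not real certificates.
SAMPLE_SCANS = [
    ("HC1:NCFOXN%TSMAHN-HQ8XYZ5RK7Y3A+PQ", "valid"),
    ("HC1:NCFOXN%TSMAHN-HVM2L3QW9R/KT$1-", "valid"),
    ("HC1:NCFOXN%TSMAHN-H3Z.PCDE+8:NM7UBQ", "invalid"),
]


def open_store():
    """Open a fresh store with both schemas so the two policies can be compared."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE scans_raw (qr TEXT, status TEXT)")
    conn.execute("CREATE TABLE scan_counters (status TEXT PRIMARY KEY, count INTEGER)")
    return conn


def record_leaky(conn, qr, status):
    """The pattern to avoid: the whole QR payload (and thus the signature) lands on disk."""
    conn.execute("INSERT INTO scans_raw VALUES (?, ?)", (qr, status))


def record_minimal(conn, status):
    """The minimal pattern: only a per-status counter is touched, nothing from the QR."""
    conn.execute("INSERT OR IGNORE INTO scan_counters VALUES (?, 0)", (status,))
    conn.execute("UPDATE scan_counters SET count = count + 1 WHERE status = ?", (status,))


def counters(conn):
    """Return {status: count} for everything recorded so far."""
    return dict(conn.execute("SELECT status, count FROM scan_counters"))


def persisted_text(conn):
    """Everything the store would write to disk, rendered as SQL text."""
    return "\n".join(conn.iterdump())


def leaks_payload(conn, qr):
    """The check: does the persisted state contain the scanned QR payload (with or
    without its HC1: prefix)?"""
    dump = persisted_text(conn)
    body = qr[4:] if qr.startswith("HC1:") else qr
    return qr in dump or body in dump


if __name__ == "__main__":
    minimal = open_store()
    for qr, status in SAMPLE_SCANS:
        record_minimal(minimal, status)
    print("counters:", counters(minimal))
    print("minimal store leaks payload:", leaks_payload(minimal, SAMPLE_SCANS[0][0]))
```

On a real device the same idea applies with `adb backup` or a pulled `/data/data/<package>` directory: grep the app's files and databases for the QR text and the base45 body of a certificate you just scanned; a verifier app that behaves as described above should give no hits.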

More detailed information about the test can be found at https://www.hackinglab.cz/cs/blog/bezpecnost-ockovacich-certifikatu-a-aplikace-ctecka/.