Privacy Technology

Egypt's COP27 Summit App is a Cyber Weapon, Experts Warn (politico.eu)

Western security advisers are warning delegates at the COP27 climate summit not to download the host Egyptian government's official smartphone app, amid fears it could be used to hack their private emails, texts and even voice conversations. From a report: Policymakers from Germany, France and Canada were among those who had downloaded the app by November 8, according to two separate Western security officials briefed on discussions within these delegations at the U.N. climate summit.

Other Western governments have advised officials not to download the app, said another official from a European government. All of the officials spoke on the condition of anonymity to discuss international government deliberations. The potential vulnerability from the Android app, which has been downloaded thousands of times and provides a gateway for participants at COP27, was confirmed separately by four cybersecurity experts who reviewed the digital application for POLITICO. The app is being promoted as a tool to help attendees navigate the event. But it risks giving the Egyptian government permission to read users' emails and messages. Even messages shared via encrypted services like WhatsApp are vulnerable, according to POLITICO's technical review of the application, and two of the outside experts.

  • Because a GOVERNMENT did it, not some individuals.

    • We’ll hold them accountable in some roundabout way, they’re burning diplomatic capital on stunts like this.

      It’d be great if we could just march in and arrest Egypt for the CFAA but how on earth do you propose that would work?

  • Crappy article (Score:5, Informative)

    by piojo ( 995934 ) on Thursday November 10, 2022 @10:45AM (#63040897)

    This article quotes wildly disagreeing opinions about how dangerous or benign this app is. Unfortunately the authors neither have the technical knowledge to weigh in with a conclusion, nor did they provide the readers enough information to make their own decision.

    What are the permissions? What is the basis for claiming the app would have sensitive access even after it's uninstalled?

    Save some time and just close this page now. There's not even anything to discuss.

    • It's a bad article that raises valid concerns but then puts undue blame on Egypt. Political leaders really should not be putting any nation's app on their phones. But it raises a lot of questions about what that actually includes. If anything, this app could probably be used by Egypt against its own citizens involved with the event who might be planning climate-related protests and it's likely the main target of any spying they might do.

      The US can just issue a National Security Letter and demand the same

      • Re:Crappy article (Score:4, Insightful)

        by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday November 10, 2022 @11:16AM (#63040957) Homepage Journal

        It's a bad article that raises valid concerns but then puts undue blame on Egypt.

        If the concerns are valid then who is more to blame than the nation which created the malware? Answer, nobody.

        The US can just issue a National Security Letter and demand the same bad code go into a commercial app and nobody will ever know.

        Oh, look! Whataboutism!

        • If the concerns are valid then who is more to blame than the nation which created the malware? Answer, nobody.

          I don't think there's any agreement that they've done anything. That was my point. We don't have to blame them for doing something nefarious to just have a practice of not installing unnecessary government-sponsored apps.

          Oh, look! Whataboutism!

          It was already whataboutism. The problem really is universal and pointing the finger at a single country misses the whole entire point.

    • by boskone ( 234014 )

      I've never met an app that was so valuable that I would try it if there were suggestions of spying from it.

      I would say, even if they haven't nailed it, there's enough buzz that people should probably just not use the app.

      BTW, this will also start to tell app devs and sponsors that if their app is abusive, it might get very little usage.

  • Something like organising a conference could be done with a web app surely? The sort of stuff that really requires a "native" app is compute or graphics heavy stuff, no?
    I installed an app for a UK hardware chain once (Screwfix) and it's effectively just the same as you get in the browser only worse so I binned it. The intent of the app providers is nefarious in both cases though I had hoped the Screwfix app would offer better search facilities or something like that.
    • Most apps these days are just WebViews. If they at least pin a native menu system on it, and heavily cache the graphics in the download package (even though an HTML5 manifest will do that too) it will still be somewhat useful. But it's a way to get a better unique identifier that the web won't give you. Usually though they just want to send notifications (which web can do but it's easier to say no).

    • by ceoyoyo ( 59147 )

      They are web apps. But most of them have the ability to cache things like the conference schedule, which is very handy when you realize that the conference wifi isn't really able to cope with ten thousand attendees trying to watch netflix because the sessions are so boring.

      • by Plugh ( 27537 )

        Browsers already have caches.

        A standard that says, "please keep my cached data locally even after leaving the page because I will refer to it when I come back later and may be disconnected from the network at that time" is a lot simpler and more secure than running an entire native app locally, just so it can store files.

        • by ceoyoyo ( 59147 )

          You should forward your suggestion to Google. I'm sure they will be happy to receive it.

    • by Plugh ( 27537 ) on Thursday November 10, 2022 @12:55PM (#63041139) Homepage
      We collectively -- all of us software/tech geeks -- worked so fucking HARD throughout the '90s and 00's to make the web based on open standards precisely so it would not goddamn MATTER what device you're on, what OS it runs, or which brand of web browser you use.

      Microsoft tried adding Windows-only ActiveX to webpages. It was a task of Hercules to crush that shit. But we did.

      Finally, by the mid-2000's -- just before the advent of "smart phones" -- we had a more or less universally interoperable WWW. I could use a given website to check my email, read news, share files, play games, or do whatever on any of my Linux, Solaris, Windows, or Mac devices.

      Then "native apps" and "app stores" became a thing. And all that hard work by hundreds of thousands of us was neutralized.

      Fuck Apple. Fuck Google. And fuck the skull of Microsoft [imgur.com]

      • +10

      • by rlwinm ( 6158720 )
        I agree 100%. In fact I don't install almost any apps on my phone. I use the browser. I have never understood why the browser on my phone can't do 99% of what I need. Yet every time I go to Reddit, FoxNews, etc. it pops up a little annoying "Download our app" banner. I will not download apps that just display content because I already have an app for that... the browser!

        In fact with concepts like service workers and IndexedDB the web is a very capable application delivery platform.
  • ... use essentially disposable/wipeable phones while they're at a conference? After all, a gathering of politicians from all over the world would be playtime for any black hats never mind the ones paid by the host nation. You can guarantee that Russia and China would be gathering and hacking as much intel as they could at these sorts of events as well as countries nominally on "our side" such as the US and Israel.

    • Seems to me like the best option would be one of the few phones with a removable battery, and when you're done with an event the phone gets analyzed by the NSA for signs of snooping, then it gets imaged and the image filed and stored, and finally the battery removed and the phone itself filed and stored (with an appropriate retention period.) The waste is unfortunate, but from a national security standpoint it seems wisest since you can't know if there's some trojan built into the device which was enabled d

  • by OzPeter ( 195038 ) on Thursday November 10, 2022 @12:06PM (#63041035)

    There has been a long history of apps asking/requiring permissions that they don't need, simply due to the stupidity of the coders not considering what they are actually doing and asking for everything.

    OTOH such a meeting would be a target rich environment for various intelligence agencies. But without further proof you can't really say what the cause is.

    OTTH (third hand) Why not both?

    • by znrt ( 2424692 )

      There has been a long history of apps asking/requiring permissions that they don't need, simply due to the stupidity of the coders not considering what they are actually doing and asking for everything.

      OTOH such a meeting would be a target rich environment for various intelligence agencies. But without further proof you can't really say what the cause is.

      OTTH (third hand) Why not both?

      indeed. then again, a government issuing an official app for an international high profile event that anybody can reverse engineer and find overreaching or even using exploits ... without even reading tfa i'm betting on bullshit.

      i have little doubt governments routinely spy on their own citizens and on foreigners, but this isn't how any of that spying works.

      • by nasch ( 598556 )

        You're confident the Egyptian government is more competent than that? Is there any basis for such confidence? (I don't know much about Egypt)

  • Facebook, Twitter, Apple, Google, Pinterest, Instagram, Snapchat, etc. etc. etc.?
  • "Western security advisers are warning delegates at the COP27 climate summit not to download the host Egyptian government's official smartphone app, amid fears it could be used to hack their private emails, texts and even voice conversations"

    Cause that's what we do /s
  • Big deal. Biden's diaper is a bioweapon.
