
Hacking fears raised over Home Office residency app

By Julian Shea in London | China Daily Global | Updated: 2019-11-15 07:04


Users could risk putting personal data in peril

An app designed by the Home Office to assist European Union citizens looking to remain in the United Kingdom after Brexit has been revealed to have serious weaknesses which could allow the theft of users' private data, the Financial Times has reported.

The EU Exit: ID Document Check app was introduced earlier this year to replace the 85-page written application form, and so far it has been downloaded by more than one million of the 3.5 million EU citizens in the UK.

It allows users to submit photographs of their documentation, and the biometric chips in EU passports allow Home Office officials to check their validity, with facial recognition technology from a company called iProov ensuring that names and faces match up.

But when experts from Norwegian cybersecurity company Promon tested out the Android phone version of the app, they found flaws allowing them to see and potentially alter data as it was typed in, and to view passport information.

The first iPhone version of the app was not launched until the middle of October, shortly before the supposed Brexit deadline, which was then delayed for the third time, and even that was only usable on the most recent iPhone 8 model, launched in autumn 2017. Older phones would be able to use it following the next iPhone software update, the Home Office said.

A grassroots movement for European citizens in the United Kingdom called the Three Million said that the iPhone app still left many potential users "out of the loop", as just under 50 percent of UK smartphones are Apple, but of that number, only one in three are iPhone 8 or newer.

"Very personal and sensitive information is being handled, and millions of people are using it so you would expect stringent protection measures, similar to banking apps," said Promon's Chief Technology Officer Tom Lysemose Hansen.

"The tools we used are typically very easily accessible and require very little technical skill to use. It means any type of bad actor could perform this attack, without sophisticated technical knowledge.

"There is very little the end user can do, since this is a government app. There is a lot of responsibility on the app makers to provide security measures here, because of this level of trust."

No previous security problems had been reported since the app was launched in March, after a period of testing, and it is billed as "safe and secure" on the Google Play Store. Its last external security test was carried out in September.

"Over a million people have used the app safely and we continually review our systems to ensure that it is kept safe," said a spokesperson for the Home Office.

"We take the security and protection of personal information extremely seriously. The EU Exit: ID Document Check app is regularly tested by independent security firms against all known and emerging threats and adheres to industry best practice on security, performance and accessibility."
