Sicilia Si Cura: a COVID-19 tracking app packed with thousands of useless files

Sicilia Si Cura (GooglePlay) is an Android and iOS application developed by Italian’s administrative region Sicily. The application works in conjunction with the web portal at the address www.siciliacoronavirus.it (since the redirection, if done via HTTPS, is broken, you can access the destination website through this link).

The application has been pushed to all people entering the region after COVID-19 outbreak, although only the website registration is mandatory, while the use of the mobile app is only suggested.

Privacy policy

The privacy policy clearly states that the user will be identified (through username and password), although the GPS location will be used only to check that the app is used from within the region boundaries.

Ionic framework

The developers took advantage of the famous Open Source Ionic Framework therefore a static code analysis did not even require any disassembly or reverse engineering technique. The Android APK can just be unzipped. The whole application code (plain javascript, not even obfuscated) can be read with any text editor from the directory /assets/public

This analysis is based on version 4.0 of the application.

Developers had some issue at source code organization

A quick look at the APK content highlights that the developer must have done some weird copy/paste, which led to a massive duplication of resources which left an old copy of the app aside the new one. If you navigate the Ionic web root folder, you’ll see, in the root, 114 files and directories with the very same name but ending with copia string (copy in Italian). Follows an extract of the listing:

-rw-r--r-- 1 user user  10863 May 19 23:46 96.8e9ad06a1471ce64fedf.js
-rw-r--r-- 1 user user   7514 May 19 23:46 97.25e607a5dc9cb3e2775f copia.js
-rw-r--r-- 1 user user   7514 May 19 23:46 97.25e607a5dc9cb3e2775f.js
-rw-r--r-- 1 user user   7347 May 19 23:46 98.1f700255683a7e19c03f copia.js
-rw-r--r-- 1 user user   7347 May 19 23:46 98.1f700255683a7e19c03f.js
-rw-r--r-- 1 user user   8975 May 19 23:46 99.7359f6dc5f8d2788f05e copia.js
-rw-r--r-- 1 user user   8975 May 19 23:46 99.7359f6dc5f8d2788f05e.js
drwxr-xr-x 4 user user   4096 May 19 23:46 assets
drwxr-xr-x 4 user user   4096 May 19 23:46 assets copia
-rw-r--r-- 1 user user  15168 May 19 23:46 common.92b17c7aab4d8fd9e3dc copia.js
-rw-r--r-- 1 user user  15168 May 19 23:46 common.92b17c7aab4d8fd9e3dc.js
-rw-r--r-- 1 user user  60255 May 19 23:46 cordova.js
-rw-r--r-- 1 user user    502 May 19 23:46 cordova_plugins.js
-rw-r--r-- 1 user user   1443 May 19 23:46 index copia.html
-rw-r--r-- 1 user user   1443 May 19 23:46 index.html
-rw-r--r-- 1 user user 603870 May 19 23:46 main.06ebb2152b08aae3546c copia.js
-rw-r--r-- 1 user user 805615 May 19 23:51 main.06ebb2152b08aae3546c.js
-rw-r--r-- 1 user user   1085 May 19 23:46 manifest.webmanifest
-rw-r--r-- 1 user user   1085 May 19 23:46 manifest.webmanifest copia
-rw-r--r-- 1 user user  13419 May 19 23:46 native-bridge.js
drwxr-xr-x 3 user user   4096 May 19 23:46 plugins
-rw-r--r-- 1 user user  50286 May 19 23:46 polyfills.c14d73f1b822565e96b5 copia.js
-rw-r--r-- 1 user user  50286 May 19 23:46 polyfills.c14d73f1b822565e96b5.js
-rw-r--r-- 1 user user 135199 May 19 23:46 polyfills-es5.5754f59f73a7ca677ba0 copia.js
-rw-r--r-- 1 user user 135199 May 19 23:46 polyfills-es5.5754f59f73a7ca677ba0.js
-rw-r--r-- 1 user user   4924 May 19 23:46 runtime.cf9d9dc84d36c6529a84 copia.js
-rw-r--r-- 1 user user   4924 May 19 23:46 runtime.cf9d9dc84d36c6529a84.js
-rw-r--r-- 1 user user   7951 May 19 23:46 stencil-polyfills-css-shim.b137ecabe6be0c154dab copia.js
-rw-r--r-- 1 user user   7951 May 19 23:46 stencil-polyfills-css-shim.b137ecabe6be0c154dab.js
-rw-r--r-- 1 user user  18449 May 19 23:46 stencil-polyfills-dom.c1aba587344775529d48 copia.js
-rw-r--r-- 1 user user  18449 May 19 23:46 stencil-polyfills-dom.c1aba587344775529d48.js
-rw-r--r-- 1 user user  22139 May 19 23:46 styles.a7db10f0428d93f41127 copia.css
-rw-r--r-- 1 user user  22139 May 19 23:46 styles.a7db10f0428d93f41127.css
drwxr-xr-x 2 user user  57344 May 19 23:46 svg
drwxr-xr-x 2 user user  20480 May 19 23:46 svg copia

Could this be a threat?

The presence of thousands (look at the svg copia folder content) of useless files is symptom of negligence and poor coding and building best practices. Let me say that an analysis focused on privacy leaks, is not within the scope of this article (the policy is clear: we track you; you install it and you accept that), although I think that such lack of code organization might highlight other issues at process level, like the absence of any quality assurance test, not mentioning the lack of a code repository/version control system like Git.

All security assessments start from policies, and if they are not applied or, worst, they do not even exist, we can surely talk about an increase of the security risk’s level.
This kind of application are built to track a pandemic outbreak, they build confidence and they require a “trust” relationship between the user and the developer.
I think the above is the manifestation of a lack of professionalism, especially if we consider that this was paid by public funds.

See Also