Sicilia Si Cura: a COVID-19 tracking app packed with thousands of useless files
Sicilia Si Cura (Google Play) is an Android and iOS application developed by the Italian administrative region of Sicily. The application works in conjunction with the web portal at www.siciliacoronavirus.it (the redirection from that address is broken when done over HTTPS, so you can reach the destination website through this link).
The application has been pushed to everyone entering the region after the COVID-19 outbreak, although only the website registration is mandatory, while use of the mobile app is merely recommended.
Privacy policy
The privacy policy clearly states that the user will be identified (through username and password), although the GPS location will be used only to check that the app is being used from within the region's boundaries.
Ionic framework
The developers built the app on the well-known open source Ionic Framework, so static code analysis did not require any disassembly or reverse engineering technique. The Android APK can simply be unzipped, and the whole application code (plain JavaScript, not even obfuscated) can be read with any text editor from the directory /assets/public, where the Ionic build output is packaged.
This analysis is based on version 4.0 of the application.
Developers had some issues with source code organization
A quick look at the APK content shows that the developer must have done some odd copy/paste, which led to massive duplication of resources and left an old copy of the app alongside the new one. If you navigate the Ionic web root folder you'll see, in the root, 114 files and directories with the very same name but ending with the string copia (copy in Italian). Note in the extract that the main.*.js copy is not even identical to the current file: it differs in size (603870 vs 805615 bytes) and modification time, so it is a stale build rather than a plain duplicate. An extract of the listing follows:
-rw-r--r-- 1 user user 10863 May 19 23:46 96.8e9ad06a1471ce64fedf.js
-rw-r--r-- 1 user user 7514 May 19 23:46 97.25e607a5dc9cb3e2775f copia.js
-rw-r--r-- 1 user user 7514 May 19 23:46 97.25e607a5dc9cb3e2775f.js
-rw-r--r-- 1 user user 7347 May 19 23:46 98.1f700255683a7e19c03f copia.js
-rw-r--r-- 1 user user 7347 May 19 23:46 98.1f700255683a7e19c03f.js
-rw-r--r-- 1 user user 8975 May 19 23:46 99.7359f6dc5f8d2788f05e copia.js
-rw-r--r-- 1 user user 8975 May 19 23:46 99.7359f6dc5f8d2788f05e.js
drwxr-xr-x 4 user user 4096 May 19 23:46 assets
drwxr-xr-x 4 user user 4096 May 19 23:46 assets copia
-rw-r--r-- 1 user user 15168 May 19 23:46 common.92b17c7aab4d8fd9e3dc copia.js
-rw-r--r-- 1 user user 15168 May 19 23:46 common.92b17c7aab4d8fd9e3dc.js
-rw-r--r-- 1 user user 60255 May 19 23:46 cordova.js
-rw-r--r-- 1 user user 502 May 19 23:46 cordova_plugins.js
-rw-r--r-- 1 user user 1443 May 19 23:46 index copia.html
-rw-r--r-- 1 user user 1443 May 19 23:46 index.html
-rw-r--r-- 1 user user 603870 May 19 23:46 main.06ebb2152b08aae3546c copia.js
-rw-r--r-- 1 user user 805615 May 19 23:51 main.06ebb2152b08aae3546c.js
-rw-r--r-- 1 user user 1085 May 19 23:46 manifest.webmanifest
-rw-r--r-- 1 user user 1085 May 19 23:46 manifest.webmanifest copia
-rw-r--r-- 1 user user 13419 May 19 23:46 native-bridge.js
drwxr-xr-x 3 user user 4096 May 19 23:46 plugins
-rw-r--r-- 1 user user 50286 May 19 23:46 polyfills.c14d73f1b822565e96b5 copia.js
-rw-r--r-- 1 user user 50286 May 19 23:46 polyfills.c14d73f1b822565e96b5.js
-rw-r--r-- 1 user user 135199 May 19 23:46 polyfills-es5.5754f59f73a7ca677ba0 copia.js
-rw-r--r-- 1 user user 135199 May 19 23:46 polyfills-es5.5754f59f73a7ca677ba0.js
-rw-r--r-- 1 user user 4924 May 19 23:46 runtime.cf9d9dc84d36c6529a84 copia.js
-rw-r--r-- 1 user user 4924 May 19 23:46 runtime.cf9d9dc84d36c6529a84.js
-rw-r--r-- 1 user user 7951 May 19 23:46 stencil-polyfills-css-shim.b137ecabe6be0c154dab copia.js
-rw-r--r-- 1 user user 7951 May 19 23:46 stencil-polyfills-css-shim.b137ecabe6be0c154dab.js
-rw-r--r-- 1 user user 18449 May 19 23:46 stencil-polyfills-dom.c1aba587344775529d48 copia.js
-rw-r--r-- 1 user user 18449 May 19 23:46 stencil-polyfills-dom.c1aba587344775529d48.js
-rw-r--r-- 1 user user 22139 May 19 23:46 styles.a7db10f0428d93f41127 copia.css
-rw-r--r-- 1 user user 22139 May 19 23:46 styles.a7db10f0428d93f41127.css
drwxr-xr-x 2 user user 57344 May 19 23:46 svg
drwxr-xr-x 2 user user 20480 May 19 23:46 svg copia
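To turn the observation above into a repeatable check, here is an added example (my own code, not part of the original article or of the app's sources). It unzips only the assets/public web root from an APK, pairs every top-level entry whose name contains " copia" with the entry obtained by removing that marker (an assumed rule, but one that matches every pair in the listing), and reports whether each pair is byte-identical, differs (an old build left behind) or is orphaned with no current counterpart. The sample APK it builds is a constructed zip that only mimics a few names from the listing; run it with the real APK path as the first argument to get the real figures.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

COPY_MARKER = " copia"  # Italian for "copy", as seen in the APK listing
WEB_ROOT = "assets/public/"  # where the Ionic build output sits inside the APK


def extract_web_root(apk_path, dest):
    """Unzip only the web assets under assets/public/ and return that directory."""
    with zipfile.ZipFile(apk_path) as zf:
        for name in zf.namelist():
            if name.startswith(WEB_ROOT):
                zf.extract(name, dest)
    return Path(dest) / "assets" / "public"


def digest_tree(path):
    """Map relative path -> sha256 for a single file ('' key) or every file under a directory."""
    path = Path(path)
    if path.is_file():
        return {"": hashlib.sha256(path.read_bytes()).hexdigest()}
    out = {}
    for f in sorted(p for p in path.rglob("*") if p.is_file()):
        out[str(f.relative_to(path))] = hashlib.sha256(f.read_bytes()).hexdigest()
    return out


def classify_copies(web_root):
    """For each top-level '<x> copia<ext>' entry, compare it with '<x><ext>'.

    Assumption: the original name is the copy name with the first ' copia' removed,
    which covers '97.x copia.js', 'manifest.webmanifest copia' and 'svg copia' alike.
    Returns {copy_name: 'identical' | 'differs' | 'orphan'}.
    """
    web_root = Path(web_root)
    report = {}
    for entry in sorted(web_root.iterdir()):
        if COPY_MARKER not in entry.name:
            continue
        original = web_root / entry.name.replace(COPY_MARKER, "", 1)
        if not original.exists():
            report[entry.name] = "orphan"
        elif digest_tree(entry) == digest_tree(original):
            report[entry.name] = "identical"
        else:
            report[entry.name] = "differs"  # stale build, worth diffing by hand
    return report


def count_files(path):
    return sum(1 for p in Path(path).rglob("*") if p.is_file())


def analyze_apk(apk_path):
    """Return (copy report, total file count under assets/public) for an APK."""
    with tempfile.TemporaryDirectory() as tmp:
        root = extract_web_root(apk_path, tmp)
        return classify_copies(root), count_files(root)


def build_sample_apk(dest_dir):
    """Constructed sample: a tiny APK-like zip that mimics a few names from the listing."""
    apk = Path(dest_dir) / "sample.apk"
    with zipfile.ZipFile(apk, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")  # outside the web root, ignored
        zf.writestr(WEB_ROOT + "index.html", "<html>v4</html>")
        zf.writestr(WEB_ROOT + "index copia.html", "<html>v4</html>")
        zf.writestr(WEB_ROOT + "main.06ebb2152b08aae3546c.js", "console.log('new build');")
        zf.writestr(WEB_ROOT + "main.06ebb2152b08aae3546c copia.js", "console.log('old build');")
        zf.writestr(WEB_ROOT + "manifest.webmanifest", "{}")
        zf.writestr(WEB_ROOT + "manifest.webmanifest copia", "{}")
        zf.writestr(WEB_ROOT + "svg/a.svg", "<svg/>")
        zf.writestr(WEB_ROOT + "svg copia/a.svg", "<svg/>")
        zf.writestr(WEB_ROOT + "svg copia/b.svg", "<svg/>")  # extra icon only in the copy
        zf.writestr(WEB_ROOT + "plugins copia/x.js", "x")  # no 'plugins' counterpart
    return apk


def run_sample():
    """Build the constructed sample and analyze it; used when no APK path is given."""
    with tempfile.TemporaryDirectory() as tmp:
        return analyze_apk(build_sample_apk(tmp))


if __name__ == "__main__":
    import sys
    report, total = analyze_apk(sys.argv[1]) if len(sys.argv) > 1 else run_sample()
    print(f"{total} files under {WEB_ROOT}")
    for name, status in report.items():
        print(f"{status:10} {name}")
```

On the sample, the index and manifest copies come out identical, the main.*.js copy and the svg copia directory differ, and plugins copia is an orphan; the "differs" entries are the ones worth diffing, since they are the old build the author refers to rather than mere duplicates.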
Could this be a threat?
The presence of thousands of useless files (look at the content of the svg copia folder) is a symptom of negligence and of poor coding and build practices.
An analysis focused on privacy leaks is outside the scope of this article (the policy is clear: we track you; you install it and you accept that). Still, such a lack of code organization may point to other issues at the process level, such as the absence of any quality assurance testing, not to mention the lack of a code repository/version control system like Git. Shipping a stale bundle is not a vulnerability in itself, but it is extra code that a reviewer has to audit, it may still contain endpoints or logic the developers believe they removed, and anyone can read it just as easily as the current build.
All security assessments start from policies, and if they are not applied or, worse, do not even exist, we can surely talk about an increase in the level of security risk.
Applications of this kind are built to track a pandemic outbreak; they must build confidence and they require a relationship of trust between the user and the developer.
I think the above is a manifestation of a lack of professionalism, especially considering that it was paid for with public funds.