Press play to listen to this article
Western security advisers are warning delegates at the COP27 climate summit not to download the host Egyptian government’s official smartphone app, amid fears it could be used to hack their private emails, texts and even voice conversations.
Policymakers from Germany, France and Canada were among those who had downloaded the app by November 8, according to two separate Western security officials briefed on discussions within these delegations at the U.N. climate summit.
Other Western governments have advised officials not to download the app, said another official from a European government. All of the officials spoke on the condition of anonymity to discuss international government deliberations.
The potential vulnerability from the Android app, which has been downloaded thousands of times and provides a gateway for participants at COP27, was confirmed separately by four cybersecurity experts who reviewed the digital application for POLITICO.
The app is being promoted as a tool to help attendees navigate the event. But it risks giving the Egyptian government permission to read users’ emails and messages. Even messages shared via encrypted services like WhatsApp are vulnerable, according to POLITICO’s technical review of the application, and two of the outside experts.
The app also provides Egypt’s Ministry of Communications and Information Technology, which created it, with other so-called backdoor privileges, or the ability to scan people’s devices.
On smartphones running Google’s Android software, it has permission to potentially listen into users’ conversations via the app, even when the device is in sleep mode, according to the three experts and POLITICO’s separate analysis. It can also track people’s locations via smartphone’s built-in GPS and Wi-Fi technologies, according to two of the analysts.
The app is nothing short of “a surveillance tool that could be weaponized by the Egyptian authorities to track activists, government delegates and anyone attending COP27,” said Marwa Fatafta, digital rights lead for the Middle East and North Africa for Access Now, a nonprofit digital rights organization.
“The application is a cyber weapon,” said one security expert after reviewing it, who spoke on the condition of anonymity to protect colleagues attending COP.
The Egyptian government did not respond to requests for comment. Google said it had reviewed the app and had not found any violations to its app policies.
The potential security risk comes as thousands of high-profile officials descend on Sharm El-Sheikh, the Egyptian resort town, where so-called QR codes, or quasi-bar codes that direct people to download the smartphone application, are dotted around the city.
Participants at COP27 include global leaders like French President Emmanuel Macron, British Prime Minister Rishi Sunak and U.S. Secretary of State Antony Blinken, though such high profile politicians are unlikely to download another government’s app.
The experts who spoke to POLITICO said that much of the data and access that the COP27 app gets is fairly standard. But, according to three of these specialists, the combination of the Egyptian government’s track record on human rights and the types of people who would downloaded the app represent a cause for concern.
Strange and extensive access
Three of the researchers said the app posed surveillance risks to those who download it due to its widespread permissions to review people’s devices, though the extent of the risk remains unclear.
Elias Koivula, a researcher at WithSecure, a cybersecurity firm, reviewed the Android app for POLITICO and said he had found no evidence people’s emails had been read. Many of the permissions granted to the climate change conference app also have benign purposes like keeping people up-to-date with the latest travel information around the summit, he added.
But Koivula said other permissions granted to the app appeared “strange” and could potentially be used to track people’s movements and communications. So far, he said he had no evidence that such activity had taken place.
Not all the experts agreed on the risks.
Paul Shunk, a security intelligence engineer at cybersecurity firm Lookout, said he had found no evidence the app had access to emails, describing the idea that it posed a surveillance risk as “strange.” He was confident the app was not built as typical spyware, pouring cold water on claims the app functioned as a listening device. Shunk said it could not record audio if it was running in the background, which makes it “almost completely unsuitable for spying on users.”
The COP27 app uses location tracking “extensively,” Shunk said, but seemingly for legitimate purposes like route planning for summit attendees. It lacked the ability to access location in the background, based on Android permissions, which would be what the app would need for continuous location tracking, he added.
The other two cybersecurity analysts who reviewed the app spoke on the condition of anonymity to safeguard their ongoing security work and to protect colleagues attending the climate change conference.
“Let me put it this way: I wouldn’t download this app onto my phone,” said one of those experts. Those two the researchers also warned that once the application had been downloaded onto a device, it would be difficult, if not impossible, to remove its ability to access people’s sensitive data — even after it had been deleted.
POLITICO checked the app’s potential security risks via two open cybersecurity tools, and both raised concerns about its ability to listen to people’s conversations, track their locations and alter how the app operates without asking for permission.
Both Google and Apple approved the app to appear in their separate app stores. All of the analysts only reviewed the Android version of the app, and not the separate app created for Apple’s devices. Apple declined to comment on the separate app created for its App Store.
Egypt’s track(ing) record
Adding to rights groups’ concerns is the track record of the Egyptian government to monitor its people. In the wake of the so-called Arab Spring, Cairo has clamped down on dissidents and used local emergency rules to track its citizens online and offline activity, according to a report by Privacy International, a nonprofit organization.
As part of the smartphone app’s privacy notice, the Egyptian government says it has the right to use information provided by those who have downloaded the app, including GPS locations, camera access, photos and Wi-Fi details.
“Our application reserves the right to access customer accounts for technical and administrative purposes and for security reasons,” the privacy statement said.
Yet the technical review, both by POLITICO and the outside experts of the COP27 smartphone application discovered further permissions that people had granted, unwittingly, to the Egyptian government that were not made public via its public statements.
These included the application having the right to track what attendees did on other apps on their phone; connecting users’ smartphones via Bluetooth to other hardware in ways that could lead to data being offloaded onto government-owned devices; and independently linking individuals’ phones to Wi-Fi networks, or making calls on their behalf without them knowing.
“The Egyptian government cannot be entrusted with managing people’s personal data given its dismal human rights record and blatant disregard for privacy,” said Fatafta, the digital rights campaigner.
This article is part of POLITICO Pro
The one-stop-shop solution for policy professionals fusing the depth of POLITICO journalism with the power of technology
Exclusive, breaking scoops and insights
Customized policy intelligence platform
A high-level public affairs network