Vaccinated people have recently been able to prove their immunization via smartphone app – for example when traveling, in restaurants, at the hairdresser or in museums. The promise: Get out your phone, start the app, present the QR code – done.
Currently, about 34 million people in Germany are already fully vaccinated and can apply for the digital vaccination certificate. The necessary certificate is available in pharmacies, doctor's offices or vaccination centers. The apps needed for smartphones are available free of charge from the usual app stores.
But how secure is the data kept in these apps? And how useful is the digital vaccination certificate at all? IMTEST, the consumer magazine of FUNKE Mediengruppe, commissioned AV-Test, a renowned IT security testing laboratory, to investigate these questions.
Digital vaccination certificate via app: Three providers in check
After the second vaccination, everyone receives a vaccination certificate from the vaccinating general practitioner or specialist or via the respective vaccination center. On it there is a so-called QR code. These square codes are ideal for transferring a small amount of data quickly and easily. In this case, the code contains all the data recorded when the vaccination certificate was issued: vaccination status, date and dose of vaccinations, last name, first name and date of birth.
Currently, just three apps can scan the QR codes:
- Corona Warning App (CWA),
- CovPass (like the warning app published by the Robert Koch Institute, RKI) and
- Luca app from Culture4Life.
The digital vaccination record generated in this way can then be kept in the app.
The security experts at AV-Test took a close look at the three offerings. The incoming and outgoing connections to and from the apps were analyzed and examined for vulnerabilities that could allow data theft. The lab also checked the app source code and the data protection declarations.
Justified criticism of the Luca app
Ever since its release, the Luca app has been under constant fire. However, the app itself is less at the center of criticism than the underlying overall approach. For example, completely fictitious data or names, addresses and phone numbers of other people can be entered during registration.
In addition, personal data is not stored on the smartphone itself, but on the operator's servers. How secure it is there, only the German provider Culture4Life itself knows.
Warning app with minor weaknesses
Good: The Corona warning app, developed by the German software group SAP and Deutsche Telekom AG, does not require registration and thus does not collect or send any directly personal information such as name, address or phone number. This means that it can be used completely anonymously and without registration.
In addition, according to the AV-Test analyses, the app offers a high security standard. Communication via the Internet, for example, is always secure and encrypted according to the current state of technology. The data stored on the smartphone is also well protected.
What is questionable, however, is the Android app's dependence on certain Google services, whose full functionality and implementation remain Google's secret.
What is insecure: According to the security company GDATA, the RKI's Corona warning app does not check the signatures for the digital proof of vaccination. In principle, anyone can forge a certificate that looks genuine at first glance.
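To make the signature-check point concrete, here is an added example in Go (not code from any of the apps, from GDATA or from the IMTEST/AV-Test review). It uses a constructed token layout and Ed25519 keys that are assumptions of the example, not the real EU certificate encoding: a checker that only decodes the payload accepts a modified certificate, while one that verifies the issuer's signature against a pinned public key rejects it.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding

// Certificate holds the fields the article says the QR code carries. The token layout
// (base64url payload "." base64url signature) is a constructed stand-in, not the EU DCC format.
type Certificate struct {
	GivenName, FamilyName, DateOfBirth string
	Doses                              int
}

// Issue signs the certificate with the issuer's private key and returns a token.
func Issue(priv ed25519.PrivateKey, c Certificate) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	return b64.EncodeToString(body) + "." + b64.EncodeToString(ed25519.Sign(priv, body)), nil
}

// DecodeOnly mirrors the weakness the article describes: no check of who signed the payload.
func DecodeOnly(token string) (c Certificate, err error) {
	body, err := b64.DecodeString(strings.SplitN(token, ".", 2)[0])
	if err != nil {
		return c, err
	}
	return c, json.Unmarshal(body, &c)
}

// Verify checks the signature against a pinned issuer key before trusting any field.
func Verify(pub ed25519.PublicKey, token string) (c Certificate, err error) {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return c, errors.New("malformed token")
	}
	body, err := b64.DecodeString(parts[0])
	sig, sigErr := b64.DecodeString(parts[1])
	if err != nil || sigErr != nil || len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, body, sig) {
		return c, errors.New("issuer signature does not verify")
	}
	return c, json.Unmarshal(body, &c)
}
```

A real verifier additionally has to fetch and pin the set of trusted issuer keys and check the certificate's validity period; this example only shows the signature step.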
Although both RKI apps handle user data with care, data theft is still possible here: anyone who photographs the QR code during the check can later evaluate the data it contains, such as name and date of birth.
CovPass app secure all around
The CovPass app, also released by the RKI, is basically a stripped-down version of the Corona warning app, limited to the vaccination certificate function alone.
From the point of view of security and data protection, this is a positive development, as it means that less data can be sent and collected. In addition, the CovPass app does not depend on Google services. So if you only want to store your vaccination record digitally, it is best to download the CovPass app.
Yellow vaccination book additionally advisable when traveling
With CovPass and the Corona warning app, Germany has implemented the European certificate and is already connected to the so-called European gateway server. The digital vaccination certificate can therefore be used across borders.
However, to be on the safe side and not to be rejected, the yellow vaccination book in paper form should be taken along as a precaution when traveling. The ID card or a passport for identification must be carried anyway.
Conclusion: This vaccination card app comes out on top in the test
The vaccination certificate apps from the RKI – especially the CovPass app – offer high security standards. However, both the CovPass and Corona warning apps allow user data to be read from photographed QR codes. Unauthorized persons should therefore not be able to view them. The Luca app is not suitable for storing the digital vaccination certificate – the data protection concept leaves too many questions unanswered.
1st place: CovPass app / IMTEST test winner, issue 07-2021
- Info at: digital-impfnachweis-app.de
- Price: free of charge
- Slimmed-down version of the Corona warning app with a focus on the vaccination certificate function. Thus a smaller attack surface.
- + No weaknesses discovered around security and data protection.
- – Apart from vaccination certificate management, no other functions.
- Score: very good 1.2
2nd place: Corona warning app
- Info at: coronawarn.app/en
- Price: free of charge
- With a special module for the digital vaccination certificate. Due to the app's many functions, there are some points of attack.
- + General security and data protection at a high level.
- – On Android phones: Background services from Google.
- Score: very good 1.4
3rd place: Luca app
- Info at: luca-app.de
- Price: free of charge
- Digitally captures the visitor data required in many federal states, but has various security weaknesses.
- + Encrypts transmission of user data to the provider.
- – Inadequate concept for storing location information.
- Score: satisfactory 3.0