DIIA: Government mobile application tested by ISSP, checked by bug bounty community

diia-government-mobile-application-tested-by-issp


ISSP experts conducted a penetration test for the Ukrainian government of the DIIA mobile application, which is part of the national “State in a Smartphone” program. This multifunctional application provides Ukrainian citizens with immediate access to their photo IDs, driver’s licenses, and other documents. It also allows them to pay fines and register a business with a few clicks. DIIA has over one million users on Android devices (according to Google Play), while the App Store does not disclose information about the number of users on iOS devices.


The developer of the DIIA app, the Ministry of Digital Transformation of Ukraine, recognized the need to test it for vulnerabilities to prevent attacks from malicious actors. ISSP was selected to carry out this work as a participant in the USAID Cybersecurity for Critical Infrastructure in Ukraine program. DIIA mobile apps for both platforms as well as the environment (API and back end) were tested for vulnerabilities, logical flaws, and other security weaknesses.

“It was a very challenging project with heavy responsibility since the apps we tested are of national scale for a country of more than 40 million people,” says Artem Mykhailov, the enterprise solutions director at ISSP. “We decided to execute the project in two tracks. Two independent teams were performing the test with a short delay one after another. This helped us to eliminate human error and enhance the out-of-the box thinking approach. Two heads are better than one. We eventually were very pleased that the public bug bounty program demonstrated nearly zero results.”

The high level of the ISSP pentest was proven when the application was submitted to the Bugcrowd bug bounty program for additional tests. The Bugcrowd platform offers ethical hackers cash prizes for discovering undocumented vulnerabilities. Bug bounties are used by world-famous companies. For example, Apple, Mastercard, and Tesla have asked the bug bounty community to double-check their products. In the case of the DIIA application, 27 independent testers looked at the app and only four small vulnerabilities were found.


If you are interested in learning more about our penetration testing methodology, please fill out the form and our representative will get back to you within 24 hours:

 

Back