The 2020 US Presidential election is fast approaching and both candidates are currently using mobile apps as a means to raise funds and reach out to potential voters. However, new research from The App Analyst has revealed that both apps contain security flaws and privacy issues that could leave voters at risk.
The Vote Joe app used by the Biden 2020 Presidential campaign was found to be leaking potentially sensitive information about voters including their political affiliations and past voting choices. Additionally, the campaign’s iOS app failed to enforce email verification which means that non-US citizens could have signed up and accessed its data.
With the Vote Joe app installed, voters can promote the campaign to their contacts by sending pre-typed promotional text messages, and they can also provide information about the people in their contacts to the app’s creators. During its research, though, The App Analyst found that anyone could potentially compromise the data harvested by the app’s creators by adding fake contacts with false information to their device.
“When a user syncs their contacts with the Vote Joe App they will be presented with a corresponding voter entry from the Biden campaign’s voter database. The contact data then enriches the database entry and is stored to help solicit their vote in the future. An issue occurs when the contact in the phone does not correspond with the voter but the data continue to enrich the voter database entry. By adding fake contacts to the device a user is able to sync these with real voters.”
Collecting voter data
The Vote Joe app also contains publicly available voter registration records, which are corroborated with an intelligent service called Target Smart, whose VoterBase product contains the contact and voting information of over 191m voters and 58m unregistered voting-age users. The service’s predictions are made available in the app using its API endpoint.
The App Analyst discovered that the API endpoint providing information to the Biden campaign’s app was also returning some additional fields. Not all of these fields were visible in the app’s interface but users could find a way to access Target Smart’s proprietary voter data which exposes past voter choices.
The team behind the Vote Joe app was notified by The App Analyst regarding the security flaws it contained at the beginning of September and the developers quickly received a patch to fix the issues in the iOS version of the app.
While the Vote Joe app contained its own set of problems, so too did the app created and distributed by the Trump 2020 campaign. The Trump campaign’s app was found to be exposing hardcoded secret keys for the Twitter and Google services it used back in June, and in August it was discovered that the app was collecting large amounts of user data.
Creating and distributing a mobile app is a great way to reach voters and get a candidate’s message out. However, collecting too much data about voters can leave their privacy at risk while also putting a candidate’s campaign on the line: if this data were to leak, the campaign that collected it would be responsible.