Please stop hard-wiring AWS credentials in your code. Looking at you, uni COVID-19 track-and-test app makers

Albion College has a plan for students to return safely to campus this fall amid the COVID-19 coronavirus pandemic. It involves being tracked by an app that, at least until a few days ago, appears to have been insecure.

The Michigan institution announced its plan on July 28, which calls for testing coordinated by Testing Centers of America and the use of a health monitoring app called Aura Sequential Testing.

"All students will utilize Aura, an app developed by Nucleus Healthcare, that organizes the College’s COVID-19 testing and public health approach," Albion said in a statement. "The app will ask for daily health self-monitoring inputs prior to campus arrival in August and will offer daily reminders about common public health measures that everyone should be taking."

The idea has not proven all that appealing. A petition created by "concerned parents of Albion" was posted four days ago to Change.org in the hope of getting the school to reconsider its policy. It objects to the plan which requires students, but not staff, to remain on campus for 14 weeks and be subjected to tracking, data gathering, and work restrictions.

"This protocol that STUDENTS ONLY are required to sign and abide by says that they will download an app that tracks their locations, that they will not leave campus for 14 weeks, agree to give Albion College medical information that is none of their business and that they will not have jobs off campus," the petition says.

Perhaps more concerning is that the Amazon Web Services access keys for the backend servers of the Android version of Aura were, it is claimed, accessible within the app's code. The credentials were found by an Albion College student, who asked to be identified by her Twitter handle Q3w3e3. The keys could, we're told, be used to access the app's backend data and virtual machines in the Amazon-hosted US-West-2 region, including people's COVID-19 test result and medical insurance information.

Q3w3e3, who said she made her Twitter account private following media inquiries about her posts, told The Register in a phone interview that she found the hardcoded AWS credentials stored within the Android app.

And she said it's quite possible the stored data has already been compromised because there are bots that regularly scrape the App Store and Google Play for apps with hardcoded credentials to exploit.

Q3w3e3 said she tried twice to report her security concerns to the maker of the application, though her calls were ignored. She also claims to have raised the issue with Albion College. But instead of receiving a direct response, the school appears to have sent out a general message reassuring its community that the app is safe.

Shortly after she posted about the flaw, a new version of the Android app was uploaded on Thursday, August 13. The AWS keys are no longer present in that version, Q3w3e3 said.

Aura collects quite a bit of data: identity information, contact information, technical information, demographic information, profile information, usage information, and marketing and communication information.

Nucleus did not respond to a request for comment. But the company claims in the Aura privacy policy that its app is HIPAA compliant.

Q3w3e3 expressed doubts about the company's ability to keep user data private, noting that the corporate entity named in the privacy policy, Nucleus Careers, LLC, is a recruiting company focused on machine learning and AI.

"They have no history I can find in secure healthcare," she said. "When it comes to the [Albion] policy, I think it's a good idea," said Q3w3e3. "But it needs to be well-implemented."

Albion College did not respond to a request for comment. ®