Privateness and Safety Evaluation of the IATA Journey Move Android App

We cowl basic questions on this report in an accompanying FAQ.
  • IATA Journey Move (ITP), a worldwide, opt-in app to obtain, retailer, and share digital COVID-19 check certificates for flights, has a crucial flaw in its registration course of which permits an attacker to impersonate one other person, needing solely to know the person’s passport particulars however not possess the passport itself. In accordance with the IATA this subject is the results of an intentional design choice to not confirm user-provided info on its servers to attenuate transmission of delicate private information. This flaw is presently circumvented by requiring customers to current their bodily passports alongside ITP.
  • ITP makes use of a blockchain-based know-how “Sovrin” to confirm the validity and authenticity of user-supplied digital COVID-19 check stories. Sovrin is certainly one of many “Self-Sovereign Id (SSI)” methods. SSI is an rising know-how that goals to interchange standard cloud-based identities with decentralized methods. ITP delegates essentially the most essential certificates issuance operate of SSI to an internet software managed by the corporate Evernym. This design nullifies the benefits introduced by a decentralized system.

Within the wake of COVID-19, governments and corporations all over the world are searching for methods to maximise the protection and safety of airline passengers, the workers of airways and airports, and the broader inhabitants with which passengers work together. These efforts embrace requiring COVID-19 testing, vaccination, or immunization previous to authorizing people for flights. Along with standard paper-based methods, varied digital options catering to this want have been developed by governments. In April 2021, near 50 airways have signed as much as trial ITP. For instance, the European Union developed the EU Digital COVID Certificates, which shops and verifies COVID-19 statuses by QR codes; Doan, a US-based firm, developed a cellular software VeriFL; and the Worldwide Chamber of Commerce developed AOKPass.

The Worldwide Air Transport Affiliation (IATA, a commerce affiliation of the world’s airways) has developed IATA Journey Move (ITP), a COVID-19 digital passport answer led by a world NGO. We performed a safety and privateness audit of the appliance and located two vulnerabilities: an impersonation vulnerability with restricted impression and a server info leak. We additionally discovered that ITP makes use of a non-conventional blockchain know-how in a means that largely neutralizes the advantages of the know-how, leading to a system with safety properties which might be basically the identical as standard server-client methods. This core know-how of the app is carried out by the corporate Evernym. This research provides to rising analysis on safety and privateness points with applied sciences and information privateness insurance policies for monitoring and managing COVID-19 info.

The Worldwide Air Transport Affiliation (IATA) Journey Move (ITP) is a cellular software with the objective of “[i]nforming passengers on what assessments, vaccines and different measures they require previous to journey, particulars on the place they will get examined and giving them the flexibility to share their assessments and vaccination ends in a verifiable, secure and privacy-protecting method.”

As soon as registered, customers are in a position to entry the app’s dwelling display screen:

Determine 1: ITP dwelling display screen

The house display screen contains the next options:

  1. Your Flights: Customers can search the flights they’re planning to take based mostly on carriers, date, and locations. As soon as a flight is chosen, ITP fetches and exhibits the journey necessities (resembling COVID-19 check varieties and check dates) for that vacation spot. These touring guidelines are offered by the IATA Timatic database.
  2. Paperwork: Customers can see their passport particulars and profile picture, which have been entered into the app in the course of the registration course of.
  3. Well being: After customers obtain verified COVID-19 check stories, they will entry them right here.
  4. Privateness: Customers can learn FAQs and see the historical past of their information sharing.
  5. Join: This characteristic is used when the person wants to speak with different events within the ITP ecosystem. It’s most prominently used when the person registers at a laboratory to take a COVID-19 check.

For extra rationalization and screenshots, Ethiopian Airways gives a complete demonstration video of ITP on YouTube.

ITP was efficiently trialed on its first worldwide flight on March 17, 2021. At present, it may be used on chosen flights by partnering airways.

To supply COVID-19 check outcomes, laboratories can register with IATA to affix the “Lab Community.” Laboratories will achieve entry to the “Lab App,” which is a web-based software.

For customers, touring with the ITP entails these basic steps:

  1. Register ITP with their private particulars and passport.
  2. Go to partnering laboratories and register their private particulars utilizing ITP earlier than taking COVID-19 assessments.
  3. Obtain check outcomes from the laboratory within the app.
  4. The app will inform the customers whether or not they’re eligible to journey.
  5. On the airport, workers will confirm the customers’ check outcomes.

Our evaluation combines reverse engineering the appliance and reviewing media stories and documentation from the IATA and Evernym web sites.

“Reverse engineering” is a basic time period used to explain strategies to dissect methods to grasp their inside workings. We used a mixture of static evaluation and dynamic evaluation.

Dynamic evaluation concerned runtime hooking, runtime instrumentation, and community site visitors evaluation. Static evaluation concerned analyzing this system’s supply code to grasp its behaviors and potential behaviors underneath sure situations. In this sort of evaluation, this system sits statically whereas we peek into its components, like taking batteries out of a clock, disassembling all of the gears, then observing the form of every gear.

Runtime instrumentation entails inspecting this system’s state at sure occasions of execution. It permits us to see what information is being handed round by this system at particular factors. Runtime evaluation is like attaching a bell to a spring in a clock: in the course of the clock’s operation, if the spring is actuated, the bell rings. We will deduce the spring’s capabilities by observing when the bell rings.

Runtime hooking takes the concept of runtime instrumentation additional. In runtime hooking, we not solely examine this system’s state, however we additionally change this system’s state or execution movement. For instance, we will hook a operate (“operate” right here may be understood as a small a part of this system) in this system which might usually return false, and alter the operate so that it’ll at all times return true. This course of is analogous to manually spinning gears in a clock to speed up the time that it shows. With the flexibility to change program execution movement, we’re in a position to skip execution of sure components of it or pretend outcomes generated by some operate. A standard software for runtime instrumentation and hooking is Frida, which is this system we used.

Our evaluation solely focuses on the Android model of the app. We didn’t check the iOS model.

Take a look at atmosphere:

  • Android 9 and Android 11
  • IATA Journey Move app
    • Model identify: 1.0.976
    • Model code: 976
    • Downloaded in July 2021
  • Android rooted with Magisk

On this part, we describe ITP’s backend system structure and its use of blockchain know-how.

Figure 2: Architectural diagram shown on the ITP website.
Determine 2: Architectural diagram proven on the ITP web site.

Determine 2 exhibits the interplay between the ITP app and different elements of the ecosystem. The passport particulars and profile photographs gathered in the course of the registration course of are solely processed and saved on the gadget itself. Afterward, when a laboratory completes a person’s COVID-19 check report, it’s despatched to ITP on the telephone for storage, as a substitute of a central server. When airways or border management must see the person’s check report, the person can present it to them on the display screen, or by scanning their QR code to ascertain a “connection”1 to ship it.

Nonetheless, what shouldn’t be proven on the diagram is the supplier of the core transmission and verification characteristic of check stories and passport particulars: Evernym. Evernym is an organization that gives options to subject, transmit, and confirm digital “verifiable credentials.” Verifiable credential is a know-how customary that specifies a machine-readable format for verifiable info. Basically, verifiable credentials2 are digital counterparts to the credentials which might be utilized in our day by day lives; as an example, driver’s licenses are used to say that we’re able to working a motorized vehicle, and college levels can be utilized to say our degree of training. In Evernym’s merchandise, verifiable credentials are carried out with “Sovrin.” Sovrin is a mission consisting of a number of of its personal requirements additional specifying the verifiable credentials format and communications, an open-source software program suite that implements Sovrin requirements, and a peer-to-peer community of computer systems forming the Sovrin blockchain.

Verifiable credentials may be issued on any topic by anybody, and they are often verified with out the verifier needing to work together instantly with the issuer or requiring a centralized authority. Verifiable credentials additionally permit for superior utilization, resembling selective disclosure. For example, if somebody was issued a driver’s license, which accommodates their identify, date of start, and the kind of automobile they’re licensed to function, when attempting to show, they might determine to not reveal their date of start. In verifiable credentials, belief is peer-to-peer, as anybody can subject credentials on any topic, however additionally it is as much as the verifier of the credentials to determine who and what to belief. Verifiable credentials will also be saved offline solely (with no need a replica at a central registry) and transmitted when wanted (as an example, when the prover needs to show to the verifier, the prover can ship the credentials on to the verifier, very like once we current our drivers’ license to a roadside police).

Collectively, verifiable credentials, Decentralized Identifiers, and different digital applied sciences are used as constructing blocks to supply a “Self-Sovereign Id (SSI)” system. It’s usually acknowledged that for an id system to be self-sovereign, customers management the verifiable credentials that they maintain and their consent is required to make use of these credentials. This design reduces the unintended sharing of customers’ private information. SSI is contrasted with a centralized id paradigm the place id is offered by some centralized entities. For example, the OAuth protocol carried out by Google and Fb gives id methods for different purposes to depend on, in order that customers might log in to the appliance with their Google or Fb account.3

Within the case of ITP, verifiable credentials are issued by laboratories to attest the customers’ COVID-19 check outcomes, and likewise by the ITP app put in on the customers’ telephones to attest their passport id. Throughout registration, ITP points a credential testifying that ITP represents the proprietor of these inputted passport particulars (ITP can subject the credential on itself, with out contacting any exterior companies). When ITP establishes a reference to laboratories or border management, customers can share their passport particulars within the type of a verifiable credential. On the laboratories, they subject COVID-19 check outcomes of the check topic id beforehand shared with them, additionally within the type of verifiable credentials. Lastly, on the airport, customers can share their passport verifiable credential (issued by ITP itself) and the COVID-19 check end result verifiable credential (issued by the laboratories), and the border management or airline can confirm that the COVID-19 check end result credential is issued by an authorised laboratory, and likewise that its content material has not been tampered with. Be aware that, the verification course of on the airport that we simply described is just one of many doable strategies that airways and border authorities are literally utilizing. We would not have ample info on the precise verification course of.

Laboratories use the Lab App to obtain customers’ passport id credentials and subject verifiable credentials of customers’ COVID-19 check end result. Evernym has a product known as “Verity Stream,” which is a customizable internet app that permits issuing verifiable credentials from a graphical person interface. ITP Lab App is the primary deployment of Verity Stream. In accordance with Evernym, Verity Stream is “offered on a SaaS foundation, hosted in Evernym’s cloud infrastructure.” Verity Stream was designed to fulfill the wants of laboratories, who are likely to have minimal IT capability.

As for Timatic, it’s a web-based database of journey laws offered by IATA. After the person receives their digital COVID-19 check report, ITP queries the Timatic database to see if the check date, sort, and laboratory fulfills the regulatory necessities of their vacation spot.

A person is required to finish 9 steps to register an account on ITP. In an effort to perceive the crucial flaw we recognized within the ITP registration course of, it’s essential to be aware of every of those 9 steps. This flaw permits an attacker to bypass step 5 and step 8, which in flip permits an attacker to register an ITP account with out possessing a sound passport.

This part gives an outline of the registration course of.

Step 1: Invitation code

On first startup, the app requires customers to enter a 6-digit invitation code. The invitation codes are offered by the airways. We discovered that the invitation code submitted by the person was by no means despatched out of the telephone. Subsequently, the app should know if a given code is legitimate, and it’s probably that the set of legitimate codes is hard-coded someplace within the supply code. We weren’t in a position to find the legitimate codes by way of static evaluation, so we developed a Frida script to intercept the legitimate codes. As soon as the code was identified, we entered it by way of the person interface and have been in a position to cross this step of the registration course of.

Following this evaluation, in July 2021 we discovered that the invitation codes for each the Android and iOS variations of the app have been accessible from Etihad Airways (hyperlink to snapshot) and Azerbaijan Airways’ (hyperlink to snapshot taken in August) web sites.

Often, apps incorporate invitation codes to permit solely invited customers. Having the codes on public web sites defeats this objective. Maybe realizing the error, each airways eliminated the codes from their web sites once we checked on November 15, 2021. In accordance with IATA, the invitation code was launched for 2 causes:

  1. To restrict the variety of simultaneous customers as IATA weren’t but able to scale.
  2. To keep away from passenger disappointment as just some flights for chosen airways taking part within the trial can be found. In any other case they could set up the app and be pissed off to not discover their flight.

Step 2: Signal-in with Google

After coming into the proper invitation code, the app exhibits a login display screen, which requires the person to log in with their Google account:

Figure 3: Text on the bottom says “Log in with Google account”
Determine 3: Textual content on the underside says “Log in with Google account”

On this log-in course of, ITP depends on Google to inform it whether or not the person is authenticated. This design reduces the burden for ITP to implement an full account system, and removes the necessity for customers to create and keep in mind one other set of account credentials.

The app will log the person out after a interval of inactivity. The login requirement goals to forestall different folks from accessing and utilizing the proprietor’s information and id.

Beneath, the login operate is carried out utilizing a service offered by Auth0. The Auth0 service basically serves as a proxy for login requests. This fashion, apps solely must combine with Auth0, with no need to combine with every particular person id supplier. This makes it simpler for app builders to combine a number of id suppliers. (Nonetheless, ITP is just utilizing one id supplier, Google.) Auth0 additionally gives a client-side library for integration into the app, which ITP makes use of.

Step 3: Fingerprint studying

After logging in with Google, the app invokes a system immediate requesting the person’s fingerprint. In accordance with our static code evaluation, the app itself is unable to acquire the person fingerprint on this course of. As a substitute, the working system will solely inform the app if the fingerprint is allowed by the system. If no fingerprint is registered with the system on the time and if the telephone helps studying fingerprints, the system will instruct the person to register one.

Upon subsequent profitable authentication from Google OAuth4, the app at all times requires the person to enter their fingerprint. We imagine this requirement is about up in tandem with the Signal-in with Google requirement, which goals to ensure the individual working the telephone is the proprietor of the telephone.

Subsequent, ITP asks for the person’s consent and settlement to the Phrases & Situations.

Step 5: Profile picture

The app asks the person to take a profile picture utilizing the telephone’s entrance digicam.

We first tried to take a photograph of a clean wall and ship it. The app confirmed a generic error message asking us to strive once more, indicating that the server software program does truly test for a face.

To proceed our check, we used the web site This Individual Does Not Exist , which hosts an algorithm that generates real-looking faces, then took an image of the generated face from ITP. The ITP server accepted the image.

Step 6: Liveness check

The app opens the entrance digicam, and asks the person to “transfer their head, shut their eyes in

entrance of the digicam as instructed.” In accordance with IATA, the liveness check is used to be sure “You aren’t a robotic or one other particular person and to forestall (sic) You aren’t taking an image of an image to enroll.”

When testing this characteristic, we seen the community site visitors was comparatively quiet. Within the Android log output (adb logcat) we seen a variety of messages referencing Google’s Firebase ML Equipment. We subsequently concluded that the liveness check is processed fully on-device, which suggests the video information of the person’s face is analyzed utilizing the gadget’s processor. The results of the evaluation might be both cross or fail. If the result’s “cross,” the app proceeds to the subsequent step.

Due to this attribute, we have been in a position to modify the app to instantly return the “test handed” end result. This allowed us to bypass the liveness check. The modifications we made are detailed within the following part “Bypassing liveness check.”

Step 7: MRZ scanning

Figure 4: ITP instructs the user to scan their passport MRZ.
Determine 4: ITP instructs the person to scan their passport MRZ.

The app opens the again digicam and instructs the person to scan their passport Machine Readable Zone (MRZ). The MRZ is an space on paper passports printed with characters in a selected format. It’s designed to be scanned optically, that’s, a scanner will take a “picture” of the world, and use a pc program to acknowledge characters within the picture, then decode these characters into totally different fields. This course of is called Optical Character Recognition (OCR).

The passport MRZ accommodates the next information:

  • Given identify
  • Household identify
  • Passport quantity
  • Date of start
  • Nationality
  • Intercourse
  • Private quantity (could also be utilized by the issuing nation because it needs)

ITP additionally gives an choice for the person to skip MRZ scanning and enter passport particulars manually.

We tried to enter the information manually, and when saving, we noticed no community site visitors sending the entered information. This end result signifies that the passport information is just saved on-device.

Step 8: Passport NFC chip studying

Figure 5: ITP instructs the user to scan their passport chip.
Determine 5: ITP instructs the person to scan their passport chip.

The app instructs the person to faucet their telephone on their passport NFC (Close to Discipline Communication) chip. The chip is embedded within the passport booklet. A scanner communicates to the chip by sending radio waves to the booklet, which powers the chip and sends instructions on the similar time. The chip processes the instructions and sends again a response utilizing radio waves, which is processed by the scanner to decode information. The chip and its communication observe the ICAO Doc 9303 customary. The chip shops all text-based information that’s printed on the passport, a digitally-encoded profile picture, and digital signatures that helps with verifying the information.

In accordance with ITP’s Privateness Coverage, the profile picture learn from the passport NFC chip might be in contrast with the profile picture taken in an earlier step, and likewise in contrast with the picture taken in the course of the liveness check. This comparability is designed to ensure that the person of the telephone is definitely in possession of the bodily passport booklet, for the reason that person is ready to enter arbitrary information within the earlier step, however it will be a lot tougher for the person to pretend a passport NFC scan.


Figure 6: Usage of passport data from ITP Privacy Policy
Determine 6: Utilization of passport information from ITP Privateness Coverage

To check this step, we developed a Frida script to ship pretend NFC scan outcomes to ITP, which we element in later sections. By doing so, we found that solely the avatar picture contained within the chip was despatched to IATA’s servers, however not the passport particulars. As indicated by its Privateness Coverage, it’s probably in contrast with the profile picture taken in step 5, to verify the individual taking the profile picture is definitely the passport holder.

The passport chip studying gave the impression to be fairly unreliable, barring many customers from finishing registration. This was an issue talked about in lots of Google Play Retailer critiques.

Step 9: Full registration

After scanning the passport chip, the registration is full, and the person is directed to the app’s dwelling display screen.

Abstract of Personally Identifiable Information collected by ITP

By the registration ITP processes the next items of personally identifiable information (PII):

  1. Fingerprint
  2. Full identify
  3. Passport quantity
  4. Date of start
  5. Passport expiry date
  6. Nationality

Private identifiable information despatched out of the gadget contains:

  1. Google account quantity is distributed to Auth0 and Google
  2. The profile image taken in step 5 is distributed to IATA servers
  3. The avatar picture embedded within the passport’s NFC chip is distributed to IATA servers

As described in earlier sections, the liveness check throughout registration is processed fully on-device. Additional, the app doesn’t test the authenticity of the information learn from passport NFC chips. These design flaws allowed us to register an account utilizing fully pretend names, profile footage and different private info. On this part, we clarify our strategies and focus on the impression of this loophole.

Bypassing liveness check

To bypass the liveness check, one must know the way the app works internally in a standard operation movement. By static evaluation we realized that two elements of the app are concerned within the liveness check course of: a view element and a tester element. The view element is answerable for controlling and displaying the person interface, in addition to launching the tester element. The tester element is answerable for truly processing the video stream from the digicam to inform if it passes or fails the liveness check.

Usually, when the tester element completes processing the video and considers the end result handed, it sends a sign to the view element. When the view element receives the “cross” sign, it adjusts the person interface to point out the subsequent registration step, and likewise edits a price within the app’s database to mark passage of the liveness check.

To bypass the liveness check, we merely despatched a pretend “cross” sign to the view element. This sign is achieved by attaching a Frida script to the app.

One solution to stop bypass of the liveness check is to file movies of customers performing specified head-tilting actions, and importing the movies to the server for willpower. Nonetheless, this methodology provides a variety of bandwidth necessities and collects far more information from the person. It additionally may nonetheless be bypassed by customers importing pretend movies.

Faking a passport NFC scan

Just like the liveness check, the passport NFC scan is carried out with a view element and a tester element. The tester element first launches a NFC scan by sending a “scan request” to the system NFC service. (Within the meantime, it additionally sends a sign to the view element telling it to point out the “scanning” message.) Upon finishing the scan, the system NFC service returns the uncooked information, which is parsed by the tester element into varied passport information fields and the profile picture. Then, a completion sign known as “PassportDataFetched” is distributed to the view element. Totally different from the liveness check, the completion sign on this case additionally accommodates the passport particulars. After receiving the passport particulars from the PassportDataFetched sign, the view element compares them with the information obtained from the sooner MRZ scanning (or handbook entry). If the information information match, the app concludes the person is in possession of the bodily passport booklet, which fulfills the registration standards.

To bypass the passport NFC scan, we despatched a pretend PassportDataFetched sign to the NFC scan view element, which is analogous to how we bypassed the liveness check. Solely on this case, we have to moreover assemble pretend information and fasten them with the sign.

In our pretend information, we made certain that:

  1. The passport expiry date is sooner or later.
  2. The profile picture accommodates the identical face that we provided in an earlier registration step, as a result of this profile picture might be despatched to the server for comparability.

Our script efficiently faked a passport NFC scan, ensuing on this display screen:

Figure 7: Success message after faking a passport NFC scan
Determine 7: Success message after faking a passport NFC scan

 An answer that stop attackers from faking passport scans is to add the entire information together with digital signatures learn from the passport NFC chip to the server, and test the signatures on the server (the test shouldn’t be carried out on the consumer as a result of in that case it will even be prone to modification by faking a “test handed” standing). NFC passports present such digital signatures permitting the readers to test the authenticity of the information (figuring out whether or not the learn information is equivalent to the information initially issued by the nation authority), known as Doc Safety Object (SOD). The method of authenticating information utilizing the SOD is laid out in ICAO Doc 9303 Half 11 Chapter 5.1 “Passive Authentication.” And the general public keys which might be wanted for authentication may be discovered within the ICAO PKD Grasp Checklist. Information authentication drastically will increase the issue to pretend passport information, whereas concurrently giving the server entry to extremely delicate private info.


The power to bypass liveness check and passport NFC scan permits an attacker to register ITP accounts solely needing the sufferer’s passport particulars, however not the bodily passport. If ITP accounts are used as the only id credential in physical-world conditions, attackers will be capable of use another person’s id to hold out these actions. There are three conditions that require the traveler to show their id:

  1. Registering with a COVID-19 check laboratory earlier than taking a check
  2. Checking in on a flight
  3. Passing border management

We inquired with IATA concerning every of those conditions. IATA responded that the impersonation assaults in these conditions are usually not possible both as a result of the digital passports weren’t used or as a result of bodily passports have been additionally checked. (IATA’s full response is listed in Appendix 1.)

When registering with a laboratory, IATA notes that “bodily passports are required to make sure that the individual current on the lab is the individual holding the telephone, exhibiting the bodily passport permits the lab agent to confirm that the identify and the passport image match the small print obtained on the Lab App display screen and the face of the individual in entrance of them.

When checking in to a flight, IATA explains that no airways are utilizing the digital passport characteristic for passenger test ins.

After disclosing the problems with the liveness test we discovered IATA is conscious of the restrictions and that these have been “a enterprise choice”. They word that:

“we might implement a better degree of face matching and stronger controls to forestall bypassing the biometrics or to validating the passport authenticity, however in the meanwhile, we don’t need the app for use to cross border controls nor to interchange them, subsequently these safety ranges are usually not required. They make the person expertise very tough and the onboarding onto the app painful, At present, the precedence is given to ease the passenger journey expertise by permitting them to make sure that they’ve all of the required journey paperwork for his or her journey (well being certificates) – the app is an assistant to the passenger, not a controller”.

The outcomes of the liveness check and passport NFC scans, and passport particulars, are used to create a “digital passport” in ITP. This characteristic is talked about on the primary webpage of ITP, the place IATA states one of many functionalities of the app: “Permits passengers to (1) create a digital passport”. In a press launch, IATA states “World requirements acknowledged by governments to make sure verified id and check/vaccine info” as one of many key design parts of ITP, underneath which it additional explains the digital passport characteristic:

“Verified id: A government-issued ePassport is used to confirm the id of the person. It additionally serves to create a digital illustration of the person’s passport to permit the data to be despatched electronically in a secured means that’s linked to their verified id. The important thing to this are world requirements developed by the Worldwide Civil Aviation Group (ICAO) which match biometric passport information and a selfie taken by the person. This creates a Sort 1 digital journey credential (a verified digital establish**) according to ICAO requirements”.

ITP doesn’t comprise a digital passport module on its dwelling display screen. We expect the digital passport is probably going solely referring to a verifiable credential (i.e., a file) that accommodates the passport particulars entered throughout registration. The verifiable credential could possibly be despatched over to a verifier when wanted.

From the internet web page descriptions and FAQ doc, it gave the impression of certainly one of ITP’s targets is to interchange bodily passports.5 If this was the case, the impersonation vulnerability we discovered would have a a lot wider impression. Nonetheless, we discovered this was not the case after our correspondence with IATA clarified that “…in the meanwhile, we don’t need the app for use to cross border controls nor to interchange them…”

In accordance with ICAO requirements, Digital Journey Credential (DTC) Sort 1 is derived from an current journey doc and the traveler should have their bodily passport (eMRTD) of their possession whereas touring.

In abstract, regardless of its descriptions, the ITP digital passport presently solely serves as an unverified digital model of the bodily passport. It’s presently solely used when the person registers with a COVID-19 testing laboratory to take a check. And, on this state of affairs, in keeping with IATA’s response to us: “bodily passports are required to make sure that the individual current on the lab is the individual holding the telephone, exhibiting the bodily passport permits the lab agent to confirm that the identify + the passport image match the small print obtained on the Lab App display screen and the face of the individual in entrance of them.”

After an account is created, the person’s subsequent step is to go to a laboratory to check for COVID-19 an infection. To ensure that the laboratory to ship check outcomes to the person’s ITP app, the person should first register their account with the laboratory. On this part, we first clarify the person movement, then current our evaluation of its inside workings.

Upon arriving, the person must scan a QR code offered by the laboratory, as may be seen in IATA’s demonstration video. The QR code scanner may be launched by urgent “CONNECT” on the ITP dwelling display screen.


Figure 8: The user scans a QR code provided by the laboratory.
Determine 8: The person scans a QR code offered by the laboratory.

 The QR code factors to a URL which accommodates info wanted to ascertain reference to the laboratory. ITP will fetch that info, which features a record of knowledge gadgets required by the laboratory to register the person, and ask if the person want to share these information gadgets, as seen within the screenshot under.

Figure 9: ITP asks if the user wants to share data with the laboratory.
Determine 9: ITP asks if the person needs to share information with the laboratory.

In our case, clicking the “SHARE DATA” button resulted within the error message “We have been unable to get info from that url.” This was probably as a result of the QR code from the video is just for demonstration. To advance our investigation, we tried to search for different URLs utilized by laboratories in manufacturing. We seen the QR code from the demonstration video truly contained the URL “”, and it redirects to an extended URL “…”.

Primarily based on the statement that “” is a URL shortening service, and that URL shortening companies normally produce quick URLs in the identical format, we developed a program to scan all 5-character “A” to “Z” mixtures underneath We have been in a position to uncover many extra URLs. One URL that we discovered was, which redirects to “…”. The “label” on the response confirmed “G42 Abu Dhabi,” which is a COVID-19 testing laboratory within the United Arab Emirates. From IATA’s record of “Lab Community companions,” G42’s emblem can be listed.

We generated a QR code containing the URL we simply discovered and used ITP to scan it. ITP displayed an identical display screen which listed the identify “G42 Abu Dhabi” and the requested information gadgets. We clicked “SHARE DATA.” This time there have been no error messages, which exhibits that we have now efficiently registered with the laboratory.

With the community communication captured on this course of, we recognized that ITP was utilizing the Aries protocol, which is a protocol constructed on prime of HTTP and JSON Internet Encryption (JWE), designed to transmit verifiable credentials. Numerous API calls to Evernym have been additionally made.

The Aries protocol makes use of JWE to construct one other layer of encryption on prime of the HTTPS that we have been already in a position to intercept and decrypt. Theoretically, we’re additionally in a position to decrypt the JWE encryption, nonetheless, this may be a tedious process. Subsequently, we determined to proceed our evaluation based mostly solely on the Aries protocol documentation, which paperwork the communication steps intimately, and the Evernym product documentation, which paperwork the API name capabilities and codecs offered by Evernym.

By learning the documentation, we pieced collectively the steps that have been concerned when ITP registers with the laboratory:

  1. The person scans a QR code offered by the laboratory. The QR code accommodates a URL resulting in an invite to share information with the laboratory. The invitation additionally accommodates fundamental details about the inviter and the information fields it requests the person to share. Upon receiving the invitation, ITP exhibits the invitation on display screen for the person to determine whether or not to share information.
  1. The person clicks the “SHARE DATA” button. ITP will then encrypt and ship these requested information fields to the laboratory. ITP additionally must make itself reachable for future messages from the laboratory. Nonetheless, the gadget operating ITP could possibly be switched off and develop into unreachable. Subsequently, ITP contacts Evernym to provision an always-online program known as a “cloud agent.” The cloud agent acts like a mailbox: it receives all messages destined to ITP and shops them till ITP comes on-line to fetch them. With the information despatched again to the laboratory, ITP additionally instructs the laboratory to ship all future messages to the cloud agent.

These steps full ITP’s registration with the laboratory.

Receiving check outcomes

Since we didn’t truly go to the laboratory and take a COVID-19 check, we have been unable to check additional interactions in observe. We clarify the next process based mostly on what we realized learning the Aries protocol documentation and Evernym product documentation.

After the laboratory completes processing the person’s COVID-19 check outcomes, it generates a check end result certificates in verifiable credentials format and indicators the certificates with its distinctive digital signature. Then, the certificates is distributed to the person specified cloud agent. The cloud agent shops the certificates till ITP comes on-line and fetches the certificates. Be aware that the cloud agent is unable to see the certificates content material as a result of it’s encrypted.

We didn’t discover public info documenting how the verification process works in observe. Thus, we additionally depend on our static evaluation and studying of Aries and Evernym documentation to reconstruct the verification process. Subsequently, the process outlined on this part could also be totally different from what is definitely carried out by verifiers.

As soon as ITP receives the certificates, it’ll retailer the certificates in its native database. When a verifier must confirm the certificates, the person should additionally “join” with them by urgent the “CONNECT” button and scanning the QR code offered by the verifier. As soon as the QR code is scanned, the information fields requested by the verifier, which now might embrace fields from the COVID-19 check certificates, are exhibited to the person. The person wants to verify sharing by urgent a button. This motion sends the requested information fields over to the verifier.

To confirm the information, verifiers will test the digital signature hooked up with the information and fetch info from the Sovrin blockchain to ensure the information obtained (COVID-19 check certificates) had not been revoked by the issuer (laboratory).6 The supposed verifiers of ITP customers’ COVID-19 check outcomes are airways and border controls, in keeping with IATA.

We additionally found that Evernym gives a web-based “Airline App,” which could possibly be utilized by airways to confirm ITP customers’ COVID-19 check outcomes. Nonetheless, when requested concerning the Airline App, each IATA and Evernym said that to their information it’s not presently utilized by any airways.

IATA offered no additional particulars apart from that “Verifiers are utilizing the Verifiable Credentials know-how offered by Evernym to authenticate and validate the information obtained.”

Primarily based on this info there are two probably strategies that the verifiers are presently utilizing to confirm ITP customers’ COVID-19 check certificates. First, verifiers might ask the person to point out the digital COVID-19 certificates they obtained in ITP and visually examine the person’s display screen. This methodology is extraordinarily unreliable and will permit solid certificates to slide previous the test, as a result of as we have now proven, it’s technically doable to change ITP’s execution movement. An attacker might alter the show logic of ITP and present a certificates that appears legitimate on display screen, and even use extra rudimentary strategies like modifying a screenshot of ITP.

Second, verifiers might depend on a standalone “verifier software” operating on computer systems or telephones. The standalone software would independently confirm the certificates with out counting on a centralized authority like Evernym to inform it the solutions. Since ITP follows the verifiable credential and Sovrin open requirements, so long as the verifier software additionally follows the requirements, it will be capable of accurately confirm certificates (given a listing of trusted issuers). In our research of verifiable credentials and Sovrin specs, we didn’t discover severe loopholes permitting forgery of certificates or improper verification of certificates. So, if the verifier software is carried out carefully in keeping with the requirements, it ought to be capable of accurately confirm certificates and spot solid ones. Nonetheless, the usage of a standalone verifier software is only hypothetical, as we didn’t see any point out of one thing comparable all through our analysis.

There’s additionally a possible verification methodology that doesn’t contain ITP in any respect: checking the customers’ paper COVID-19 check certificates. In our correspondence IATA careworn to us that even when utilizing ITP, “Airways don’t lose the flexibility to confirm COVID-19 check outcomes by way of different strategies, together with visible inspection of offered documentation.”

The verification course of is essential to any reliable credential system. Out of the three doable verification strategies above, solely the second methodology truly makes use of the technical ensures of verifiable credentials to enhance system trustworthiness. Within the different two situations, the verifiable credentials know-how is fully sidelined. It might have made little distinction to system trustworthiness if verifiable credentials know-how have been fully faraway from it.

The “Your Flights” module permits customers so as to add their flights, question the journey necessities for his or her locations, and robotically test if the COVID-19 check taken meets the journey necessities. If the person has not entered their upcoming flights earlier than registering with the laboratory, the interface will immediate them to take action.

Including a flight entails 4 steps:

  1. The person clicks “Add a flight” within the “Your Flights” module.
  2. The app queries its “airways API” for a listing of taking part airways. The airways API returns two sorts of airways that are utilizing totally different “handlers”: “INTERNAL” handler and “COLLINS” handler. The “COLLINS” handler probably refers back to the TransAction passenger administration software program produced by Collins Aerospace. The record of airways is introduced to the person as an choices record.
    1. If the person selects an airline utilizing the “INTERNAL” handler, a date picker might be proven for the person to pick their flight date.
    2. If the person selects an airline utilizing the “COLLINS” handler, a textual content enter field is displayed for the person to enter their reserving reference code.
  3. The app queries its “flights API” with information entered within the earlier step, to acquire a listing of flights for person choice.
    1. For the “INTERNAL” handler, the service code and date of flight are despatched.
    2. For the “COLLINS” handler, the reserving reference code, household identify, and given identify are despatched.
  4. The app queries the Timatic API with the flight chosen. The API returns the journey necessities, and the app exhibits them on a popup. (We might solely check this step with airways utilizing the “INTERNAL” handler, since we would not have a flight reserving reference code.)

In step 3, when testing the “COLLINS” handler, we seen that it sends the person’s household identify and given identify together with the reserving reference code:

GET /flight?service=NZ&bookingIdentifier=MFB7EH&familyName=SAMPLE&givenNames=DANIEL&date=2022-01-17T00:00:00Z HTTP/1.1
Authorization: [SNIP]
Connection: shut
Settle for-Encoding: gzip, deflate
Person-Agent: okhttp/4.9.0

These private information appear to be essential to fetch the person’s flight reserving particulars, which might be used later in step 4.

In step 4, we captured an HTTP request sending the person’s start date, nationality, and passport expiration date to the IATA server:

POST /guidelines/timatic-check HTTP/1.1
Authorization: [SNIP]
Content material-Sort: software/json; charset=UTF-8
Content material-Size: 220
Connection: shut
Settle for-Encoding: gzip, deflate
Person-Agent: okhttp/4.9.0

{"origin":"AUH","vacation spot":"MXP","departureDate":"2022-01-31T08:55:00","birthDate":"1970-11-11","nationality":"CAN","service":"EY","flightNumber":"81","passportExpiry":"2030-01-01","arrivalDate":"2022-01-31T12:10:00"}

This private information appears to be essential to test the entry necessities.

The non-public information despatched in step 4 shouldn’t be specified within the privateness coverage, nor anyplace on the person interface. This information switch subsequently might come as a shock to most customers and runs counter to the mannequin of sharing private information with laboratories, during which customers are prompted to supply their consent.

We found an info leak vulnerability within the profile picture add API, which known as when the person uploads their profile picture throughout registration. If we intercept and modify the request content material to comprise malformed picture information like this request:

PATCH /picture/ HTTP/1.1                                                                                                                                                         
Authorization: [SNIP]                                                                                                  
Content material-Sort: software/json; charset=UTF-8                                                                                                                                                                      
Content material-Size: 398711                                                                                                                                                                                             
Connection: shut                                                                                                                                                                                                  
Settle for-Encoding: gzip, deflate                                                                                                                                                                                     
Person-Agent: okhttp/4.9.0


We obtain a “HTTP/1.1 400 Dangerous Request” response from the server containing the error message and further info:

{"standing":400,"message":"Request has invalid picture format","stack":"InvalidImageFormatException: Request has invalid picture formatn    at Request.extractError (/app/node_modules/aws-sdk/lib/protocol/json.js:52:
27)n    at Request.callListeners (/app/node_modules/aws-sdk/lib/sequential_executor.js:106:20)n    at Request.emit (/app/node_modules/aws-sdk/lib/sequential_executor.js:78:10)n    at Request.emit (/app/     
node_modules/aws-sdk/lib/request.js:688:14)n    at Request.transition (/app/node_modules/aws-sdk/lib/request.js:22:10)n    at AcceptorStateMachine.runTo (/app/node_modules/aws-sdk/lib/state_machine.js:14:    
12)n    at /app/node_modules/aws-sdk/lib/state_machine.js:26:10n    at Request. (/app/node_modules/aws-sdk/lib/request.js:38:9)n    at Request. (/app/node_modules/aws-sdk/lib/request.  
js:690:12)n    at Request.callListeners (/app/node_modules/aws-sdk/lib/sequential_executor.js:116:18)","code":"InvalidImageFormatException","identify":"InvalidImageFormatException"} 

The response not solely specified “Request has invalid picture format,” but additionally confirmed us the precise strains of server-side software program code and path names of the supply code information (i.e., a “backtrace”) at which this test was carried out and failed. This info shouldn’t be vital for the consumer to operate and is taken into account delicate to the server. Whereas this info doesn’t comprise any private information and discovery of it doesn’t instantly result in a server compromise, it might nonetheless help exploitation.

We disclosed this vulnerability to IATA on November 18, 2021. On November 26, IATA communicated to us that the vulnerability had been fastened, which we confirmed.

We analyzed ITP’s Privateness Coverage and Phrases & Situations. The Privateness Coverage outlined the assessments that distributors must endure; nonetheless, it didn’t point out Evernym in any respect, who implements the core operate of ITP. The coverage didn’t record any of the information processors we discovered, which incorporates at the least Evernym, Collins Aerospace, Auth0, and Google, in keeping with our findings. In accordance with the GDPR, information controllers shall present info on the recipients of the non-public information.

Additionally, to our understanding, ITP’s Privateness Coverage covers solely the scope of the app and doesn’t cowl situations resembling when customers use ITP to share their info with laboratories and airways. Nonetheless, in these situations, ITP gives no mechanism for the laboratories and airways to point out customers their privateness insurance policies. It might be as much as these recipients to implement strategies outdoors of the app to current privateness insurance policies to the customers.

Digital passport design and caveats

Our analysis exhibits that it’s doable to create impersonated ITP digital passports. In our disclosure engagements with IATA they said:

“We’re conscious of the limitation of the liveness test and this can be a enterprise choice.

We might implement a better degree of face matching and stronger controls to forestall bypassing the biometrics or to validating the passport authenticity, however in the meanwhile, we don’t need the app for use to cross border controls nor to interchange them, subsequently these safety ranges are usually not required. They make the person expertise very tough and the onboarding onto the app painful.

At present, the precedence is given to ease the passenger journey expertise by permitting them to make sure that they’ve all of the required journey paperwork for his or her journey (well being certificates) – the app is an assistant to the passenger, not a controller”.

IATA’s statements present that ITP digital passports weren’t designed to be as reliable as a bodily passport. This design choice is comprehensible since it will require far more private info to be despatched over to the server for verification to achieve the identical degree of trustworthiness as bodily passports. This extra publicity will increase the chance of knowledge breaches.

Nonetheless, this limitation makes the identify “digital passport” deceptive, as a result of it shouldn’t be trusted on the identical degree as bodily passports. Verifiers should not take the digital passport as reliable info and at all times confirm the bodily passport. Failure to take action will permit impersonation to go unchecked. Up to now, based mostly on IATA’s statements, every time the ITP digital passport is used, bodily passports are at all times checked. Nonetheless, as ITP expands to extra airports and probably different use circumstances, verifiers should take care to ensure bodily passports proceed to be verified.

For the reason that digital passport have to be cross checked with a bodily passport throughout id verification, it basically serves no safety objective. In different phrases, there can be no lack of safety if the digital passport was fully omitted from the method.

Centrally-managed non-public signing keys and Lab App

Laboratories taking part within the ITP program subject digital COVID-19 check certificates utilizing the Lab App, which is an internet software offered by Evernym on a SaaS (Software program as a Service) foundation. Issuing requires the certificates to be digitally signed utilizing a personal key. Every non-public key has a corresponding public key, which could possibly be used to confirm whether or not a signed certificates is genuine (i.e., signed by the non-public key). By correspondence with Evernym, we realized that the Lab App shops and manages the non-public keys on behalf of the laboratories.

Storing non-public keys within the Lab App basically provides Evernym full management over the certificates issuing course of. If the Lab App was ever compromised, it could possibly be used to subject rogue certificates. Even when it’s working usually, Evernym will be capable of see the total content material of the communication between the laboratories and the ITP app, which incorporates passport particulars and COVID-19 check outcomes. Though this isn’t a vulnerability itself, it does nullify many of the advantages introduced by the peer-to-peer verifiable credentials know-how, and make the system similar to a traditional centralized system.

If ITP laboratories retailer and handle their non-public keys on their very own, and subject certificates utilizing these keys, no central authority would be capable of know something concerning the issued certificates nor the non-public info of the certificates holders. If one laboratory’s key was compromised, different laboratories wouldn’t be affected. Nonetheless, a person laboratory is unlikely to own the technical experience to guard the non-public keys on the identical degree as a central administration authority like Evernym. These difficulties are a central problem in selecting between a centralized and decentralized system structure.

We lack the technical particulars on ITP’s implementation to confirm check outcomes. If a centralized internet software much like the Airline App was used, Evernym can be answerable for each the issuing and verification of COVID-19 check stories. In comparison with the standard paper-based issuing and verification system, this design consolidates the ability held by the issuer (laboratories) and verifier (airways and border management) into one entity. Even when a standalone verifier software was used, based mostly on IATA’s statements, it’s nonetheless utilizing the know-how offered by Evernym, and that also provides Evernym a variety of management. The standalone software might malfunction, or be biased in the direction of trusting certificates issued by Evernym’s Lab App.

Briefly, ITP’s present low-level system structure is decentralized; nonetheless, it’s encapsulated by a centralized high-level interface. If operated by way of the centralized interface, the system possesses the identical set of safety and privateness properties as standard centralized methods.

One probably cause for why Evernym carried out a centralized interface is to take away the burden on laboratories to securely handle their non-public keys. Additionally, laboratory workers want a easy and steady graphical interface to add check outcomes, which could possibly be achieved extra simply with a centralized interface slightly than a peer-to-peer consumer program.

For the reason that low-level system is predicated on an open peer-to-peer customary, anybody with technical capabilities might theoretically construct a appropriate consumer. To our information, Evernym’s Lab App can be only a standard-complying consumer to the peer-to-peer protocol. When laboratories really feel the necessity, they will swap to totally different shoppers that permit them to handle their very own non-public keys.

The way forward for Self-Sovereign Id (SSI)

Aside from COVID-19 passports, SSI have many different use circumstances. Eventualities the place the necessities of a id system may be mapped onto the next mannequin may be carried out with SSI:

  • there’s a credential that must be proved by the prover
  • a credential may be issued by an issuer to the prover
  • a verifier must confirm authenticity and integrity of the credential offered by the prover

These options make SSI extremely versatile. For example, it may be used to subject diplomas, monetary statements, driver’s licenses, entry permits (to a constructing or nation), and lots of extra. This versatility attracts implementers in numerous fields to judge the adoption of SSI, or to interoperate with it. For example, there have been discussions on how the Pan-Canadian Belief Framework7 drafted by the Digital ID & Authentication Council of Canada (a impartial discussion board) can map to SSI fashions. The federal government of British Columbia, Canada can be trialing “OrgBook,” a listing service (of legally registered organizations) based mostly on Hyperledger Indy, a SSI platform. Inside the European Union, there are additionally experimental SSI-based id system tasks that intention to interoperate with nationwide id methods, such because the European Self-Sovereign Id Framework (ESSIF).

The issues we present in ITP are usually not inherent to SSI, however slightly particular to this implementation of SSI. Nonetheless, an incorrectly carried out occasion of SSI might consolidate much more management to at least one entity than standard paper-based methods.

SSI know-how is presently in its early adoption part and there are only some distributors offering appropriate software program. Whoever controls the implementation additionally controls the system. The decentralized and standardized nature of Sovrin solely ensures a degree competing floor for various implementations, however doesn’t essentially stop one implementation from turning into dominant. In ITP, we see such implementater’s energy being consolidated into one entity. Sooner or later, third-party audits, reproducible builds, and personal key administration all must work collectively to forestall abuse of the implementer’s energy. However most basically, implementers of certificates issuance methods and verification methods must be separated for the complete system to be reliable.

Whereas SSI has potential, additionally it is complicated. In ITP’s case, we discovered that the mixing with SSI gives little sensible enchancment on decentralization, person management of private information, or trustworthiness of the credentials. These issues present that not all SSI-based methods are extra reliable and higher defend person privateness over standard ones and analysis continues to be wanted to enhance SSI-based methods.

Sovrin versus Public Key Infrastructure (PKI)

The utilization situations of SSI talked about within the earlier part overlaps with the utilization situations of Public Key Infrastructure. PKI is a extra standard know-how that’s presently broadly used, resembling in verifying the id of internet sites. These similarities posit the choice of utilizing PKI to implement ITP options as a substitute of Sovrin. In comparison with PKI, utilizing Sovrin appears to introduce a variety of complexities, most notably, a blockchain community.

The principle advantages of Sovrin over PKI are:

  1. Checking revocation standing of a certificates with out contacting the issuer or a government. In PKI, checking certificates revocation standing usually requires the checker to contact the issuer of the certificates or a government, which comes with a privateness threat.8

  2. Selectively disclose (proof) info on a certificates. Utilizing Sovrin, the certificates holder can show to the verifier solely chosen attributes on the certificates. For example, when proving oneself to be COVID-19 detrimental, the COVID-19 check certificates holder can determine to reveal solely the identify and check end result, with out the start date. When numerical attributes are concerned, resembling folks’s ages, one may even use Sovrin to show that they’re “over the age of 18,” with out disclosing the precise age, although this functionality was not utilized in ITP. In PKI, one cannot confirm partial info from a certificates.

It’s unclear if Sovrin’s advantages over PKI are well worth the complexities additionally launched by it, since it’s tough to estimate the complexities and value of a hypothetical, alternate ITP constructed with PKI. Nonetheless, our analysis exhibits the technical points the place Sovrin differs from PKI.

Assortment and monitoring of digital info to validate id and COVID-19 standing will proceed to be required as corporations and airways impose and implement COVID-19 protocols. Our research highlights ongoing privateness points and questions for the way these applied sciences are designed and managed.

Particular because of Masashi Crete-Nishihata, Christopher Parsons, Siena Anstis , Adam Senft, and Miles Kenyon. Funding for this analysis was offered by foundations listed on the Citizen Lab’s web site. Analysis for this mission was supervised by Masashi Crete-Nishihata and Professor Ron Deibert.

Appendix 1: IATA’s response to our questions

Be aware: we changed the IATA consultant’s identify with “IATA”.

Thanks for following up with us, we recognize the transparency.

Listed below are the solutions to your questions:

First half:

  1. We perceive that in the meanwhile, you do not need the app for use to cross border controls. Nonetheless, the digital passport continues to be used to register the person with laboratories. Are bodily passports additionally verified on this course of?

    IATA: Sure. Bodily passports are required to make sure that the individual current on the lab is the individual holding the telephone, exhibiting the bodily passport permits the lab agent to confirm that the identify + the passport image match the small print obtained on the Lab App display screen and the face of the individual in entrance of them.

  2. IATA: N/A as reply to 1 is Sure.

Second half:

  1. Why is an invite code required to make use of the app? We seen that the invitation code was beforehand accessible on Etihad Airline’s web site (hyperlink to snapshot) however is now taken down.

    IATA: The invitation code was launched previous to the launch of the trial for two causes:
    – To restrict the variety of simultaneous customers as we weren’t but able to scale.
    – To keep away from passenger’s disappointment as just some flights for chosen airways taking part to the trial can be found. In any other case they could set up the app and may be pissed off to not discover their flight.

  2. Why is the person required to bind their Google account when registering?

    IATA: First, we don’t retailer nor log this account info. Nor on iOS nor on Android.
    The rationale is to make sure that the individual presently utilizing the app is the individual proudly owning the information saved throughout the app, to make sure privateness.
    On the identical telephone, if individual A is establishing Journey Move, they received’t have entry to individual B information if they’ve as effectively an account on the gadget.

  3. Are there any airways which might be utilizing the digital passport characteristic for check-ins?

    IATA: No.

  4. Describe IATA’s relationship with Evernym for the event of ITP. Is the event of ITP outsourced to Evernym? Or does IATA have its personal improvement crew who integrates the code offered by Evernym into ITP?

    IATA: IATA owns the Mental Property of the Lab App. Evernym develops the Lab App following IATA’s necessities and operates the platform.

  5. How is the Lab App managed? We perceive that the Lab App is developed by Evernym; does Evernym additionally deal with its daily operations?

    IATA: as per level 4, Evernym operates the Lab App on manufacturing. The onboarding of Labs onto the Lab App is managed and managed by IATA. It isn’t public.

  6. How does a verifier confirm an ITP person’s COVID-19 check end result? Evernym gives an Airline App for verification functions, is it presently utilized by any airways throughout the ITP Initiative?

    IATA: Verifiers are utilizing the Verifiable Credentials know-how offered by Evernym to authenticate and validate the information obtained.
    Airways don’t lose the flexibility to confirm COVID-19 check outcomes by way of different strategies, together with visible inspection of offered documentation.

    IATA: The Airline App exists, IATA shouldn’t be concerned in it and, so far as I do know, shouldn’t be utilized by any airline.

  7. Who’re the supposed verifiers of ITP customers’ COVID-19 check outcomes?

    Airways and Border Controls.


Appendix 2: Evernym’s response to our questions


Thanks a lot for the inquiry about Verity Stream. Under are the solutions to your questions.




Is the ITP Lab App one occasion of Verity Stream?


Is Verity Stream designed to be hosted on-premise or within the cloud?

It’s offered on a SaaS foundation, hosted in Evernym’s cloud infrastructure.

Does Evernym handle the Lab App for IATA, or does Evernym solely present the Verity Stream program for IATA to deploy and handle on their very own?

Evernym gives Verity Stream on a SaaS foundation, and IATA distributes entry to labs which they contract with.

How are non-public keys managed throughout the usage of Verity Stream?

Evernym shops non-public keys on behalf of customers of Verity Stream in an encrypted “pockets” database on our infrastructure.

Does Verity Stream have entry to the customers’ (laboratories’) non-public keys?

Since it’s a internet software which we host for our clients, Verity Stream makes use of non-public keys assigned to them to subject verifiable credentials on their behalf after they instruct it to utilizing the person interface. Entities who would like to handle their very own keys can nonetheless take part within the ecosystem by implementing the identical workflows utilizing the identical open protocols.

If Verity Stream has entry to customers’ non-public keys, and will get compromised by attackers, what measures are in place to forestall attackers from issuing rogue credentials utilizing the stolen non-public keys?

The non-public keys themselves can be very tough to exfiltrate in such a means that they could possibly be utilized by an attacker to subject credentials from their very own infrastructure. The information within the pockets database are segregated and encrypted on a per-user foundation, and even when that have been defeated, figuring out which key pertains to a given lab whose check outcomes are legitimate for a specific passenger journey would require entry to information which solely IATA has. If any breach have been to be detected, IATA would invalidate the record of legitimate signing keys that their app accepts, and we might create new keys for every of the labs within the system.

Are there any precise cases of airline corporations utilizing the Airline App in manufacturing? What about airports and border authorities?

Verity Stream has been utilized in Airline App configuration for trials and demos, however shouldn’t be presently utilized in manufacturing by any airways. For manufacturing, the vast majority of airways have pursued API integration both instantly or by way of their chosen platform supplier.



Supply hyperlink