Is the core of Apple Health sour?

by Jorge del Prado

In 450 BC the king Artaxerxes of Persia sent his cupbearer Nehemiah on an important trip. In order to grant safe passage the King gave him a letter, on which was addressed “to the governors beyond the river”. The king was requesting safe passage as Nehemiah travelled through their distant lands, creating the first ever passport.

Ever since passports have been used to grant freedom of movement across the globe. Today over 150 countries have progressed beyond paper passports to adopt biometric e-passports speeding up the immigration process and improving  security.

Since the Pandemic of 2020/21 however, passports have taken on a new function, one of declaring your health status. Now big tech and think-tanks are coming up with solutions for the scoping, storage and issuance of these new ‘Health Passports.’

Tony Blair the former UK Prime minister has recently said:

“Allowing international travel to resume safely means we must take all possible steps to limit the spread of new COVID–19 variants. We urgently require an internationally-recognised system of health passes enabling travellers to quickly and easily prove their health status, in a secure and privacy-preserving way... The G20 group of nations should commit to establish a network of globally interoperable health passes, and set up the working groups needed to deliver it.”

On September 20th 2020, Apple launched iOS 15 with a bunch of new exciting new features. Among these new features there is one that caught our attention, Apple is natively supporting storage of Health Credentials in the Health app and from iOS 15.1 this will also be in the Apple wallet. Pretty cool, huh? It is cool, indeed, very useful and with a great user experience as you would expect from Apple, there is a serious downside though. 

If you have travelled abroad since the pandemic started or if you have attended a football match or a play at the theatre. You will know that in most of these situations you are required to prove your vaccination status or to show a negative test result.

Examples of how this is done are:

  • Travelling:  When you travel abroad the airlines are responsible to verfify that you have the right documentation to board the plane, if they fail they are fined. For that reason Covid documents are scrutinised in greater detail. They will check your vaccination status (or test) and they will check your identity matches the paper or digital document you show them.  Do they check if the document is valid? NO. They do a visual check and if they don’t see anything strange they will assume it’s valid. Do they read the QR code on the document? NO. There are too many different types of QR codes to read each with their own apps so they don’t bother.
  • Other community uses: Football matches, restaurants, gyms… They usually check your credentials visually, on paper or on your phone. Do they check an identity document alongside the credentials? NO. Do they check if the credentials are valid? NO. We should remember these guys want people quickly through the doors so they are often indifferent when checking credentials.

I understand this is new for all of us and it’s far from perfect but we are generating messy processes in which the opportunity for fraud is significant.  Apple support for credentials is great but people tend to trust Apple - in fact Apple is the most recognised brand in the world, overtaking Amazon in 2021. So people naturally trust something you show inside an Apple app,  like your vaccination credentials.

Does Apple check if credentials are genuine? The answer is again, NO. They check the format and if the signature looks valid but it is nearly impossible to know if the source of the credentials is valid. Without Big Brother confirming what a valid source is, the origin of the vaccination or test is simply assumed.

Does Apple check if the credentials are yours? The answer is yet again NO. The fact is they keep it open, so you can store credentials from different people if you want. This is risky as you can find credentials to download off the internet that could technically be stored in anyone’s wallet.

In summary, a decent programmer could create fake credentials for ‘Donald Duck’! They could attend concerts, football matches or Disney on Ice with these fake credentials stored in their Apple Health App!  In a more serious scenario this savvy developer could create fake credentials with their actual name on the record and travel abroad, even if they’re not vaccinated. Authorities would trust this as genuine as it’s in the right format and stored in the Apple Health app along with a nice green check that seems to indicate that the credentials are genuine.

This is how we successfully created a vaccination certificate for Donald Duck and added it to the Apple Health App: https://youtu.be/A1dZNrQlA8A

We understand this a version 0 of a process that will be improved along the way. What is less certain is if the actors involved in this process (security guards, airlines etc.) know that having health credentials in the Apple Health App doesn’t guarantee that it they’re genuine or even yours.  

Hopefully you can see from in this article, that certainty about what is being presented in the Apple Health App is far from assured and everybody should be aware of it, to avoid fraudsters eroding trust in the whole process just as it’s getting started.

Gone are the days where a kings seal is enough to grant free passage, even Apple’s globally recognised logo should not provide this type of imputed authority. We need verifiable credentials secured with biometric identity verification if these new types of ‘passports’ are to have the same longevity as the traditional passports started all those centuries ago.

We use cookies and other similar technologies to improve your browsing experience and the functionality of our site. By clicking "Accept", you consent to the storing on your device of all the technologies described in our Cookie Policy. We urge you to read our Privacy Policy and Terms of Use to better understand how we maintain our site, and how we may collect and use visitor data.