The Open Rights Group (ORG) has raised concerns about a number of security issues it found in all three of the canvassing apps developed on behalf of the UK’s three major political parties.
Labour, the Conservatives, and the Liberal Democrats all offer different digital tools that aim to ease the burden of data entry for door-knocking campaigners looking to register voters’ support.
All data was gathered during the run-up to last year’s general election and the ORG claimed all three parties’ apps had different types of issues affecting them.
The incumbent Labour government’s three web-based activist tools – Reach, Doorstep, and Contact Creator – were investigated. All three are used interchangeably to build a database of voters, complete with specific information about them to aid voter profiling, the ORG said.
The main issue raised by the privacy campaigners here was that various URLs tied to the apps were associated with infrastructure operated by credit reference agency Experian. The ORG said Labour’s privacy policy doesn’t explain the relationship between the data collected in the apps and the degree to which it is shared with Experian.
Its findings were based on limited, static technical analysis. It didn’t acquire login credentials for any of the apps, which ruled out more thorough testing, but nevertheless called on Labour to be more transparent about its relationship with Experian.
Two mobile apps used by Tory campaigners were also analyzed. VoteSource is a data entry tool for canvassers that returned nothing to concern the researchers. However, the party’s Share2Win app was more problematic.
Share2Win essentially sends official Conservative public messaging to app owners, providing them with the functionality to easily share it across their own social media profiles, complete with official party multimedia assets.
Using MobSF, an open source tool that does a basic security-checking job, but isn’t as thorough as the likes of Veracode or Checkmarx, the ORG said it discovered that both iOS and Android versions stored secret credentials, “potentially making it vulnerable to breaches.”
The rights group’s report noted various other issues, such as that different versions of the app were vulnerable to dependency confusion attacks – where external libraries on which the app depends are compromised.
Both Share2Win’s Android and iOS apps lacked privacy controls such as attributes for sensitive personal data and privacy manifest files respectively. The Android version was also able to access Wi-Fi data, which the ORG said could lead to location tracking.
You may also recognize Share2Win from reports circulating before the summer election about how the app was leaking party members’ details.
Various MPs’ phone numbers and home postcodes were leaked via the app, British broadsheet The Telegraph reported, including those of then-security minister Tom Tugendhat, Theresa Villiers, Vicky Ford, Greg Smith, and Sir Desmond Swayne.
Users were able to download a code version of the app’s leaderboard that ranked members by the number of shared party messages. Downloading the leaderboard did not require any technical know-how.
The main issues around the Lib Dems’ MiniVan app centered on its reliance on Google Firebase SDKs. The ORG’s report stated that this “is not inherently problematic, [but] it does point to potential security issues.”
The report went on to cite different pieces of research from the infosec industry concerning Firebase and how platforms built using it are routinely misconfigured, exposing sensitive data to the public internet.
Researchers found at least 900 Firebase-reliant websites were vulnerable in this way back in March 2024, exposing roughly 125 million user records. Likewise, Comparitech estimated that 24,000 Android apps were leaking user data due to Firebase misconfigurations in 2020.
Again, since the ORG wasn’t able to carry out thorough testing of the apps during runtime and researchers didn’t procure logins for all the platforms, more concrete conclusions couldn’t be drawn.
It said the static application security testing methods it used were able to identify issues such as privacy violations, insecure data storage, and potential vulnerabilities. However, due to the absence of valid credentials, it couldn’t observe any potential network-based data leakage, issues related to user interaction with the apps, and some tests may produce false positives and/or negatives.
Findings fall on deaf ears, mostly
Speaking to The Register, an ORG spokesperson confirmed that today’s report would be sent to the Information Commissioner’s Office (ICO) for review and that despite the organization’s efforts to secure a sit-down with parties to discuss the findings, none replied.
Equally, Labour, the Conservatives, and the Lib Dems all failed to respond to The Register’s requests. Sprinklr and NRG VAN, which assisted in the development of the apps used by Conservatives and Lib Dems, also didn’t respond.
The ORG was able to reach the vendors responsible for the Conservatives’ apps, but they claimed the versions examined by the researchers were old and no longer available. Therefore, any negative findings were moot.
“The app versions which were tested were in use during the election period, when the data was collected, and would be the versions downloaded by canvassers,” the ORG countered in its report.
“That appears to confirm that the issues were present during the election period, when the app was in greatest use.”
Speaking in relation to the Data Use and Access Bill progressing through Parliament, James Baker, platform power program manager at the ORG, said: “With trust in our democratic systems at an all-time low, the government should be working to improve the public’s confidence in electoral processes.
“Our report highlights that there is a data arms race to the bottom, pushing parties to make shortcuts in safety and privacy. The answer to this is fair and robust rules and enforcement.
“Instead, the government is doing nothing to make the ICO keener to act. The new data bill proposes to give ministers the power to make arbitrary rules about how our political parties can use our data, potentially timed to favor their own party in an election.
“This will further undermine public trust. We need transparency and a fair set of rules agreed by Parliament and enforced by an independent ICO and Electoral Commission.” ®
