WTF?! If you were hoping to attend the World Cup in Qatar next month, you might be rethinking your plans once you find out what the country will require of you. To enter the country, travelers must download two apps. Both function similarly to spyware and grant Qatar authorities permissions that security experts find questionable.
Qatar is a small country located on the Arabian Peninsula in Western Asia. It serves as the host for this year's FIFA World Cup, scheduled to run from November 20 to December 18. Most notably, it is the first time the World Cup has been hosted by an Arab nation and only the second that has ever been held entirely in Asia.
Thousands of football fans are expected to descend on the region over the next couple of months to witness some live World Cup action. However, the country has raised serious concerns with cybersecurity researchers by "requiring" visitors to download apps that give officials overbearing rights to the data on their phones.
Øyvind Vasaasen, Head of Security at NRK, says it's a deal-breaker for him.
"It's not my job to give travel advice, but personally, I would never bring my mobile phone on a visit to Qatar," said Vasaasen.
The apps in question are called "Ehteraz" and "Hayya." Vasaasen and other researchers, including Bruce Schneier, have equated it to spyware.
Ehteraz is a covid-19 tracking app available for iOS and Android. The software is troubling because it asks for permissions far beyond the norm. Unsurprisingly it wants to track users' precise location through Wi-Fi and Bluetooth, which seems somewhat reasonable. After all, it is a covid-tracking app.
However, after Vasaasen conducted a thorough review of the software, he found that Ehteraz wanted much more than tracking capabilities. The app can also "read, delete, or change all content" on the user's phone. It can override any other installed software and prevent the phone from entering sleep mode. Additional permissions include the ability to make outgoing calls and the disabling of the device's lock screen.
Hayya is also available on the Apple App Store and Google Play. At first glance, seems to be a much more benign app primarily used to track matches and access Qatar's free metro system. However, demanding visitors to install what appears to be helpful mobile software raised red flags.
Upon inspection, Vasaasen discovered that Hayya also had some startling conditions. For one, it has permission to share information from the phone with virtually no restrictions. It also tracks the user's location, can prevent the device from entering sleep mode, and can view the user's network connections.
Vasaasen says that between the two apps, the Qatar government has complete control over the data stored on a device, including the ability to alter or delete information.
"When you download these two apps, you accept the terms stated in the contract, and those terms are very generous. You essentially hand over all the information in your phone," Vasaasen said. "You give the people who control the apps the ability to read and change things, and tweak it. They also get the opportunity to retrieve information from other apps if they have the capacity to do so, and we believe they do."
The apps are primarily controlled by the Institute of Public Health --- part of the Ministry of Interior, which is genuinely interested in preventing the spread of covid in the country. However, the permissions it is asking for go well beyond what is needed to do that. Vasaasen says that by agreeing to the terms, users are giving the authorities the "opportunity" to abuse the rights handed to them. It's like handing them the keys to your home.
"You're saying that it is perfectly fine for the authorities to enter your home," the security head explains. "They get a key, and they can get in. You don't know what they're doing there. They say they might not make use of the chance, but you're giving them the opportunity. And you would never do that."
While Bruce Schneier finds the apps unsettling and the permissions ridiculous, he says it's unclear how Qatar can enforce the rule and make thousands of visitors download the spyware.
"I don't know how mandatory this actually is," Schneier commented in his blog. "I know people who visited Saudi Arabia when that country had a similarly sketchy app requirement. Some of them just didn't bother downloading the apps and were never asked about it at the border."