As vaccines become more widely available and shots reach more arms, software engineers and developers are scrambling to create mobile apps – coined “vaccine passports” or “COVID status certificates” – that will help the public ease into safe travel and events.

These apps represent an intersection (or – depending on your thoughts on the matter – a collision) of healthcare, technology, and privacy rights. The politicization of the virus and the vaccine, vaccine hesitancy, the sensitivity of PHI (personal health information), and equitability concerns surrounding vaccine disbursement have all converged at this end point. In the rush to develop vaccine passports, who’s ensuring the security of the sensitive data they handle? What techniques are being used to safeguard privacy?

Vaccine Passport Technology – How It Works

Vaccine passports will mostly likely be comprised of a unique QR code, likely stored in a digital wallet, that indicates your vaccination status. This data is stored at state health departments, pharmacies and health systems, and APIs would connect your app with their backend systems. This is how your status would be verified along with your identity, then downloaded in some way, generating your QR code. The QR code would then be scanned by another app for entry.

For this to provide the intended benefits, the QR code needs to be trustworthy. That means it should not be possible to generate a fake QR code nor should it be possible to “replay” someone else’s QR code – claiming their vaccination status as your own. Essentially, the QR code must embed a unique code and be time limited.

Security Risks in COVID Status Certification Apps

While vaccine passports have the potential to make it much easier for society to safely return to normal activities, rushing development of any app – especially one that contains sensitive data – comes with inherent risks.

In Israel, the country most advanced in vaccinating its population, users of the government’s “green pass” mobile app can enter theaters, sporting arenas, hotels, and gyms if they can show they’ve had their vaccine shots or recovered from the virus. But cryptographic experts and security professionals have already found a number of vulnerabilities with the app:

  • Vaccine passports are based on outdated code
  • Early generations of the QR codes displayed on the app are easily forged


The key is to stay physically safe while also safeguarding personal data and sensitive information about each app user. One could argue that a long-awaited night out at the bar is not worth the damage of compromised digital health records en masse.

Wide Adoption of Vaccine Passports Will Expand the Risk Surface

Vaccine passports have been touted by both private companies and government agencies as a way to safely return to some semblance of normalcy. While the official stance of the White House is that COVID status certifications will not be federally mandated, the pandemic-fatigued public will likely be quick to adopt the technology.

In Britain, a fiery debate between civil liberties advocates and the government is raging. The country has administered the most successful vaccination program in Europe so far, and the plans to mandate vaccine status are raising fears around data privacy and vaccine inequality.

While some countries are still developing apps and deciding whether to mandate them, others – such as Israel – have been implementing their usage for months. Security vulnerabilities have already been found.

Clearly there is a need to develop technology that helps society return safely to life as we once knew it – but how do app developers ensure that they are prioritizing security in the mad dash to go to market? 

With automated app security solutions – like Verimatrix App Shield –  that include layered protection like environmental checks, code obfuscation, and anti-tamper technology, developers can get the best of both worlds: defense-grade security and a swift time to market.

Security Shouldn’t Be an Afterthought

Whenever health information connected to an identifiable individual is stored, developers will need to develop safeguards for ensuring the security of that data. These safeguards include:

  • Collecting only the minimum data necessary to render the app functional
  • Storing data for as little time as possible
  • Promptly deleting data after functional use
  • Avoiding any undisclosed third-party tracking

To keep the QR code generation safe – whether performed locally or fetched from a server – application shielding technology should be used to stop attackers from reverse engineering the app. This is good practice whenever there is valuable data within an app.

If the QR code is to be generated within the app – as may be required to allow a generation even when there is no internet connection (such as in your favorite basement bar). Then the unique code it embeds must be generated cryptographically. Whitebox technology is required to keep the cryptographic keys safe from an attacker prying open the app code.