The Malaysian government has released a mobile app designed to verify the authenticity of digital health certificates. Called Vaccine Certificate Verifier, the latest version of the app was released just a few days before the rollout of a new MySejahtera update that bundles several changes to the digital vaccination certificate.
Released on 20 August, the update v1.0.43 for MySejahtera on iOS and Huawei devices includes some UI changes to the digital certificate as you can see below:
The update has also changed the QR code format of the certificate. In addition, it mentions the Vaccine Certificate Verifier app explicitly for the first time:
In MySejahtera v1.0.42, the QR code could be scanned by any generic QR reader and would lead you to a version of the digital vaccination certificate hosted on the Ministry of Health’s website. On the other hand, you need the Vaccine Certificate Verifier app to process the new QR format in MySejahtera v1.0.43, although a generic QR reader can still read the raw data, which appears to be encrypted.
Once you scan the new QR codes with the Vaccine Certificate Verifier app, here are the results:
Before we continue further, let’s backtrack a bit. Truth be told, the Vaccine Certificate Verifier app did not always work like this, and it is not exactly a newly released app either.
According to the version history of the iOS app, Vaccine Certificate Verifier v1.0.4 was released way back on 5 May, while the latest version, v1.0.8, made its way to the store on 18 August. When we researched the app’s background, it led us to a blog post published on 15 July by local developer Anonoz Chong, who pointed out that a previous version of the app was nothing more than a basic QR reader.
That is because the app, which we believe was v1.0.6 at the time, would simply open whatever a QR code pointed to without performing any actual verification. Anonoz said this could be a serious security issue, as someone could create a fake certificate, host it on some server, and generate a QR code that would lead the Vaccine Certificate Verifier app to the fake certificate.
He even created a 9-second proof-of-concept video to demonstrate the fake certificate scenario. However, Anonoz noted that the flaw was seemingly fixed within a week of the blog post being published, through a v1.0.7 update for the app.
In Vaccine Certificate Verifier v1.0.8, these are the errors the app showed when we scanned the previous QR code of the digital certificate, as well as the fake certificate that Anonoz created for the PoC video:
Meanwhile, the description for the Vaccine Certificate Verifier on Google Play, Huawei AppGallery, and iOS App Store stated that the app can also be used to verify digital health certificates from countries that have a mutual recognition agreement with Malaysia. It also noted that the app currently supports certificates from Singapore and the European Union.
Since we do not have a certificate from either to test with, we could not verify this claim by the app’s developer. Nevertheless, out of curiosity, we did test the new QR format in MySejahtera’s certificate with verifier apps from European countries such as Portugal, Belgium, Switzerland, and Greece.
As you can see, the number of details each app shows differs from one to another. While these EU apps certainly recognised the new QR format of Malaysia’s digital vaccine certificate, a signature issue appears to have rendered our certificate invalid for the time being.
This is not exactly an issue at the moment, given that Malaysians are still not allowed to travel to Europe without special approval, but we do hope that the authorities will be able to tackle it before the travel restriction is lifted.
For Android users out there, do note that the MySejahtera v1.0.43 update has not yet been deployed for your platform as of this morning, even though the Vaccine Certificate Verifier app itself is already available for Android. So don’t be alarmed if the app says that the QR code for your digital certificate in MySejahtera’s Android app is invalid, which is what we showed earlier in this article.