Undisclosed face detection code in Hong Kong app turns out to be bundling error
LeaveHomeSafe, a contact-tracing app built and deployed by the Hong Kong government to reduce cases of Covid, apparently is safe to leave home with.
An investigative news publisher in the Chinese territory reports that it had found inactive biometrics-based facial detection code in LeaveHomeSafe’s source code.
According to FactWire, it is likely that the code in question resided in an open-source framework called React Native. Developers can put the framework in their apps. The framework contained code that would tie into a phone’s camera.
LeaveHomeSafe works by recording QR codes posted at venues for contact tracing. The camera module seems to have come with some face-detecting functions that should have been stripped.
The camera code only tied to the rear-facing cameras, not the front-facing lenses, making it unlikely to be a hidden surveillance feature.
News publisher The Standard reports that a deputy government CIO went on a radio program to say the biometric feature in question was never activated. It was unintentionally bundled with the camera code, and it will be removed in a planned app update.
It is not a paranoid reaction in Hong Kong to think of surveillance on finding undisclosed capabilities.