Is the Luca app safe? Interior Ministry rejects closer examination by BSI

Luca app. (Photo: Wirestock Creators / Shutterstock)

The state of Hesse wanted the BSI to comprehensively check the popular Luca app and the infrastructure behind it. The Federal Ministry of the Interior rejected the request. Why?

The Luca app recently reached the 20 million user mark. In June, nine million people are said to have downloaded the app. The news had security experts shaking their heads. The Chaos Computer Club (CCC), for example, demanded that the Luca app be buried in view of numerous security deficiencies. So far, 13 federal states have bought licenses for Luca, at a cost of over 20 million euros. Hesse had also bought in. Now the state wanted to commission a review of the system, in vain.

BSI is not allowed to scrutinize the Luca app

As Spiegel Online first reported, the Federal Ministry of the Interior has forbidden the Federal Office for Information Security (BSI) to carry out the comprehensive testing of the app and system that Hesse requested. This is possible because the BSI reports to the Ministry of the Interior. The ministry confirmed the refusal to Spiegel. The explanation: the federal states are contractual partners of the Luca app, and guaranteeing IT security is part of the service the manufacturer provides.

In plain language: Hesse would have to request such a test directly from the makers of the Luca app. According to Golem, such source code reviews or penetration tests could be carried out by appropriately specialized companies, which can also be BSI-certified. Culture4Life, the company behind the Luca app, could commission this service. Other federal agencies are said to use this procedure as well.

BSI criticism of the handling of security deficiencies

However, the BSI had already put the Luca app under the microscope. According to Golem, this was done only in connection with the agency's app testing portal, and by external providers. In May, the BSI publicly criticized the way the Luca app's operators deal with recurring vulnerabilities. However, the office later stated that it would continue to concentrate its resources "on the intensive and development-accompanying examination of the Corona warning app", as Golem writes. The Corona-Warn-App received new functions with version 2.7, presented on Monday. The app now checks whether the certificates are genuine.
