Digital proof of vaccination: How secure is user data in vaccination record apps really?

Anyone who has been vaccinated against the SARS-CoV-2 coronavirus has been able to receive a digital vaccination certificate free of charge since June 14, 2021. This offers vaccinated people the opportunity to easily prove their vaccination status without having to carry the yellow vaccination booklet with them.

The digital vaccination records contain information on the time of vaccination and the vaccine, as well as the full name and date of birth of the vaccinated person. The vaccination certificate is provided in the form of a printed QR code at the location where the vaccination was administered. Vaccinated people can then scan the issued QR code with the CovPass app or the Corona-Warn-App and use it as a digital vaccination pass.
With the introduction of the digital vaccination certificate, many citizens initially breathed a sigh of relief. But now the first fears are emerging: How secure is user data inside the vaccination certificate apps? mediaTest digital did the test and put the two vaccination pass apps, CovPass and Corona-Warn-App, under the microscope in terms of data protection.


The CovPass app from the Robert Koch Institute is available free of charge in the popular app stores for Android (v 0.160.7) and iOS (v 1.3.0). Vaccinated citizens can use it to show their digital vaccination certificate if required. The security experts at mediaTest digital were pleased to find that the app does not use any trackers or analysis tools to investigate user behavior. The auditors were also unable to determine whether user data was transmitted to third parties; the app only establishes connections to the app provider. A man-in-the-middle attack was successful, but the application takes adequate countermeasures. There is therefore no risk of data misuse.
However, users should be careful with their QR code and keep it to themselves, as everyone can download and use the CovPassCheck app. If a user scans any vaccination certificate (QR code) with this app, it shows information such as the first and last name, date of birth, as well as the vaccine and vaccination status of the person behind the QR code. However, this is not a bug in the app, but rather the system behind it.
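Why any scanner can read the certificate, as an added example that is not part of the original article or of the apps' code: the QR text of an EU Digital COVID Certificate is the prefix `HC1:` followed by Base45 text of a zlib-compressed, signed but unencrypted structure, so reading it needs no key. Assumptions: the function names and the `SAMPLE` record are constructed for illustration, and a JSON record stands in for the real signed CBOR payload.

```python
import json
import zlib

B45 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"  # RFC 9285 alphabet


def b45encode(data: bytes) -> str:
    """Base45: each 2-byte pair becomes 3 characters, a trailing byte 2."""
    out = []
    for i in range(0, len(data), 2):
        chunk = data[i:i + 2]
        n = int.from_bytes(chunk, "big")
        for _ in range(3 if len(chunk) == 2 else 2):
            n, r = divmod(n, 45)
            out.append(B45[r])  # least significant digit first
    return "".join(out)


def b45decode(text: str) -> bytes:
    """Inverse of b45encode; rejects malformed input with ValueError."""
    if len(text) % 3 == 1:
        raise ValueError("invalid Base45 length")
    out = bytearray()
    for i in range(0, len(text), 3):
        group = text[i:i + 3]
        n = sum(B45.index(c) * 45 ** k for k, c in enumerate(group))
        size = 2 if len(group) == 3 else 1
        if n >= 256 ** size:
            raise ValueError("Base45 group out of range")
        out += n.to_bytes(size, "big")
    return bytes(out)


def make_qr_text(record: dict) -> str:
    """Build a QR string the way the transport layer does: compress, Base45, prefix."""
    raw = json.dumps(record, sort_keys=True).encode()  # stand-in for signed CBOR
    return "HC1:" + b45encode(zlib.compress(raw))


def read_qr_text(qr_text: str) -> dict:
    """Recover the record. Note that no key or secret is involved at any step."""
    if not qr_text.startswith("HC1:"):
        raise ValueError("missing HC1: prefix")
    return json.loads(zlib.decompress(b45decode(qr_text[4:])))


# Constructed sample record, not a real certificate.
SAMPLE = {"name": "Erika Mustermann", "dob": "1964-08-12",
          "vaccine": "EXAMPLE-VACCINE", "doses": "2/2"}
```

The signature on a real certificate only lets a verifier detect forgeries; it does nothing to hide the fields, which is why a photographed or shared QR code exposes the holder's data.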



The official Corona-Warn-App of the Robert Koch Institute has been accompanying German citizens through the pandemic for over a year and is available in the app stores for Android (v 2.3.4) and iOS (v 2.3.3). It informs users about potential risk encounters and provides a contact diary and event registration; recently it has also been showing the digital vaccination certificate. The auditors found that the app fortunately does not use any analysis or tracking tools. Furthermore, the application is likely to only process collected data locally and not transmit it to third parties. However, since the full functionality of the app was not available to the testers during the test run (no QR code), this is initially only an assumption. At the request of the user, data can be encrypted and sent to the health department in order to support the responsible employees in tracing the chain of contacts in the event of an infection. It is not foreseeable what will happen to the stored data, since the respective system manufacturers (Apple and Google) provide the core function of the application.

The conclusion of the security experts on the digital vaccination certificate

The mediaTest digital data protection experts recommend the use of the digital vaccination certificates in the CovPass app and the Corona-Warn-App, not only because of their benefits in combating the pandemic. Users can also use them with a clear conscience for reasons of data protection law. Citizens should, however, treat the QR code they have been given very confidentially and not photograph it or the like, as the Covid certificates can be scanned and read by anyone using the CovPassCheck app.
