Campaign Apps Ghana 2020

Tactical Tech
Apr 30, 2021


Trackers, Vulnerabilities and Take-Overs

Part 1: Elections — There’s An App for That
Part 2: Why Investigate Election Apps?
Part 3: Campaign Apps Ghana 2020
Part 4: The National Resistance Movement App and Digital Politics in Uganda

Despite Ghana’s Electoral Commission registering close to 30 political parties, the country has been dominated by two rival parties since democratisation in the early 1990s. In December 2020, both the National Democratic Congress (NDC) and the New Patriotic Party (NPP) contested the country’s general election and fielded campaign apps within their digital campaign strategies to connect with the 17 million voters. A search of the Google Play Store and the Apple App Store for these two parties resulted in the following five apps of interest:

This selection already reveals some of the complexity of the ecosystem and of the subsequent research, including:

  • multiple apps per party
  • different types of publishers/developers according to the publicly accessible details on both Google’s and Apple’s app platforms:
    - in-house party developers
    - third-party consultant services, such as the internationally active VoteRockit, LLC or Ghana-based Blema Media Consult
    - individual developers
  • insights into user and device permissions requested by the apps
  • their privacy policies are a mixed bag

Charles

For this research, we used Charles, a digital forensics and web debugging proxy application which allows a user to configure a device to access the Internet via Charles in order to see what is being sent and received between device and servers on the web. Through it we were able to see what servers the apps were reaching out to and what data was being transmitted through the use of the app.

Centralised Trackers via Appypie

We initially analysed the NPPDashBoard and NDC Official App and found that both apps made network requests to appexecutable.com and that both apps were based on an identical app framework. This domain is associated with Appypie, a self-styled “No-code Web & Mobile Application Development Platform”, registered in the United States with the vast majority of its developers based in India, according to the company’s LinkedIn profile.

By using this admittedly convenient app generation framework, both apps package trackers pre-loaded by Appypie. However, while the data from these trackers is accessible to Appypie, it is not accessible to the app developers themselves. Through this choice of tech implementation, the two major political parties are facilitating the capture of tracking data by a third party, Appypie, while at the same time not being able to access that data themselves. In this case, it appears that Appypie is the real winner, receiving tracking data from users of two rival parties.

Extract of the two apps’ manifests showing identical tracking codes.

No Command or Control

Moving on to the next set of apps, our investigation discovered that both ‘Official NDC App’ and ‘NPP APP Ghana’ had lost total control over their respective App API endpoints, meaning that data added by a user to the app was being transmitted to servers not controlled by the app’s developers.

Official NDC App

If a user attempts to sign up within the ‘Official NDC App’ downloaded from the Google Play Store, they are prompted to submit sensitive user information such as their full name, email, phone number, membership ID (it is unclear whether this translates to a national identifier), and password. However, despite the user’s best efforts the app will return a 403 Forbidden response, i.e. a network error, because of the misconfigured API endpoint.

When we inspected the network requests made when a user attempts to sign up or log in, we found that the aforementioned sensitive data is passed to “ndcmobile.com” over an insecure HTTP request. This is considered a substandard security configuration, as this information could be viewed by anyone with access to the network through a classic man-in-the-middle attack, a well-known technique where a third party scans and intercepts the network traffic between a device and a server.


However, the story gets worse. It appears that “ndcmobile.com” is no longer associated with the NDC party of Ghana. Instead, it now directs to a mobile phone store based in Vietnam. If this company wished, it could potentially have access to emails, names, phone numbers and passwords of all users who have attempted to login or sign up to the app during the election period since the NDC party lost control of this domain.

ndcmobile.com as it appeared in 2018, according to web.archive.org.
ndcmobile.com as it appeared at the time this research was conducted.

NPP APP Ghana

When looking at ‘NPP App Ghana’, we found similar issues. Here, the app’s API domain, the server that communicates with the app, “nppapp.com”, was no longer registered to an owner and thus freely available for purchase on the open market. In order to prevent a similar domain takeover to the one we saw with ‘Official NDC App’, we purchased nppapp.com for 15€ in order to secure it and keep it from falling into the wrong hands. Further searching across the web for the keyword “nppapp” revealed that there was indeed a functioning ‘NPP App’ API URL hosted at “nppapp.net”. Attempts to access this site with some well-known WordPress exploits failed — hopefully indicating that this site had been properly secured. In all likelihood, the owners of NPP App Ghana for iOS had misconfigured their app to use nppapp.com instead of nppapp.net. This mistake could have allowed anyone owning nppapp.com to compromise devices running the app, for example by executing arbitrary JavaScript code. By purchasing the domain, our project, instead of a malicious actor, took control of the API endpoint.

As we now controlled the domain, we were curious about the activity it would be receiving and thus fitted it with a static image of the NPP logo and added Google Analytics to monitor connections, as well as server access logs, in the run-up to the election. Examining the server logs revealed that the site had previously hosted content through WordPress and that the site was the target of numerous attacks, likely by bots, including thousands of attempts to access the WordPress admin panel used to log in to the website. We also found evidence of the use of a known backdoor log-in script used to hack vulnerable WordPress sites.

The logs that we were able to keep show that the attacks failed and were likely a result of automated scanners probing the website for vulnerabilities rather than a targeted attack. It nevertheless shows how vulnerable poorly maintained web infrastructure can be and that election-focused digital assets are targets, too.
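A log triage of the kind described above can be sketched as follows. This is an added example, not the project's tooling: it assumes Common Log Format access logs, and the sample lines are constructed with documentation IP ranges. It counts requests for the WordPress login and admin paths per client and lists any that the server answered with a 2xx or 3xx status, which is the evidence needed before concluding that the probes failed.

```python
import re
from collections import Counter, defaultdict

# Common Log Format prefix: client, timestamp, request line, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# WordPress login/admin paths; a site serving one static image has neither.
WP_PROBE = re.compile(r"^/(wp-login\.php|wp-admin(/|$))")

# Constructed sample lines, not taken from the project's logs.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Dec/2020:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153
198.51.100.7 - - [01/Dec/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 404 153
198.51.100.7 - - [01/Dec/2020:10:00:03 +0000] "GET /wp-admin/ HTTP/1.1" 404 153
203.0.113.9 - - [01/Dec/2020:10:05:00 +0000] "GET /logo.png HTTP/1.1" 200 20480
203.0.113.20 - - [01/Dec/2020:11:00:00 +0000] "GET /wp-login.php HTTP/1.1" 404 153
this line is malformed and is skipped
"""


def triage(log_text):
    """Return (status counts per probing client, probes that were answered)."""
    per_client = defaultdict(Counter)
    answered = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # tolerate truncated or malformed lines
        client, method, path, status = m.groups()
        if not WP_PROBE.match(path):
            continue
        per_client[client][status] += 1
        if status[0] in "23":
            # The server served or redirected the probe: review by hand.
            answered.append((client, method, path, status))
    return per_client, answered


if __name__ == "__main__":
    clients, answered = triage(SAMPLE_LOG)
    for client, statuses in clients.items():
        print(client, dict(statuses))
    print("answered probes:", answered or "none")
```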

Reflections & Handing Back Control

In concluding this analysis we handed control of the ‘NPP App Ghana’ back to its developers by setting up a 301 redirect from nppapp.com to nppapp.net. In effect we are redirecting the app’s traffic away from the website we purchased and to the intended website set up by the app developers. During this time, we were never contacted by the app’s developers, leading us to conclude that the misconfigured domain was not noticed or prioritised. At the time of writing, the identified issue with ‘Official NDC App’ remains.


Considering that these apps deal with election materials and voter information, poor technical implementations can have an impact on the integrity of the election campaigns. Furthermore, in the case of ‘NPP App Ghana’, it is impossible to know whether a vulnerability was exploited prior to our purchase of the app’s web domain. The fact that a simple configuration error could have left users of this election-focused app at the mercy of malicious actors during an election season is concerning. In the case of ‘Official NDC App’, it is theoretically possible that user data is still making its way to a mobile phone store in Vietnam.

While we did not identify a security vulnerability within ‘NPPDashBoard’ and ‘NDC Official App’ as such, the fact that both apps are based on the same third-party app architecture, including the pre-configured tracking technology, makes it important to consider whether applications of a political nature which deal with voters’ personal data should be treated with a higher degree of scrutiny and awareness for their users.

Concluding Note

At the time of writing and prior to publication, all developers of the apps subject to this research have been contacted by our research group informing them of this investigation and our concerns. This text will be updated in the event that the developers respond.

— — —


Varoon Bashyakarla is a data scientist at Tactical Tech. His work explores the datafication of politics.

Gary Wright is a researcher at Tactical Tech, examining the uses of digital technologies in politics and their impacts on society.

The App Analyst is a digital security researcher with a specialty in auditing mobile apps for privacy and security vulnerabilities. Follow The App Analyst’s work here and here.


Tactical Tech

Tactical Tech is an international NGO that engages with citizens and civil-society organisations to explore and mitigate the impacts of technology on society.