The National Identity Management Commission (NIMC) reportedly has a mobile app that allows registered citizens to generate their National ID card. But our investigation reveals that this might have been used to steal people’s private credentials.
On the surface, it seemed like the Nigerian government wanted to optimise the National Identification card collection process, which has dragged on for more than a decade.
In a tweet that probably drew Nigerians’ attention to the seemingly new development, the author claimed to have gotten it done in a few minutes.
Thank you @MBuhari
I just downloaded my National ID card online in less than 3 minutes. 🤸🤸
Go and get yours too ✌️ pic.twitter.com/J62ruFgs1O
— Jerry koko Durojaiye 🕗 (@kokomatic) August 15, 2020
The tweet outlined the steps involved, which included a link to download a mobile app. The app, named Mobile Web Service (MWS: NIMC MobileID) and supposedly powered by NIMC, was available on the Google Play Store and the Apple store.
As is typical, the information quickly gained attention on the social media platform, but after the initial excitement it began to draw other reactions, such as frustration and confusion.
There was a series of complaints on Twitter and on the app’s review page on the app store. Most of these complaints were about either getting another person’s information or encryption errors.
As of press time, the app no longer exists on the mobile app stores. While there’s no verified reason behind this move, it confirms a number of suspicions.
If this isn’t a case of NIMC plucking out a faulty system, it could be that the supposed tech team behind the app found a way to cover their tracks.
What is clear, however, is that a lot of data has been exposed to risk. Meanwhile, Techpoint Africa reached out to the Commission for clarification but has not received any response.
What’s it about MWS?
Our investigation showed that the app was released on the Google Play Store on July 15, 2019. As of August 15, 2020, there were already more than 10,000 downloads.
We also noticed that app reviews dating back to August 2019 reflected unresolved issues. Aside from this, the most recent update, which probably drew the attention of most Nigerians, took place on July 31, 2020.
In the app’s description, it was stated that another update, version 2.0 (the current version was 1.90), was set to be released by August 2020. The app claimed that the Federal Government of Nigeria would release an official press statement informing citizens of the mobile application after the update.
While this came with its own confusion, we scoured the official NIMC website for any hint of this claim but found none. Apparently, the only national ID detail you can get digitally is your National Identification Number (NIN), by dialing the USSD code *346#.
Based on reactions on social media, Nigerians were more worried about the faulty app than about its credibility or even an important issue like data privacy.
What could have gone wrong and why should you be worried?
Despite the similarity in the web interfaces, we discovered that the MWS: NIMC MobileID website (https://m.nimc.gov.ng/) is a subdomain of the official website of the NIMC (https://www.nimc.gov.ng/). Aside from the concern of whether or not the former is official, there’s no link on the official site redirecting to the MWS website.
Since the NIMC handles large datasets, this could have been a case of information mix-up. However, the high number of complaints, even after a supposed second upgrade in July, gives cause for alarm.
It is not clear how this app was able to get the information of some people right. Recall that something similar occurred where details of some African tertiary institutions were exposed.
Unscrupulous entities can easily harvest data from one source and upload it to another platform, probably to mine for more data.
In a previous report, we revealed how Nigeria ranked as the second-highest victim of cybercrime globally in 2020.
Given the government’s silence on this recent event, it is expected that some steps will be taken to salvage the situation, whether or not the Commission has something to do with it.
Meanwhile, as Nigeria works towards achieving a unified database, it should also put data protection plans in place.
Going forward, we recommend that users download apps only from trusted developers. Ordinarily, there should be a link to the developer’s website on the app store to help with this, but when there is not, check the Internet to verify.
UPDATE [AUGUST 17, 2020]: NIMC released an official press statement. Here’s an excerpt:
Our attention has been drawn to several complaints about the NIMC Mobile App. We will like Nigerians to be aware that the App is a novel innovation by the Commission, but it is yet to be officially approved for public consumption.
The app is still in the test environment and currently being fine-tuned to give users the best experience with adequate privacy and data security safeguards. Once the test stage is concluded, the Commission will issue a formal statement regarding its usage by our esteemed NIN registered persons.
In the same vein, we want to assure Nigerians of the security of their data. The data is securely encrypted both in transit and at rest.