Shortly before the end of 2023, we received a request from the Cottbus fire department for a security analysis of a mobile application that is to be used in practice by rescue workers and must therefore not pose a security risk to the cell phones of the men and women on duty. Of course, we were happy to be of assistance here. And not just because the application is a useful tool for dealing with child emergencies.
The application in question is the Android app “Pedi Help”. It includes useful overviews and calculators that provide emergency services with important data quickly and easily in emergencies involving children. The age, weight and height of the child can be easily set and the required information can then be displayed or calculated accordingly. For example, it can be determined in seconds what the child’s normal vital signs should be, how respiration equipment should be used or what dose of pain medication is permissible – even a complete layperson can immediately understand why the application can be useful for more than just the emergency services.
We took a look at version 2.5 of the application (com.CreaBooSoft.PediHelp) and subjected it to the usual static and dynamic tests. First of all, however, it must be said that although the application is highly interesting for emergency services for obvious reasons, from a security point of view it actually represents the exact opposite for us. To avoid any misunderstanding: This is excellent news for anyone who wants to use “Pedi Help”!
The application is relatively unexciting for us because, in principle, it does not implement any functionality that can be attacked, intercepted or otherwise easily manipulated: There is no mandatory online communication that could be attacked, no user accounts (or data) that would need to be protected and no access to or collection of sensitive data. In the test, we were only able to observe communication with Unity servers and Google. Unity is the development environment with which “Pedi Help” was realized. The fact that pseudonymized usage data is collected here for analysis and retargeting purposes is nothing unusual. The static analysis accordingly identifies the associated tracker Unity3D Ads in the app code and the use of the smartphone-specific advertising ID can be traced in the code. In terms of security, however, this is not a problem. At most, there might be concerns from a data protection perspective.
Which brings us to data protection. As I said, we can prove through the practical tests that usage data is sent to Unity and Google. You can certainly criticize this, but you also have to realize that this is basically the case with every Android application these days. Google always has the option of accessing such data anyway and the presence of “just” one other tracker can almost be described as exemplary. In addition, the developer has no other choice after choosing Unity3D as the development environment, which inevitably brings the tracker into the app.
Overall, there is nothing more to add from a security point of view and for the reasons mentioned: Whether on private or company cell phones, whether in WiFi or offline – we were unable to identify any realistic scenario during testing in which the use of the “Pedi Help” app could have any significant malicious potential. Good news for the paramedics of the Cottbus fire department and all those who simply want to be prepared!