Anybody who wants to book Randox’s day 2 lateral flow test is required to use its App to verify results, but Android users are required to disable important security features before they can download it.
While the App is available for iPhone users on the App store it is not yet available as an approved app on Google Play for Android users.
Instead, Randox tells customers to enable the ‘Install from Unknown Sources’ option on their phone. Which? Data security experts advise that you should almost never do this. Customers who forget to switch off this permissions setting leave themselves open to risks such as identity theft, ransomware, financial scams and other malware.
Downloading Apps outside of the App Store or Google Play store in this way is known as ‘sideloading’. While there’s no reason to suspect that there’s anything wrong with the Randox App itself, it has not been vetted by Google and if you don’t switch off the ‘unknown sources’ option after downloading it you remove a crucial protection for your phone.
Lateral flow tests needed for foreign travel
Most people entering the UK are now required to take a lateral flow test two days after they arrive, even if they are fully vaccinated. Those who are not fully vaccinated still have to take a PCR test on day 2 and day 8 after their arrival.
This replaces the old system where all travellers had to take an expensive PCR test.
Test results have to be checked by the provider. Most ask users to upload a photograph of their result or to send it by email. Randox requires users to download its App, called Certifly, in order to be able to use the service.
Scam risk for Randox App users
CertiFly has very poor reviews of just 1.5 stars on the App store but the fact that it’s available there suggests that Apple are happy that it doesn’t pose a security risk.
The issue for Android users is not the App itself but that they are forced to switch off their phone’s security in order to install it. This poses risks.
‘A lot of mobile malware is delivered this way,’ says Which? expert Andrew Laughlin. ‘They often target big apps that are not available on Play’.
He thinks that there is even a risk of fraudsters setting up fake ‘download Randox’s testing App’ links on the internet to trick customers into downloading their own illegal App instead.
‘Their phone could get infected with malware, they could end up getting phished or their data targeted,’ he says.
This is exactly what happened to some users when the video game Fortnite was released but before it was available for Android. ‘There were loads of dodgy links encouraging people to download the ‘official’ Fornite app that was actually full of malware,’ says Andrew. ‘You could easily see someone hijacking Randox’s search and saying ‘download Randox testing app’ and then actually get users to download their own dodgy criminal app.’
Much of our most sensitive and personal information is now carried on our phones, with apps for everything from banking to dating and health. It’s vital to make sure that security is as tight as it can be.
Is sideloading a route for criminals?
Apple executive Craig Federighi recently told the Web 2021 conference that: ‘Sideloading is a cybercriminal’s best friend.’
This may be in large part because Apple is campaigning against being forced by EU law to allow Apps to be installed on iPhones from sources other than the App store. However, many experts agree that sideloading can pose a threat to your phone’s security.
Covid testing data risk
This isn’t the first time that Which? has had data security concerns with Covid testing providers. Earlier this year one of the major Covid testing laboratories suffered a data leak after failing to password-protect customers’ data.
The leak highlighted the risks involved in giving the testing firms the information that they’re required by the UK Health Security Agency (UKHSA) to hold on their customers.
Firms also hold customers’ genetic data provided through samples taken, and there were concerns raised recently about one firm planning to sell customers’ swabs for medical research.
What to do next if you’re affected
While downloading an App doesn’t have to pose a risk in itself we advise Randox customers with an Android phone not to use the App until it’s added to the Play Store.
If you have downloaded the App then make sure to switch off the permission to ‘download from unknown sources.’ Once you’ve switched it on that then becomes your default security setting.
‘Google Play has indicated that adjusted work schedules are causing longer than usual review times for app submissions.
Randox can confirm the CertiFly app has been submitted to Google and is awaiting review.
Following app download, which involves allowing temporary access from an unknown source, our website directions recommend that the security setting be re-established. Customers are directed to download the app from the Randox website as a trusted source. We do not publish or advertise any external download links and closely monitor app stores to ensure any fake apps are immediately reported and removed.’