South Australian government denies app requires inappropriate permissions

The South Australian government has explained why certain permissions are required to use the mySA GOV app, following criticism from the public.

(Screenshot: Chris Duckett/ZDNet)

The South Australian government has denied that the permissions its mySA GOV app requires for state residents to take advantage of the newly introduced digital driver's licence regime are intended to inappropriately access private information.

Digital licences became available this month in the mySA GOV smartphone app, developed by Appviation and launched in May. However, questions were raised as to why the digital licence feature -- which provides "ready access to licence information and proof of age identification for front line police officers" -- requires access to "camera", "contacts", "storage", and "telephone".

The SA government told ZDNet that the app "does not have access to your personal contacts at all".

"The specific permission the app requests is the 'find accounts on the device' permission, which is found in the 'contacts' group. This is used to connect to the mySA GOV account," the state government said.

Access to the phone's camera is so that the app can "validate other digital passes and licences".

Meanwhile, access to telephone is to enable users to make calls directly to, for example, Service SA about their licences and registrations, the government said. Clicking on phone numbers within the app to make calls requires access to the telephone.

The state government had previously claimed that "extensive" security testing had been conducted to ensure personal data is not accessible to outside parties.

A user's data is only accessible if that user has a valid access token, which is generated upon logging into their verified mySA GOV account, the government said.

Last month, the state government stated that the app generates a one-time barcode, which refreshes every 30 seconds, to prevent counterfeit licences from being used. Anyone, including pubs and clubs, can scan the licences to ensure they are genuine.
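A sketch of how a barcode that refreshes every 30 seconds can make a screenshot useless, added here as an example: it is not the mySA GOV app's code, and the article does not say how the app derives or checks its barcode. The HMAC-over-time-window construction, the function names, the licence ID and the secret are all assumptions, and the check is modelled as running on a back end that holds the per-licence secret.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # refresh interval stated in the article

# Constructed sample data: licence ID and secret are made up for this example.
DEMO_SECRETS = {"SA-TEST-0001": b"constructed-demo-secret"}


def _tag(secret: bytes, licence_id: str, counter: int) -> str:
    # Bind the tag to both the time window and the licence it was issued for.
    msg = struct.pack(">Q", counter) + licence_id.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def barcode_payload(secret: bytes, licence_id: str, now: float) -> str:
    """Holder side: string to encode in the barcode for the current window."""
    counter = int(now // STEP_SECONDS)
    return f"{licence_id}:{counter}:{_tag(secret, licence_id, counter)}"


def verify_payload(secret_for, payload: str, now: float, skew_steps: int = 1) -> bool:
    """Back-end side: accept only a well-formed, current, authentic payload."""
    try:
        licence_id, counter_s, tag = payload.split(":")
        counter = int(counter_s)
    except ValueError:
        return False  # malformed barcode content
    secret = secret_for(licence_id)
    if secret is None:
        return False  # unknown licence
    # Stale (screenshot) or future-dated windows are rejected before any MAC work.
    if abs(counter - int(now // STEP_SECONDS)) > skew_steps:
        return False
    expected = _tag(secret, licence_id, counter)
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    return hmac.compare_digest(expected.encode(), tag.encode())


if __name__ == "__main__":
    t0 = 1_700_000_010  # constructed timestamp at the start of a window
    shown = barcode_payload(DEMO_SECRETS["SA-TEST-0001"], "SA-TEST-0001", t0)
    print("scanned live:      ", verify_payload(DEMO_SECRETS.get, shown, t0 + 20))
    print("screenshot 2m old: ", verify_payload(DEMO_SECRETS.get, shown, t0 + 120))
```

The `skew_steps` allowance trades clock-drift tolerance against replay window: with a value of 1, a captured barcode stays acceptable for up to roughly a minute rather than 30 seconds.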

The app also has a "shake to animate" feature to show the licence is not a photo or a screenshot.

The SA government additionally told ZDNet that no personal data is stored in the back end of the app, and that all data is encrypted at rest and in transit.

"It is all kept in the serving agency's systems and is only sent through [via the state government's API] on demand when someone uses their app. Other parties only receive that user's data when they let other people scan their passes," the SA government said.

"Note, the user's phone does cache a copy of their own passes/licences, which are pin/fingerprint protected and locally encrypted on the device."

It also claims that regular penetration testing is conducted.

In addition to internal security processes, two independent third parties conducted two security audits of the mySA GOV app prior to its launch, the SA government has said.

The public was first involved with testing the app in the proof-of-concept phase, providing "invaluable" feedback, it said. This was followed by two sets of focus groups.

"A staged release (the proof of age card and boat licences were first made available to the public) meant that more feedback was gathered which allowed the team to tweak the app before the launch of the driver's licence," it added.

Digital licences are available to all South Australians with a learner's permit, provisional licence, and full or heavy vehicle licence, though the government still encourages users to retain their physical licences in the mid-term.

They are also available for motor vehicle instructors and driver accreditation for taxi, bus, and chauffeur drivers.

The government said in September that digital occupational licences for builders, plumbers, gas fitters, electricians, and security and investigation agents are scheduled for release later this year.