“Ideally, apps shouldn’t let users add credentials that don’t pass a validation check performed on the app’s backend servers,” said Ryan Kennedy, application security consultant at nVisium. Kennedy said that, in the context of the Excelsior Pass app, the Excelsior Pass scanner should function as a “source of truth,” as end users may not always use the most up-to-date versions of an app.

“As a New York City resident, and a frequent user of the app, I’m glad to hear that security concerns are being addressed and that it’s becoming increasingly difficult for bad actors to forge their vaccine status,” Kennedy said.
