Qatar Spyware

Everyone visiting Qatar for the World Cup needs to install spyware on their phone.

Everyone travelling to Qatar during the football World Cup will be asked to download two apps called Ehteraz and Hayya.

Briefly, Ehteraz is an covid-19 tracking app, while Hayya is an official World Cup app used to keep track of match tickets and to access the free Metro in Qatar.

In particular, the covid-19 app Ehteraz asks for access to several rights on your mobile., like access to read, delete or change all content on the phone, as well as access to connect to WiFi and Bluetooth, override other apps and prevent the phone from switching off to sleep mode.

The Ehteraz app, which everyone over 18 coming to Qatar must download, also gets a number of other accesses such as an overview of your exact location, the ability to make direct calls via your phone and the ability to disable your screen lock.

The Hayya app does not ask for as much, but also has a number of critical aspects. Among other things, the app asks for access to share your personal information with almost no restrictions. In addition, the Hayya app provides access to determine the phone’s exact location, prevent the device from going into sleep mode, and view the phone’s network connections.

Despite what the article says, I don’t know how mandatory this actually is. I know people who visited Saudi Arabia when that country had a similarly sketchy app requirement. Some of them just didn’t bother downloading the apps, and were never asked about it at the border.

Tags: cell phones, Qatar, sports, spyware

Posted on October 18, 2022 at 6:57 AM • 34 Comments

Comments

Winter • October 18, 2022 7:19 AM

Despite what the article says, I don’t know how mandatory this actually is.

I assume any enforcement will be far below the radar, if there is any. The World Cup has had enough bad press as it is. I cannot envision how the Qatari would like to have even more bad press.

Anyhow, traveling with two smartphones should cover the case for anyone who does not like it.

Q • October 18, 2022 7:41 AM

I love the assumption that everyone has their phone with them 24/7. Or that everyone even has a mobile phone.

I have a basic 2G phone. Works fine for me. But I don’t take it anywhere, it stays at my place 24/7. Even if it was one of those fancy “smart” phones, it would still stay at my place 24/7, with stickers over the camera lenses, the microphone removed, and use an external plug in microphone when I need to use it as an actual phone and talk to anyone.

Tim • October 18, 2022 8:37 AM

I love the assumption that everyone has their phone with them 24/7. Or that everyone even has a mobile phone.

The assumption is a valid one. For those under the age of 90 – smartphones are a fact of life and are with us most of the time.

(even my 85 year old father has an iphone to communicate with his grandchildren)

sitaram • October 18, 2022 8:58 AM

even for something as innocuous as internal apps that my employer forced all employees to install during “work from home” (and to some extent even now), I just put it all on a second phone

I wonder what the qataris would say to that solution. Would they insist you download it on both phones?

Winter • October 18, 2022 9:02 AM

Works fine for me. But I don’t take it anywhere, it stays at my place 24/7.

But you are not visiting Qatar.

A tourist without a smartphone tends to be utterly lost. Such a tourist will also be isolated without means of communication (try finding a public phone booth nowadays). And I might add that not everybody speaks English. Google translate et al. helps a lot in such cases.

I have not seen a tourist without a mobile phone for a decade or so.

Peter A. • October 18, 2022 10:03 AM

Winter: I agree most people can’t get out of their door without a smartphone today – that’s the majority Qatar tries to target. Very few people, like me, carry a dumbphone, mostly for my family to be able to call me. I rarely have a need to use it throughout my day.

But then, I am not going to travel to Qatar… All my international travel was to countries where the local language was at least somewhat known to me already (or I made effort to learn some basics), and there was a good chance of meeting someone speaking an internationally or regionally popular language I know. Come on, just a decade or two ago millions of people travelled internationally without smartphones, communicated with locals somehow, payed for their stay and food, did whatever sightseeing they wanted, and returned back safely.

Leonid • October 18, 2022 10:16 AM

And what if I have a LineageOS phone, without Google Play Store (or any other app store for that matter)? I doubt they provide .apk’s…

Also, @Peter, in most of USA, anything lower than 4G is not going to work. Yes, there are some 4G dumb phones, but their cost is comparable to an entry-level smartphone.

Finally, at least in Android, it is easy to take away “special” permissions, like “modify system settings” or “display over other apps”. I doubt there is a system dialog that an app can display to ask for it. Once you show officials that the required app is started (with min permissions), you can take away all perms.

Clive Robinson • October 18, 2022 10:18 AM

@ Bruce, ALL,

Re : Only when it binds you.

With regards,

“I don’t know how mandatory this actually is.”

The world appears to be full of victimless crimes, where people think they can safely not do so, but are actually committing a crime.

So you don’t download the apps, nothing apparently happens, you go home…

But for some an odficial for what ever reason will give the modern equivalent of,

“Papers Please!!”

And that is when your very personal world of hurt starts. Because you are proved to be a criminal or at very least someone who can be extorted in some way or another.

It’s usually the smallest of things people trip on, and when they fall, how far and how painfully is out of their hands. Because it is then in the hands of the “authoraties” who have agendas of their own, that the individual has no idea of. Or as to what is going to happen to them or why…

My advice, as always is when crossing boarders do not have anything on you that you should not, and if forced to have a phone or other before departing buy the cheapest lowest speck device you can. With luck it won’t be able to load or run the apps and/or will have an easily removable battery. Don’t call anyone on the phone like friends, family, coworkers, but do pre-load the phone with consulate numbers and similar and a firm of lawyers or similar who know where you are going and has a list of contact numbers etc. Carry only your home countries documentation such as passport and drivers licence, don’t carry other stuff other than the minimum of financial and health protection information.

At the end of the day, what you don’t have with you can not be taken away from you. Likewise information you don’t use such as who you call can not be used against you.

When you leave the country at the first change / stop over, just take the SIM out, factory reset the device and leave it on the floor by the bar or under the restaurant table. As for the SIM break it and bin it somewhere else. When you get back home report the phone lost/stolen from baggage or some such. As long as you don’t try to claim on insurance then you are not committing a crime.

But in all honesty, why on earth would you want to go watch sport in Qatar? I’ve been there before at that time of year, and well lets just,say “average temprature” is not very helpfull. 50C or 122F is not my idea of a fun temprature to be in, ubless you’ve spent a month or two aclimatising…

Winter • October 18, 2022 10:25 AM

@Peter A.

Come on, just a decade or two ago millions of people travelled internationally without smartphones, communicated with locals somehow, payed for their stay and food, did whatever sightseeing they wanted, and returned back safely.

But then, there were public phone boots then, ticket offices for public transport, cash. In Sweden, public transport, especially long distance, is difficult without buying online tickets, and cash is not accepted in most shops. In many places, you only can get a taxi online.

It is easy to travel without a smartphone, but it is also easy to get up the creek without a paddle. And a dumbphone without a local SIM card is awfully expensive. While WiFi is ubiquitous.

Try to find a backpacker without a smartphone/tablet. That should tell you a lot.

Roxie • October 18, 2022 11:04 AM

Despite what the article says, I don’t know how mandatory this actually is.

The article and Bruce’s summary are quite unclear and almost contradictory. “Having to download” or “have” an app is not the same as being “asked to” do so, or having or being asked to “install” it. Having to install it is not the same as having to run it or keep it installed. And couldn’t one deny the extra permissions it asks for?

It should go without saying that one should not bring one’s primary phone with all its data across an international border. That’s not really fair to those without the extra cash to buy a travel-phone; wiping, crossing the border, and restoring may be a viable option, but not for a totalitarian government whose border agents might make someone provide passwords on-the-spot (USA border agents, by contrast, are not authorized to access online accounts when checking phones).

fib • October 18, 2022 11:25 AM

@ Tim

For those under the age of 90 – smartphones are a fact of life and are with us most of the time.

Death is a fact of life, my dear friend. Smartphones not much so.

Remember Smartphones were created by a marketing man [S. Jobs]. I can safely blame their use to many [maybe most] of the main societal problems we face in these troubled times [key phrases: attention economy, surveillance capitalism].

Grandma does not need a smartphone to talk to the kids. A laptop is far better suited for the job [big screen, big keyboard, big letters…]. The smartphone frenzy could be better explained by psychology rather than economics.

I’m still quite young [sort of], and I have absolutely not need for such a thing [to be frank they are nothing but toys to me]. For the sake of an occasional experiment [like @ Q] I keep these gizmos [I got more than one] in my office, under severe security constraints.

Winter • October 18, 2022 11:56 AM

@fib

I’m still quite young [sort of], and I have absolutely not need for such a thing [to be frank they are nothing but toys to me]

Smartphones are popular because they expand your reach enormously. I know how life was before smartphones, the internet, and electronic watches. The world was a lot “smaller”. Backpacking in Africa, SE Asia or S America was next to impossible.

Grandma does not need a smartphone to talk to the kids.

I get the impression you have not yet come between a grandparent and their grandchildren. Do not try it.

Also, if you are young and want a social life, a smartphone is simply required.

lurker • October 18, 2022 11:56 AM

@Bruce

Despite what the article says, I don’t know how mandatory this actually is.

From the article:

… Hayya is an official World Cup app used to keep track of match tickets and to access the free Metro in Qatar.

From under my tinfoil hat I read this as: the app is a 2FA token for your footy ticket; and it’s your entry token for the “free” metro. No app, no entry, to both.

A NFC smartcard could do the same without all the tinkering with your phone data, but cards cost money to make, can be forged, resold, … whereas for most folks their phone has become part of their body.

Quantry • October 18, 2022 12:39 PM

Why not load the app compliantly, but power off yer device and store it in a rf shielded bag? Seems like no-brainer defense for a multi-hundreds-of-dollars device, when not specifically in-use, home OR abroad.

“A [good] faraday bag completely prevents hacking, tracking, spying; no apps or malicious code can be remotely triggered or wiped, no communication can penetrate, and no one can access the microphone, camera, or GPS location; and the shielding also augments defenses against data theft, EMPs, and EMF radiation, and enhances digital privacy.”

Assuming yur using one for all devices, passive or active, (cards, fobs, blah blah…).

Again,

Hezekiah:”There isn’t anything in my treasuries that I didn’t show the king of Babylon.”
Isaiah: “[Then] your children will be castrated slaves in his palace.” (Isaiah 39:6-7)

Ted • October 18, 2022 2:15 PM

FIFA doesn’t want to comment on the apps’ security holes.

FIFA blink twice if you need help.

An ex-CIA officer turned private contractor allegedly helped Qatar do some “things” to help secure the FIFA World Cup.

In a response to allegations, his representatives responded:

“For the record, however, GRA [Global Risk Advisors] never had the projects described by the AP: “Pickaxe”, “Falconeye”, “Merciless,” “Deviant,” “Clockwork,” or “Viper.””

https://apnews.com/article/soccer-sports-business-united-states-middle-east-754753c3f425650eedfef6c264bf669c

Oookay.

Anywho. Go Al Annabi!

https://twitter.com/qfa_en/status/1574685330623680513

TimH • October 18, 2022 2:43 PM

It’s not just Qatar.
https://www.49ers.com/tickets/mobile

Levi’s® Stadium Mobile Ticketing Instructions
Entry into Levi’s® Stadium is mobile-only. Sign in to your 49ers account to access your tickets and parking passes.

Data Used to Track You
The following data may be used to track you across apps and websites owned by other companies:
Location
Precise Location
Coarse Location
Identifiers
User ID
Device ID
Usage Data
Product Interaction
Advertising Data
Other Data
Other Data Types

Data Linked to You
The following data, which may be collected and linked to your identity, may be used for the following purposes:
Third-Party Advertising
Location
Precise Location
Coarse Location
Identifiers
User ID
Device ID
Usage Data
Product Interaction
Advertising Data
Other Data
Other Data Types

Developer’s Advertising or Marketing
Location
Precise Location
Coarse Location
Contact Info
Physical Address
Email Address
Name
Phone Number
Other User Contact Info
Identifiers
User ID
Device ID
Usage Data
Product Interaction
Advertising Data
Other Data
Other Data Types

Wannabe techguy • October 18, 2022 3:55 PM

@Q
Are you in the U.S.? If so,how are you using a 2G phone? I was forced several yrs ago to 3G & recently to 4G because the 3G networks were being shut down.
I use it as my only phone & think it’s good to have when I’m driving around.
I’ve not yet seen a need for a mini computer that makes calls.

Anonymous • October 18, 2022 9:25 PM

it would still stay at my place 24/7, with stickers over the camera lenses, the microphone removed, and use an external plug in microphone when I need to use it as an actual phone and talk to anyone.

You forgot to put a sticker over the fingerprint reader and remove the gyroscope, Wi-Vi MIMO antennae, speakers and compass. 😁

Phillip • October 19, 2022 3:08 AM

It goes for 29 days, plus arrival and departure. This is one way of looking at it. Does any team protest?

Anonymous • October 19, 2022 6:04 AM

Ehteraz has been in use since COVID, and they have someone at the airport at customs that wants to see the app on your phone before you go by, as well as a security guard at most malls/hypermarkets that make you show the app before you are allowed to enter, so it is nominally being enforced already.

a • October 19, 2022 2:47 PM

Lots of surveillance apologists out there. This is nothing compared to what can be seen on the horizon.

b • October 20, 2022 11:28 PM

@Quantry
Why not load the app compliantly, but power off yer device and store it in a rf shielded bag? Seems like no-brainer defense for a multi-hundreds-of-dollars device, when not specifically in-use, home OR abroad.

If you have to use the phone as a metropass or for other features, the app may download someth to your device when you take it out of the bag. Ok, maybe it wont. But it can be difficult to be certain.

Barry Freed • October 21, 2022 7:33 AM

I’ve lived in Qatar for the past 7 year. You can’t get into any mall, bar, restaurant, hospital, etc, without showing your Ehteraz status on your mobile. It’s simply impossible to live here without it. The permissions it asks for are minimal (on the iPhone at least) and you don’t have to always have it on, just when you enter some establishment. See here for screenshots of both apps from my mobile: https://twitter.com/BarryFreedNYC/status/1583420428424720386

@Clive It gets nowhere near that hot in November and December. The weather then is around the 80s and 70s (F) in the day and night in November and 70s in the day and 60s (F)at night in December. It’s much hotter in the summer but even 50C/122F would be extreme. It’s usually around 105-115F which is bad enough.

Iro Bagar • October 21, 2022 7:59 AM

Seems irresponsible to malign the intentions behind a COVID-19 tracking app. C19 is so dangerous; so absolutely fundamentally threatening to our existence as a species. Why would ANYONE put privacy and other facetious”rights” ahead of the need to protect us against COVID.

evilkiru • October 21, 2022 11:17 AM

@Iro Bagar: Because there are plenty of people in this world who view either profits or the illusion of control above all else.

anonymous • October 21, 2022 12:11 PM

“I don’t know how mandatory this actually is” –> These are mandatory. The Hayya app is your digital visa to enter Qatar during the World Cup period. It is also, practically speaking, your best source of info for all related logistics while visiting Doha for the event. (Your game tickets are stored in yet another app, for what that’s worth; all tickets are digital except for some very high end ‘hospitality’ tickets that come with lots of extras.) As someone @Barry Freed noted here, Ehteraz is required to enter buildings (and the metro — and presumably the stadiums as well). Will this requirement be relaxed during the upcoming six weeks? Who knows? I expect where Ehteraz requirements may cause unsafe crowding conditions (as e.g. occurred at the Champions League final in Paris in the spring, although those had nothing to do with an app, just negligent incompetence on the part of the police and authorities there), they may be relaxed in certain circumstances. (They have removed most masking requirements.)

Clive Robinson • October 22, 2022 7:02 PM

@ ALL,

Re : Take only memories.

One question that does not appear to have been adequately asked/aswered is that of,

“What you take home on your phone?”

You are forced to load an App with way to many permissions that then “embeds it’s self” so thoroughly it changes the basic functionality of the phone, stopping you turning it off etc.

This requires it to make low level modifications “to your phone”, normally beyond that of a normall app.

So the question arises of,

“Do all these changes get undone?”

Knowing what I do of the country’s political past, I would suggest, that once the App is installed it can neither be fully removed, or all it’s changes fully undone…

Can anyone atest to what actually you will take home with you?

After all we know the NSA/CIA use the Olympics and similar international sporting events to “bug” foregin nations telecommunications infrastructure and government officials communications devices…

Would anyone seriously suggest that the Qatari Intelligence Community would bot avail themselves of similar opportunities?

fib • October 24, 2022 10:54 AM

@ Winter

I’m sorry for replying so belatedly.

Backpacking in Africa, SE Asia or S America was next to impossible.

Not meant to make a fuzz about smartphones. I have traveled both Brazil [big country] and the Southern Cone[0] by land without cell phones [let alone smart ones]. Always a delight. Never ever needed them. YMMV.

[0]h*tps://en.wikipedia.org/wiki/Southern_Cone

Quantry • October 25, 2022 11:23 AM

@ all , @ b Regarding Faraday bags, it seems like a reasonable extension of that thinking to charge it while it’s still in the sealed bag with a battery [1], (no cords from outside the bag). Charge cords to mains are a low impedence ground for the antenna, as I see it, and what public charging ports are to be trusted? [1] ‘https://puri.sm/products/power-banks/

@ b, thanks, re #comment-411376:

the app may download someth to your device when you take it out of the [Faraday] bag

True that: Assume so.

The hope is tho, out of a 1440 minit day, the “absolutely necessary” device can be in the bag for most of it. And hopefully then you’ve neutered some abuses of your cameras, mics, GPS, Accelerometer, Light Sensor, NFC, WiFi, Bluetooth [/BLE], cellular triangulation, and reduced time available for back-haul… no speeding tickets to pay…

Clive Robinson • October 25, 2022 12:01 PM

@ Quantry, ALL,

Re : Crimes are made to prosecute.

You say,

“the “absolutely necessary” device can be in the bag for most of it. And hopefully… …no speeding tickets to pay”

You’ve committed a crime in many jurisdictions…

It would be argued that with forethought you destroyed evidence that would otherwise have been created. Therefore you had intent to commit not just a crime, but to cover it up.

It’s why using “faraday bags” is in effect a bad idea as it shows some kind of “difference” that can be “dressed up to be premeditation” or some form of “conspiracy”.

As some phones tell the network opperator they are “on charge” my advice has for some time consistantly been “put your phone on charge in a locked draw, at the same time every day”, “turn it off every time you go on the subway” etc…

That is “prudent behaviour” and easily explained as such with no “cloak and dagger” style “paranoia” for a prosecutor to try to build into circumstantial evidence.

I used to advise “buy a pager” because they do not give your location away. However most places “the bug in your pocket” mobile phone has killed pagers off… More is the pitty.

There are other ways to replace pagers, but they are somewhat specialized and require licences.

In the US you can turn GMRS and “family radio” into “local area pagers” using the likes of APRS through repeaters but that is “naughty behaviour” as far as many people are concerned.

Fun fact APRS does work through the International Space Station and certain satellites including old US Navy ones for “wider coverage” but it realy won’t work to your pocket.

Quantry • October 26, 2022 11:08 AM

@ Clive, thanks re:

with forethought you destroyed evidence

Actually, with forethought, I was reminding folk their GPS, and Accelerate I suppose, even wifi, can easily produce a realitime map of lawbreakers: AKA, if you insist on carrying a phone unbagged, OBEY the local laws.

Honestly, when wise deployment of legal, affordable self-protections can be construed as lawbreaking, we are in a sorry state. Door locks come to mind, and curtains on yur windows.

Thanks for your service and clarity.

Clive Robinson • October 26, 2022 7:14 PM

@ Quantry,

My statment was about the abstract you rather than you personally.

My intent was to show just how any action that is not the “plainest of vanilla” a cop or prosecutor will try to twist as unreasobable behaviour in the eyes of a jury.

As has been noticed by those reading and commenting on this blog before the FBI and similar always tack on something like “conspiracy to …” onto a list of charges.

Two reasons,

1, Conspiracy charges are not provable as false by a defendant so are hard to beat.
2, If they can find you guilty of anything then the chances of you suing for costs or damages are about as close to zero as they are going to get.

In the US, UK, British Commonwealth, and most other places based on the old English legal system, it is near impossible not to be committing a crime even being asleep in bed can be twisted in some way…

Admitedly I’ve yet to hear of someone actually being charged with committing some kind of crime whilst being on a hospital operating table but let’s just say,

1, I’m sure it’s already been contemplated by some over zealous cop/prosecutor.
2, A cop/prosecutor will work out some way to claim it in the not to distant future.

And before anyone says “that’s not possible” I can already think of a way it could be done in outline…

Eddie • November 15, 2022 11:50 AM

@Tim

The assumption is a valid one. For those under the age of 90 – smartphones are a fact of life and are with us most of the time.

I’m less than half that age and still stubbornly don’t have a smartphone, for several reasons.

I’ve traveled in Africa and southeast Asia and have never said, “Oh darn, I wish I had a smartphone” or even a dumb phone.

I have a small 11-inch laptop that I bring when traveling so I can access email, look up an address, or whatever. I don’t carry it everywhere I go, 24/7. This works just fine for me.

Anselm • November 16, 2022 8:22 PM

I have a smartphone. It runs Sailfish OS, which is great. There’s a runtime environment for Android apps but it doesn’t have access to the Google Play Store.

I guess I don’t get to go to Qatar (not that I wanted to, anyway).

Qatar Spyware

Comments

Leave a comment Cancel reply