On May 25, the US Department of Defense (DoD) issued a public advisory to its personnel, warning against the use of the CAC Scan Android app, available at that time on the Google Play Store.

CAC stands for Common Access Card and describes the standard ID card for all DoD military and civilian personnel, selected reserves, and some contractors.

The CAC Scan app, as advertised on its Google Play Store description, is a simple app that scans the barcode found on these cards and outputs the encoded information on the phone's screen.

This includes the cardholder's first and last name, rank, EDIPI ID, and Social Security number.

The app works and contains no malicious code, but...

The DoD says the app works as advertised and that it was created by a US citizen with ties to the US Army. The DoD also warns:

“When you scan your (or someone else’s) CAC, where else does the data go; i.e., who else gets a copy of the results? Why would you need this app? You already know your personal info on your CAC… whose info are you trying to obtain and why?”

Exposure to collusion attacks

When users want to scan a CAC code, CAC Scan loads a third-party app that's installed as a separate application on the smartphone. The application, called Barcode Scanner, is very popular and has been vetted by multiple security firms as clean.

Lookout identified that Barcode Scanner keeps a history of all the barcodes it scans. A potential attacker who queries for the list of installed apps and finds CAC Scan would automatically know they can search through Barcode Scanner's history to uncover data from CAC cards. This is a classic app collusion attack scenario.
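The collusion pair described above can be flagged from a device's installed-package list, the same list an attacker would query. The following audit script is an added example, not code from the article or from either app's developer; the package names are placeholders, since the article does not give the real ones, and the `pm list packages` output is constructed.

```python
"""Audit a device's installed-package list for app-collusion pairs.

Added example, not from the article or from either app's developer. The
package names below are placeholders chosen for illustration; the article
does not give the real package names of CAC Scan or Barcode Scanner.
"""
from typing import Dict, List, Set

# A "front" app that hands sensitive data to a "helper" app which keeps a
# history of everything it processes. Placeholder package names.
COLLUSION_PAIRS: Dict[str, str] = {
    "example.cacscan": "example.barcodescanner",
}


def parse_pm_list(output: str) -> Set[str]:
    """Parse the text printed by `adb shell pm list packages` into a set of
    package names. Each line looks like `package:com.example.app`."""
    pkgs = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def find_collusion_risks(installed: Set[str]) -> List[str]:
    """Return one finding for every known pair where both the front app and
    its history-keeping helper are present on the device."""
    findings = []
    for front, helper in COLLUSION_PAIRS.items():
        if front in installed and helper in installed:
            findings.append(
                f"{front} delegates scanning to {helper}, whose scan history "
                f"retains the decoded card data; review or clear that history."
            )
    return findings


# Constructed sample output in the format `adb shell pm list packages` uses.
SAMPLE_PM_OUTPUT = """\
package:com.android.settings
package:example.cacscan
package:example.barcodescanner
package:com.android.chrome
"""

if __name__ == "__main__":
    for finding in find_collusion_risks(parse_pm_list(SAMPLE_PM_OUTPUT)):
        print(finding)
```

On a real device, feed the script the output of `adb shell pm list packages` and replace the placeholder names with the actual package names of the two apps.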

While the DoD was only warning against the app because of potential privacy issues, Lookout has managed to identify attack scenarios through which the app could lead to a compromise of US military personnel data.

The app is not available on the Google Play store anymore, but it's unknown if it was Google or the developer that took it down.