Experts warn forgeries make vaccine check-in app ‘almost meaningless’

Software developers say South Australia’s new app-based proof of vaccination system is vulnerable to easily faked alternatives.

Nov 26, 2021, updated Nov 30, 2021
Image: Melissa Ramsey/InDaily
The VaxCheck system, which the state government launched on Tuesday, integrates a COVID vaccine certificate into the mySAGov app already used for check-ins.

SA is the second-last state or territory in Australia to introduce such a solution, with anti-vaccine activists having already discovered multiple ways to work around federal and interstate equivalents.

Proof of vaccination is currently required in South Australia for SA Police officers and staff, in healthcare settings, schools, preschools, early childhood facilities and aged care facilities, and for taxi drivers working at airports. It will be required for all Adelaide City Council staff, volunteers and contractors by December 10, with authorities flagging that more mandates are to be announced.

Proof of vaccination is also now a requirement to enter Adelaide Oval, the Convention and Entertainment centres, Adelaide and Monarto zoos, Memorial Drive international tennis and various smaller businesses and venues around the state, including some wineries and medical clinics.

The decision on whether to require vaccination in other settings is currently up to business owners, but some industries are calling for the mandate to be extended.

Melbourne-based software developer Richard Nelson, who proved vaccine certificates in the federal government’s Express Plus Medicare app can be forged within minutes, told InDaily the SA solution is better than that, but is still easily worked around.

“The SA app doesn’t share the same vulnerabilities that the Medicare Express app has, which is a really, really low bar,” he said.

Nelson warned that the various state government apps can be “manipulated to display anything”.

Unvaccinated Australians have shared techniques about how to create digital vaccine certificate replicas, with Instagram even running ads promoting fake certificates.

Adelaide Airport check-in. Photo: Tony Lewis/InDaily

A state government spokesperson said South Australia’s digital vaccine certificate system is “consistent with Federal Government security requirements”, and requires users “to enter a PIN number or biometric validation (in the form of fingerprint or facial recognition).”

When a user has linked their vaccination certificate to the mySA Gov app and checks in at a location with mandated vaccination requirements, the check-in screen will confirm that they have a valid certificate.

Most venues are not mandated to require vaccination but can choose to require it for entry anyway, in which case users can bring up visual confirmation of their vaccination status in the app.

For these situations the digital certificate includes a barcode that can be scanned with the mySA Gov app on another device to validate the certificate, in a process separate from the QR code check-in system.

Software developer Leigh Brenecki, who chaired PyConline AU 2020, told InDaily the barcode helps secure the system, but needs to be easy to use and understand.

“I have a SA digital driver’s license which uses the exact same technology, and nobody’s ever scanned that either,” she said. “So they’ve got everything set up for success from a technical perspective, but they really need to make sure that businesses know that they need to scan the code, and know how to do it, and understand that when it comes to identifying forgeries just looking for a green tick isn’t enough.”

Nelson is on the same page, noting that few people typically scan to verify the vaccination proof in interstate apps.

“Nobody actually scans these — so in practice no verification is actually done … unless it’s all designed for people to actually scan verifiable QR/bar codes, it’s not secure,” Nelson said.

Other developers have managed to build their own version of state check-in apps from the ground up, complete with recreations of the hologram animations that are supposed to guarantee authenticity.

Nelson added, however, that even a perfectly secure app won’t prevent vaccine forgeries, given that South Australia also accepts the federal government’s easily forged PDF versions of vaccine certification.

“The real problem is that the lowest common denominator is acceptable,” he said.

“A forged PDF can be used to enter a venue — so a completely verifiable system that SA does is almost meaningless.”

Software developer Jim Mussared, who was able to fake the vaccination status in the Service Victoria app in less than 10 minutes, told InDaily the state-level problems were ultimately caused by mistakes made at the federal level.

“This isn’t the state’s fault — this whole thing should have been avoided if Medicare (Services Australia) had issued digital signatures with all forms of vaccine certification,” Mussared said.

“The PDF should have had a QR code too, as should the one in the Medicare Express app, and the one that can be added to the Google Wallet / Apple Pay. The state apps could then have just loaded these signed certificates directly.”
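The point Mussared makes, and the one Brenecki and Nelson raise about venues needing to scan rather than trust a green tick, comes down to one mechanism: the issuer signs the certificate data, and the venue’s scanner checks that signature against the issuer’s public key. The following is an added illustration of that mechanism, not code from the article or from any of the apps or agencies it discusses. The Ed25519 key type, the certificate field names, the `payload.signature` token layout and the sample holder data are all assumptions made for this example rather than the real scheme used by any of these systems.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Certificate is the data an issuer signs. Field names are constructed
// for this example and do not reflect any real certificate format.
type Certificate struct {
	Name        string `json:"name"`
	DateOfBirth string `json:"dob"`
	Doses       int    `json:"doses"`
	ValidUntil  string `json:"valid_until"`
}

// Issuer plays the role of the certificate authority (hypothetically the
// federal health agency). Only it holds the private signing key.
type Issuer struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewIssuer() (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{priv: priv, pub: pub}, nil
}

// PublicKey is what gets distributed to every state app and venue scanner.
func (i *Issuer) PublicKey() ed25519.PublicKey { return i.pub }

// Issue encodes the certificate as a barcode-style token:
// base64url(JSON payload) "." base64url(Ed25519 signature over that payload).
func (i *Issuer) Issue(c Certificate) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(i.priv, payload)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sig), nil
}

// Verify is what a venue's scanner runs. It trusts the issuer's public key
// and nothing shown on the presenting device's screen.
func Verify(pub ed25519.PublicKey, token string) (Certificate, error) {
	var c Certificate
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return c, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	// ed25519.Verify returns false for a wrong-length or mismatching signature.
	if !ed25519.Verify(pub, payload, sig) {
		return c, errors.New("signature invalid: not issued under the trusted key")
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	return c, nil
}

// ReplacePayload models a display that has been edited: the payload changes
// but the original signature is kept, because the editor lacks the private key.
func ReplacePayload(token string, edited Certificate) string {
	parts := strings.Split(token, ".")
	payload, _ := json.Marshal(edited)
	return base64.RawURLEncoding.EncodeToString(payload) + "." + parts[1]
}

func main() {
	iss, err := NewIssuer()
	if err != nil {
		panic(err)
	}
	// Constructed sample holder data.
	genuine := Certificate{Name: "Example Holder", DateOfBirth: "1990-01-01", Doses: 2, ValidUntil: "2022-06-30"}
	tok, _ := iss.Issue(genuine)
	_, err = Verify(iss.PublicKey(), tok)
	fmt.Println("genuine token verifies:", err == nil)

	edited := ReplacePayload(tok, Certificate{Name: "Example Holder", DateOfBirth: "1990-01-01", Doses: 2, ValidUntil: "2099-12-31"})
	_, err = Verify(iss.PublicKey(), edited)
	fmt.Println("edited payload rejected:", err != nil)
}
```

The scanner step is the whole point: a screen can be made to render a green tick whatever the underlying data, but without the issuer’s private key no one can produce a signature that `Verify` accepts, so the protection exists only at venues that actually scan the code.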

Copyright © 2024 InDaily.
All rights reserved.