A Survey on Digital Certificates Approaches for the COVID-19 Pandemic

Digital COVID-19 certificates serve as reliable proof that an individual was vaccinated, tested negative, or recovered from COVID-19, facilitating health, occupational, educational, and travel activities during the pandemic. This paper contributes the first, to our knowledge, state-of-the-art and holistic review of this ecosystem, attempting to answer the following questions: 1) is there harmonization among academia, organizations, and governments in terms of the certificate deployment technology?; 2) what is the proliferation of such schemes worldwide and how similar are they?; 3) are the smartphone applications that accompany such schemes privacy-preserving from an end-user's perspective? To respond to these questions, a four-tier approach is followed: (a) we scrutinize the academic works published so far that suggest some type of digital certificate, highlighting common characteristics and weaknesses; (b) we constructively report on the different initiatives proposed by organizations or alliances; (c) we briefly review 54 country initiatives around the globe; and (d) we analyze both statically and dynamically all official Android smartphone applications offered for such certificates to reveal possible issues affecting the security or privacy of the end-user. From a bird's eye view, the great majority of the proposed or developed schemes follow either the blockchain model or an asymmetric cryptosystem, the spread of schemes especially in Europe and partly in Asia is high, some degree of distinctiveness among the relevant schemes developed by countries does exist, and there are substantial variations regarding the privacy level of the applications between Europe on the one hand and Asia and America on the other.


I. INTRODUCTION
One of the cornerstone challenges introduced by the coronavirus pandemic is the demand for common baselines on approaches to issue, exchange, and validate public health status records. Such records are needed at the very least to effortlessly support the domestic and cross-border mobility of individuals in a privacy-preserving and secure manner. Following the roll-out of vaccination campaigns by governments worldwide, this necessity has become more acute, and so far, several organizations have developed initiatives to subserve this goal. Additionally, a plethora of countries have devised similar solutions to enable the free movement of citizens nationwide and support everyday activities, such as visiting a restaurant or going to the movies. Overall, such solutions are digital, paper-based but typically validated through electronic means, or both, and support at least one kind of certificate: vaccination, diagnostic test, or immunity. In all cases, excluding social, policy, or ethical aspects [1]-[3], which are beyond the scope of this work, such a digital immunization record should be fraud-resistant, easy to issue, use and verify, privacy-preserving, and interoperable.
The associate editor coordinating the review of this manuscript and approving it for publication was Muhammad Imran Tariq.
Focusing on digital certificates, the work at hand offers the first, to our knowledge, exhaustive review of this topic based on three axes of analysis. The contributions of this study are as follows.
• We elaborate on almost two handfuls of pertinent schemes as proposed in the academic literature and juxtapose them based on four distinct criteria: certificate type, technology used, privacy, and scalability.
• We constructively examine all existing initiatives for COVID-19 digital certificates undertaken by organizations and countries worldwide.
• We statically and dynamically analyze the related official applications (apps) on the Android platform to reveal possible security and privacy issues affecting the end-user. That is, static analysis reports on the use of runtime (potentially privacy-invasive) permissions and relevant application programming interface (API) calls per app, while dynamic analysis reports on potentially privacy-invasive runtime actions regarding network traffic, location services, camera, and telephony.
Based on the aforesaid axes, important and timely conclusions in regard to three essential matters can be reached. First, one can discern if and to what degree the academic research on this topic coincides with real-life schemes proposed, and in several cases developed, by various initiatives, alliances, or governments. Second, in relation to the plethora of different digital certificate approaches already deployed by countries worldwide, a comprehensive and comparative view can be formed: are they converging, also vis-à-vis the literature and the schemes proposed by initiatives, or not? Third, given that such COVID-19 certificate schemes often go hand in glove with smartphone apps to enable the storing and verification of certificates on the fly, it is crucial to determine whether such apps respect the privacy of the end-user; as Android is currently the predominant mobile operating system, this leg of the analysis is confined to the Android version of such apps.
All in all, the work at hand can be used as a reference to anyone interested in the development of pandemic certification schemes, including, scholars, policy makers, security professionals, and government parties; it is also anticipated to stimulate research efforts in this timely and high stakes ecosystem.
We argue that, vis-à-vis the state of the art, the current work approaches the matter in a holistic and complete manner. Specifically, the works in [4]-[6] focused solely on the potential of blockchain in the context of the COVID-19 pandemic, while the survey in [7] examined the existing contact tracing apps and the different frameworks available for their development. Moreover, the authors in [8] examined COVID-19 entirely through the Internet of Things (IoT) prism. On the other hand, the work in [9] provided a holistic security and privacy assessment of the official Android contact tracing apps supported by European countries, leaving out apps destined for COVID-19 digital certificates. To our knowledge, the most relevant work to ours is [10]. Its authors surveyed existing approaches for vaccination certificates, but focused merely on blockchain. Moreover, they did not consider initiatives or solutions already put forward by different countries, and they did not assess mobile apps destined for the management of the associated certificates.
The rest of this paper is organized as follows. The next section discusses the relevant academic works on this topic. Section III elaborates on existing initiatives for COVID-19 digital certificates by various institutions and companies, while Section IV provides an overview of the digital certificate schemes developed by countries worldwide. Official Android apps offered by countries to manage digital immunization records are discussed in Section V. The final section concludes the paper.

II. LITERATURE ANALYSIS ON COVID-19 DIGITAL CERTIFICATES
During the COVID-19 pandemic, diverse approaches have been proposed to allow individuals to perform everyday activities, if not return to normality, as known before the pandemic. Typically, this is done through a medical certificate proving that the holder is immune or is not currently infected. Based on the related literature, three basic types of digital health certificates can be identified: (a) vaccination certificates, referring to whether a person has received the vaccine or not [11]- [15]; (b) diagnostic test certificates, demonstrating that a person has undergone a test [14], [16], [17]; and (c) immunity certificates or immunity passports, attesting that a person was infected in the past and has developed antibodies [12]- [14], [17]- [19]. The underlying technologies for preserving the security and privacy of digital health certificates are blockchain and traditional public key cryptography. In practice, the vast majority of proposals rely on blockchain, as will be analyzed in the rest of this section.
As shown in Table 1, some proposals support more than one type of certificate, while most of them are based on blockchain technology. Naturally, since such schemes handle sensitive personal and medical data, all related works provide privacy-protection measures. In Table 1, we empirically evaluated the proposed schemes by assigning the following levels of privacy: high when no sensitive information is stored on a blockchain or centralized system, medium when the health certificate is stored on a private blockchain, and low when the health certificate is kept on a public blockchain. Despite recent efforts, only a few of these studies present technical details or a proof-of-concept implementation, including large-scale evaluation results. For instance, some provide short high-level descriptions of the proposed solution, whereas others report unconvincing benchmarks; the latter are limited to a small number of simultaneous requests, thus being far from real-world deployment scenarios and making the assessment of their scalability difficult.
In [11], the focus is on privacy, with the authors proposing a hashing algorithm that enables users to store information on the blockchain anonymously using an ID that is created from their iris. In this case, the vaccination certificate data and the hash of the user ID are stored in the blockchain. Specifically, the authors' work provides details on the creation of the anonymous ID, while the vaccination certificate is briefly described and can be considered one of the potential use cases of the proposed scheme. In terms of performance, the storage of all the vaccination certificate data on the blockchain could imply a potential performance issue because it would pose very high storage requirements on the blockchain nodes. This is especially true in the case of populous or multiple countries using the same blockchain.
The authors of [12] considered both vaccination and immunity certificates based on verifiable credentials (VC) [20] as digital IDs, the decentralized data storage platform Solid [21], and a consortium Ethereum-based blockchain [22]. A Solid pod is a container that holds a digital representation of a physical ID and the medical certificate, either a vaccination or an immunity one. The owner of these data is the user, who is free to choose where to save the pod data: on their device, in the cloud, or both. After the initial saving, the user can still move the data elsewhere or delete them completely. In terms of privacy, only a hash of the data is registered on the blockchain for verification purposes. This work provides a performance evaluation of the proposed scheme with results for different numbers of concurrent requests, showing a linear increase in delay. However, these results show that scalability could be an issue, considering that for 100 concurrent requests the delay for issuance or verification of a certificate is more than 15 s in the best case.
Another work considering both vaccination and immunity certificates is [13], which is based on Ethereum smart contracts, self-sovereign identity (SSI), and optionally the interplanetary file system (IPFS) to store medical tests and travel history in a decentralized manner. It is possible for the certificate holder to store such information on the blockchain itself. However, a more privacy-oriented approach has also been incorporated in the proposed scheme: the holder can decide to store sensitive information on IPFS in encrypted form and register only its hash on the blockchain for verification purposes. The privacy of certificate holders is further established by the use of SSI instead of centralized identity management (IdM) systems. The authors implemented four smart contracts and tested the correctness of their operation. However, no performance evaluation was carried out.
NovidChain [14] addresses all the different types of certificates by integrating the use of VCs in a blockchain implementation called uPort [23], which provides SSI aspects on top of the Ethereum platform. The certificate holder's personal data and test results are stored encrypted on IPFS, and only the IPFS hash is kept on a private permissioned Ethereum blockchain. In terms of identity protection, SSI is used while end-users are free to decide which information they would like to share with the trusted parties they choose. The authors present implementation details of their proposal; the performance evaluation of NovidChain reveals that the rate of issuing certificates, which is its most expensive operation, has an upper bound of ≈34 certificates/sec.
In [15], a blockchain-based platform for vaccination certificates was proposed, focusing particularly on performance and deployment aspects, such as computing resource usage, network response time, and bandwidth. As highlighted by [24], even if the potential of blockchain to combat the COVID-19 pandemic has been reported by several studies, there is a lack of studies related to latency and scalability aspects, which are key aspects for the deployment of this technology. This work leverages VCs together with decentralized identifiers (DIDs) [25] as credentials, allowing end users to control their identities. Regarding the vaccination information, the certificate is stored encrypted on the IPFS, and only its hash is registered on the blockchain. Furthermore, a permissioned blockchain is used, where only a limited set of entities has access.
The authors of [16] introduced the concept of digital health passports (DHP), which is similar to the diagnostic test results required from travelers in certain cases. It is based on a private blockchain using a proof-of-authority consensus mechanism, where the test results are registered and stored. The entities that have access to the blockchain, including hospitals, laboratories, health authorities, airline companies, and border control authorities, are considered trusted. The proposed scheme provides unlinkability, so that an entity cannot associate past test results with an individual; unexplorability, so that an entity cannot traverse the blockchain to obtain test results; and anonymity, so that test result data cannot be readily linked to an individual. Although a certain level of privacy is offered in this scheme, there is room for improvement; for example, even though the right to be forgotten is explicitly mentioned in the paper, since the DHP is registered on the blockchain there is no way to delete it. Regarding the scalability of the DHP, the paper does not provide any implementation details, and no performance evaluation has been performed.
VOLUME 9, 2021
Furthermore, [17] proposed the use of decentralized credentials (i.e., VCs and DIDs) to link identities of individuals with their certificates, while preserving their privacy. Personal data are stored on the user's device, and information is selectively disclosed to authorized entities with user consent. The proposed system cannot be assessed in terms of scalability, as details regarding the implementation and deployment aspects are not given.
The work in [18] presented SecureABC, a privacy-oriented protocol for immunity certificates, based on public key cryptography. This proposal does not use blockchain or any type of centralized repository, and the certificates can be either paper or app-based. Consequently, if the paper certificate or the mobile device is lost, then the respective certificates are lost as well. This design decision leads to a highly decentralized system where the user maintains the ownership of their data, controlling when and to whom they will present their data as well as if and when to delete them. The authors provide a proof-of-concept implementation of their proposal, which demonstrates the basic operation of the system. Although SecureABC is decentralized, its scalability can be influenced by the method selected for digital certificate revocation. However, the authors do not stipulate a specific revocation mechanism; thus, no performance evaluation is provided in this aspect.
In [19], the concept of COVID-19 immunity certificates is based on a government-run blockchain, in which information related to testing facilities and hospitals is also included. The privacy of end-users is protected from third parties by having a smart contract associating the public key of the user with the anonymous key shared with the testing facility workers. In this system, immunity certificates are saved on the blockchain; thus, it is not possible for a user to delete such data. In terms of scalability, the proposed system was not implemented and no performance evaluation was carried out.

III. INITIATIVES FOR COVID-19 DIGITAL CERTIFICATES
The development of digital certificates for COVID-19 has attracted significant interest from several organizations and alliances across the world. Unlike the previous section which focused on describing the existing research literature on the use of digital COVID-19 certificates, in this section, we describe the main initiatives being developed by various institutional alliances and companies worldwide. Furthermore, we compare the different approaches by considering several aspects, such as interoperability and the underlying technology.

A. WHO SMART VACCINATION CERTIFICATE
The WHO smart vaccination certificate (SVC) working group was established to create an interoperable trust framework for digital COVID-19 vaccination certificates, with intended applicability to other vaccines [26]. It brought together members from UNICEF, ITU, and the European Commission to agree on the main security, privacy, and trust aspects of a global vaccine certificate architecture, as well as to provide guidelines for further adoption. Some of the preliminary considerations and outcomes derived from this initiative were described in the "Interim guidance for developing a Smart Vaccination Certificate" [27] in March 2021. This document is intended to provide guidance for the establishment of national trust architectures for issuing/validating SVCs and to describe business requirements for a global SVC management framework. The document describes two basic scenarios for the use of SVC, namely continuity of care, which is intended to register the vaccination records of an individual, and proof of vaccination, which provides the proof that an individual was vaccinated. Furthermore, the document provides initial security and privacy guidelines, including the use of PKI to support a cross-border SVC management framework, and the possibility of using a selective disclosure procedure in the proof-of-vaccination scenario. The scope of the SVC working group expanded in June 2021 [28]: "On 4 June 2021, the WHO announced that the Smart Vaccination Certificate specification will be renamed the 'Digital Documentation of COVID-19 Certificates (DDCC)' specification, including COVID-19 vaccination status, SARS-CoV-2 test results and COVID-19 recovery status." However, in August 2021, the WHO published implementation guidance and technical specifications for COVID-19 vaccination certificates [29], which list among the aspects considered out of the scope of their work: "... digital documentation of COVID-19 recovery status because of the uncertainty around any immunity status arising from recovery;"

B. IATA TRAVEL PASS INITIATIVE
The International Air Transport Association (IATA) Travel Pass Initiative [30] is an effort to foster cross-border travel by providing passengers with the information required to travel, for example, which tests or quarantine periods are needed at their destination, as well as the capacity to demonstrate their COVID-19 health status in a verifiable and privacy-preserving way. Furthermore, this initiative is also intended to help governments and airlines verify the legitimacy of test/vaccination certificates. In addition, the IATA Travel Pass provides a mobile app [31] to be used by travelers to store and manage their verified certificates for COVID-19 tests or vaccines. It enables authorized test centers to send test results and vaccination certificates to passengers, who can use the app to prove their COVID-19 health status to the pertinent authorities throughout their travel. Moreover, IATA Travel Pass is based on the use of Verifiable Credentials (VC), so that users' data are stored only on their smartphones. It should be noted that in August 2021 this initiative had already been adopted by more than 40 airlines around the world [32].

C. COVID-19 CREDENTIALS INITIATIVE (CCI)
The use of VCs in the context of the COVID-19 crisis has also been fostered by the COVID-19 Credentials Initiative (CCI) [33], which groups around 100 organizations to support the use of VCs to mitigate the spread of the virus. In December 2020, CCI was adopted by the Linux Foundation Public Health (LFPH), which was created to work with public health authorities, academia, and industry organizations to maximize the impact of public health technology. The activities of CCI are split into three main community groups: the use case implementation workstream, which provides a common platform for organizations to present their projects based on COVID-19 credentials; the rules and governance workstream, which is focused on defining rules and guidelines for COVID-19 credentials; and the vaccine credentials focus group, which is intended to define a roadmap for the effective deployment of vaccine credentials.

D. EU DIGITAL COVID CERTIFICATE
In March 2021, the European Commission proposed the EU Digital COVID Certificate (EUDCC), formerly called the EU Digital Green Certificate [34], to facilitate safe and free movement inside the EU during the COVID-19 pandemic.
In general, such a certificate is a digital proof that a person has either been vaccinated against COVID-19, received a negative test result, or recovered from COVID-19 [35]. It can be issued free of charge in a digital or paper version by an authorized body (e.g., a hospital), which signs the certificate. Such credentials also contain essential information (e.g., name or issuance date) and a QR code for the validation process, which checks the certificate's validity and authenticity by verifying the signature added in the issuing process. The certificate is intended to be accepted in all EU member states by using a PKI to support cross-country validation; for this purpose, an EU gateway has been developed as a core component to foster the interoperability of certificates across Europe. The EU gateway officially went live on July 1, 2021, although some countries were using it ahead of this date on a voluntary basis. It should be noted that, by the end of August 2021, more than 350 million EUDCCs had already been issued.
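The issue-and-verify flow described above (an authorized body signs the certificate, the QR code carries the signed payload, and verifiers check the signature against issuer keys distributed through a PKI gateway), as an added Go example; this is not EUDCC code. The token layout "<kid>.<payload>.<signature>", the Certificate field set and the key identifier "DE-HOSP-01" are assumptions made for illustration. The production EUDCC wraps its payload in a CBOR/COSE structure rather than this JSON token, but the trust-list lookup and the signature check have the same shape. TrustList is what the gateway would hand to verifiers: issuer public keys only, no private material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Certificate: constructed simplification of the fields the page lists, not the EUDCC schema.
type Certificate struct {
	Name    string `json:"name"`
	Type    string `json:"type"` // "v" vaccination, "t" test, "r" recovery
	Expires int64  `json:"exp"`  // Unix time after which the certificate is invalid
}

// Issuer is one signing body (e.g. a hospital); KID names its key in the trust list.
type Issuer struct {
	KID  string
	priv *ecdsa.PrivateKey
}

func NewIssuer(kid string) (*Issuer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{KID: kid, priv: priv}, nil
}

func (i *Issuer) Public() *ecdsa.PublicKey { return &i.priv.PublicKey }

// Sign produces the string the QR code would carry (constructed layout):
// "<kid>.<base64url payload>.<base64url ECDSA-P256/SHA-256 signature>".
func (i *Issuer) Sign(c Certificate) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, i.priv, digest[:])
	if err != nil {
		return "", err
	}
	return i.KID + "." + base64.RawURLEncoding.EncodeToString(payload) + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// TrustList is what a verifier holds after syncing with the gateway: issuer public
// keys by KID and nothing else. Dropping a KID revokes everything it signed.
type TrustList map[string]*ecdsa.PublicKey

// VerifyQR checks key id, signature and validity period, in that order: the
// signature is verified before the payload is parsed, so unauthenticated JSON
// never reaches the decoder.
func VerifyQR(tl TrustList, token string, now time.Time) (*Certificate, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	pub, ok := tl[parts[0]]
	if !ok {
		return nil, errors.New("unknown issuer key id")
	}
	payload, errP := base64.RawURLEncoding.DecodeString(parts[1])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	if errP != nil || errS != nil {
		return nil, errors.New("token is not base64url")
	}
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return nil, errors.New("signature does not verify")
	}
	var c Certificate
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if !now.Before(time.Unix(c.Expires, 0)) {
		return nil, errors.New("certificate expired")
	}
	return &c, nil
}

func main() {
	iss, _ := NewIssuer("DE-HOSP-01")
	tl := TrustList{iss.KID: iss.Public()}
	now := time.Now()
	tok, _ := iss.Sign(Certificate{Name: "Jane Doe", Type: "v", Expires: now.Add(24 * time.Hour).Unix()})
	c, err := VerifyQR(tl, tok, now)
	fmt.Println(c, err)
	_, err = VerifyQR(TrustList{}, tok, now) // verifier that never synced this KID
	fmt.Println(err)
}
```

Two properties of this layout matter for the cross-border case the gateway exists to serve. First, the verifier never contacts the issuer: everything it needs is the trust list it synced earlier, so checking works offline at a border post or restaurant door. Second, the payload is parsed only after the signature has been verified, which keeps the JSON decoder out of the attack surface a forged QR code would otherwise reach.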

E. CommonPass
CommonPass [36] is a platform developed by the non-profit public interest foundation the Commons Project to evaluate whether an individual's test results and vaccination records are provided by a trusted source and satisfy the entry requirements of a certain country. Therefore, an individual should be able to access such results or vaccination records, say, through CommonHealth, before using CommonPass. If the evaluation process is successful, CommonPass generates a certificate, which is verified through a QR code. CommonPass has also developed an app to access test and vaccination records from authorized providers [37]. CommonPass is supported by the Common Trust Network [38], which is intended to ensure that only verifiable lab results and vaccination records from trusted sources are presented for cross-border travel and commerce. In particular, such a network is based on a global registry of trusted laboratories, standard formats for laboratory results or vaccination records, and information from governments about countries' entry rules. CommonPass can already be used for traveling to certain areas, such as Aruba or Hawaii.

F. AOKPass
AOKpass [39] is an initiative developed by the International Chamber of Commerce (ICC) to empower users to present digital and authenticated credentials to government authorities. Specifically, the framework provided by AOKpass can be employed in diverse use cases to enable safe cross-border travel, for example through vaccination certificates, as well as access to events and other venues [40]. AOKpass is based on the well-known permissionless blockchain implementation Ethereum [22]. In particular, the AOKpass application is used by a certain lab to issue a digital passport, including the test results, to an individual. Then, the passport is presented to a certain authority through a QR code, which that authority verifies through the Ethereum blockchain [41]. The initiative also developed an app to enable users to manage their medical records [42].

G. OTHER INITIATIVES
The Certify.health initiative [43] was intended to develop privacy-by-design COVID-19 status certificates by considering testing results and vaccination data. As part of this initiative, the Certify.health app [44] was developed as a health wallet to manage certificates while taking HIPAA and GDPR regulations into account. The certificates contain information from the clinic and clinician who signed the document and can be verified through a QR code. Certify.health is based on CareChain, which represents a joint effort to establish blockchain infrastructure and personal data management for health-related use cases [45]. Other approaches that consider the use of blockchain technology to manage people's COVID-19 status have been proposed by single companies. Specifically, the i-Covid19 certificates [46] were proposed by the BlockTack company to demonstrate a person's status and immunity to COVID-19. Such certificates can be issued through email, SMS, or in a paper version and validated through messaging apps or QR codes. The content of an i-Covid19 certificate could include information about serological, PCR, and viral antigen detection tests, but they are not intended to provide vaccination information. Additionally, based on blockchain, the IBM Digital Health Pass (DHP) [47] is intended to manage COVID-19 test results or vaccination status. Such results are stored on the person's mobile phone through a digital wallet and shown to pertinent authorities through a QR code. The underlying blockchain infrastructure based on Hyperledger [48] is intended to manage data of the issuing entity, such as DIDs, keys, and schemas, to make credential exchange tamper-proof and verified against issuer signatures and credential hashes [49].

H. COMPARISON
The previous initiatives present different aspects associated with the realization of a digital COVID-19 certificate ecosystem. Based on the description above, we classify the different initiatives as shown in Table 2 considering specific criteria, namely: certificate type, that is, vaccination, test, or immunity; partnership, which indicates the organizations, institutions, or companies that launched the initiative; technology, which represents the underlying technology for the definition, generation and verification of COVID-19 certificates; interoperability, which indicates to what extent interoperability issues are addressed by the initiative; and mobile app, which specifies whether an app has been developed as part of the effort.
Based on our analysis, all the different initiatives (except i-Covid19) consider certificates for proving vaccination status. Furthermore, it should be noted that most of the initiatives were conceived and developed in the context of a consortium composed of several organizations and/or associations, except for IBM DHP and i-Covid19 certificates, which were developed by private companies. A common aspect of the different initiatives is that they propose the use of QR codes to prove/verify digital COVID-19 certificates, and most of them propose similar information to be included in the certificate, such as the citizen's data, vaccine manufacturer/batch, or vaccination dates. Moreover, interoperability aspects are addressed by the different initiatives to a certain extent. For example, EUDCCs are intended to be used in the EU, and other countries (e.g., Switzerland) also define certificates interoperable with EUDCCs. In the case of CommonPass, it is noteworthy that it offers a global registry to manage vaccination records, unlike the other approaches.
Regarding the infrastructure developed for certificate registration and validation, most of the approaches are based on the use of blockchain technology (e.g., IBM DHP and AOKpass) or traditional public key cryptography (e.g., SVC or EUDCC). Indeed, as previously mentioned, the EUDCC defines an EU gateway so that certificate signatures can be verified across the EU. Regarding the current state of deployment, it is worth noting that the EUDCC proposal is fully operational, and most EU countries already make use of these certificates to promote safe travel across the EU. Moreover, some of the initiatives (e.g., IATA Travel Pass and IBM DHP) already provide smartphone apps, so that citizens can manage their digital COVID-19 certificates. In the case of EUDCC, most countries using these certificates have developed apps for this purpose, as will be described in Section IV.

IV. COVID-19 DIGITAL CERTIFICATES WORLDWIDE
After describing the main worldwide initiatives on the use of COVID-19 digital certificates, this section provides an exhaustive description of the current landscape of countries' strategies. For our analysis, we consider the information provided by the Re-open EU initiative [51], the international monitor about vaccine passports and COVID apps [28], and the Observatory on Border Crossing Status due to COVID-19 [52]. The main aspects considered during this analysis are the procedure to acquire a certificate, the supported certificate types, the data contained in the certificate, and whether an app is available or not. It should be noted that the terms ''health passport'', ''certificate'' and ''pass'' are used interchangeably throughout the description of the different plans in each country.
A. AMERICA
1) ARGENTINA
According to [53], a digital COVID-19 vaccination certificate can be obtained through the Mi Argentina app [54], which is available for Android and iOS operating systems. To request the vaccination certificate, citizens need to create an account and validate their identity by scanning their identity card through the app. The obtained vaccination certificate contains information about the vaccinated user, including their name, surname, and identification number, data about the vaccine, as well as date and place of vaccination.

2) BAHAMAS
The Bahamas Travel Health Site [55] website provides the possibility of obtaining a Bahamas travel health visa to travel to or within the country. This credential can be obtained by uploading to the website the results of a PCR test from an accredited laboratory or, in the case of vaccinated travelers, proof of vaccination. As described by [56], the vaccination proof can be a card issued by the government or by the Centers for Disease Control and Prevention. After the PCR test results or vaccination proofs are verified and the user makes the corresponding payment, a Bahamas travel health visa can be downloaded.

3) BARBADOS
On June 25, 2021, the country updated its travel protocols, which can vary depending on the countries previously visited by travelers [57]. To curb the spread of COVID-19, the BIMSafe app [58] was developed with different functionalities, including the possibility of monitoring potential symptoms for several days after the traveler's arrival using wearable devices, uploading PCR test results before the trip, and providing updated information on travel protocols [59]. Vaccinated travelers [59] need to provide proof of issuance from a health organization, a documented proof issued by a medical center, or to use an existing validation system, such as IATA Travel Pass or EUDCC, as described in Section III. According to [59], the BIMSafe app also offers the possibility of uploading proof-of-vaccination certificates to be verified through electronic health passports.

4) CANADA
Canada requires COVID-19 vaccine passports, also known as proof of COVID-19 vaccination, to allow international travelers to visit the country without going through mandatory quarantine. Fully vaccinated travelers can use the ArriveCAN app [60] to upload their vaccine certification. The uploaded photo or PDF must show details of the first and second doses, unless they received a single-dose vaccine.

5) CHILE
People in Chile who have been fully vaccinated against COVID-19 can obtain a pass to move about more freely [61]. Citizens can download the pass on their mobile phones two weeks after receiving the second or final shot. The pass gives the bearer permission to move freely in cities under lockdown and go to the supermarket, pharmacy, or for open air exercise. However, an app is not yet available to facilitate digital COVID-19 vaccination certificates.

6) MEXICO
People vaccinated in Mexico can download their COVID-19 vaccination certificate through a web portal created by the Mexican Government's Secretary of Health [62] using their personal unique population registry code (CURP). The certificate includes a QR code, citizen's data, brand, and batch of the vaccine, as well as the dates when the citizen received each shot. However, the use of mobile apps has not yet been considered.

7) UNITED STATES
In the USA, several States officially banned vaccine passports by forbidding private entities or government authorities from requesting proofs of vaccination [63], while others do not have plans to support them. California, Hawaii, Illinois, and Louisiana are among the states that consider the use of vaccination certificates. The only state that has currently implemented a vaccination certificate is New York with Excelsior Pass [64], which was built by IBM, based on its digital health pass solution described in Section III-G. It is based on blockchain and provides proof of vaccination, disease recovery, and negative test results. The pass, which contains a QR code, can be retrieved from a government website and can be printed on paper, saved as a screenshot, added to the mobile device's wallet, or to the Excelsior Pass Wallet app [65].

B. ASIA
1) BAHRAIN
The BeAware app [66] allows citizens to issue COVID-19 vaccination certificates two weeks after taking the second dose of the vaccine. According to [67], the app displays a color-coded shield along with an official certificate detailing the person's name, date of birth, nationality, and which vaccine was received. The shield indicates the person's vaccination phase using the following color codes:
• Gray: Not vaccinated
• Red: First dose received
• Yellow: Second dose received
• Green: Fully vaccinated and 14 days have passed.
The validity of the certificate can be verified by the authorities by scanning the QR code linked to the national vaccine register.

2) BANGLADESH
The Surokkha app [68] allows citizens to register for vaccination against COVID-19. Furthermore, the app allows users to check their vaccination application status, as well as download the vaccination certificate after the completion of two doses of the COVID-19 vaccine.

3) BRUNEI
The Government of Brunei developed the BruHealth app to provide COVID-19 information, preventive care information, and government advisories to the citizens of Brunei. The app allows citizens to register for vaccination against COVID-19 and view their vaccination records [69].

4) CHINA
The Chinese government introduced a digital vaccination certificate, called the International Travel Health Certificate [70]. The certificate includes information on the citizen's current COVID-19 vaccination status, as well as the dates of receiving the vaccine, the manufacturer, and the type of vaccine received. The International Travel Health Certificate is available through the WeChat app.
Moreover, Hong Kong developed an app called eHealth [71]. After vaccination, citizens receive paper vaccination records, but they can also download vaccination records in digital form through the eHealth mobile app.

5) INDIA
The Indian government created the CoWIN platform [72] to facilitate the vaccination process by allowing citizens to register for vaccinations. The platform also has the possibility of downloading vaccination certificates, which can be linked to citizens' passport to facilitate travel abroad. To manage vaccination certificates, different apps have been developed, including the Co-WIN app [73], which was created to manage the vaccination process through the CoWIN platform, Aarogya Setu [74], which provides contact tracing and self-assessment services, DigiLocker [75], which allows the storage of different personal documents, such as a driving license, and UMANG India [76], which provides different e-government services.

6) ISRAEL
The Ministry of Health has developed the Ramzor app [77] to provide the public with information on the restrictions in force in various localities in Israel. To obtain the certificate, users must fill in their personal details, such as identity card or passport number, phone number, and date of birth. A verification code is sent to the phone via SMS. Users will then be able to access their certificates easily through the app menu.

7) JAPAN
Japan will start accepting applications to issue vaccination passports in July 2021 for individuals who wish to travel abroad [78]; it is not clear whether these passports will also be used domestically to ease containment measures. This type of certificate will only verify that an individual has been vaccinated and will probably include information such as name, passport number, and vaccination date. Initially, vaccination passports will be issued in paper form only, while a digital format is under consideration. Earlier [79], it was announced that an app would be developed, probably based on CommonPass [36].

8) JORDAN
Travelers to Jordan are required to use the gateway2jordan platform [80] to fill in the travel declaration so that they can obtain a QR code for boarding. The same platform can also be used by vaccinated travelers to upload their vaccination certificate (or proof of vaccination) and obtain a QR code to travel across the country.

9) MALAYSIA
The government of Malaysia has developed the MySejahtera app [81] to assist in the management and mitigation of COVID-19, helping citizens to monitor their health status and to find nearby hospitals for potential treatment in case of infection. Furthermore, it allows registration and appointment booking for vaccination, as well as the issuance of digital certificates, which include data about the vaccinated citizen, vaccine manufacturer and batch, as well as vaccination date.

10) OMAN
The Tarassud app [82] was developed by the health ministry to provide information about the spread of COVID-19 in the country. This app needs to be used by all travelers during the quarantine period when they reach Oman. They must also complete the required travel forms through a web portal [83]. Furthermore, according to [84], the Tarassud app provides the possibility of obtaining and verifying certificates for vaccinated people.

11) PAKISTAN
The vaccination certificate is obtained after paying a fee [85]; it is issued online and can be downloaded from a national authority. It includes information such as name, date of birth, nationality, and passport number of the individual, as well as information about the vaccine and the date and place of the vaccination. No information about its format or the existence of an app is provided.

12) QATAR
The country provides a service [86] to view and download vaccination certificates for vaccinated citizens seven days after receiving the vaccine. The service is linked to the National Authentication System (NAS), so that only citizens authenticated through this platform will be able to obtain the certificate.

13) SAUDI ARABIA
The Tawakkalna app [87] was initially developed as a contact tracing app, as well as a means for issuing movement permits both for employees and individuals. Later, it was updated to offer more services, two of which are for managing vaccination certificates called "Health Passports" and COVID-19 test results. It is not clear, however, what the format of the certificate is and what information is stored in it.

14) SINGAPORE
The format of digital health certificates in the case of Singapore follows the HealthCerts open standards [88], [89]. These standards allow the issuance of vaccination certificates as well as COVID-19 test results. An individual can request a digital vaccination certificate from a national authority [90], which is then delivered to the user's email address and/or Singpass app [91]; it is also possible to print it out. The user receives a QR code that contains a link to the HealthCert, a key to decrypt the HealthCert, and a URL to perform its verification. Nevertheless, no information is available on the exact data contained in the HealthCert.

15) SOUTH KOREA
The government has developed a vaccination certification service called COOV (Corona Overcome), which is provided via a smartphone app [92]. COOV is based on the use of blockchain and DID technologies to prevent potential forgery or alteration of certificates. The vaccination certificate is stored within the user's smartphone and can be used to present a proof of vaccination using a QR code. Indeed, the COOV app [93] can be used to store, present, and verify vaccination certificates. Users can manage the disclosure of their personal data, and the Korea Disease Control and Prevention Agency (KDCA) only records information that can verify the authenticity of the data. Furthermore, according to [92], such vaccination credentials can be verified in other countries through the global vaccination management system on which COOV is based.

C. EUROPE
1) AUSTRIA
EUDCCs can be requested through a website provided by the Austrian government [94]. Furthermore, the Grüner Pass app [95] has been developed to manage different certificates, which can be kept in paper or electronic form. Then, the app is used to scan the QR code of the certificate, so that it is stored by the app in the smartphone to be presented by the user to access certain services.

2) BELGIUM
EUDCCs are also used in Belgium through the CovidSafeBE app [96], which allows Belgian citizens to download a certificate associated with vaccination, testing, or recovery. Vaccination certificates can be obtained if the citizen vaccination is registered in the Vaccinnet vaccination system.

3) BULGARIA
According to [97], as of July 1, 2021, everyone traveling to Bulgaria from a green or orange zone country, regardless of their citizenship, is allowed entry without quarantine by presenting an EUDCC, a negative COVID test result, or any official document verifying their recovery from COVID-19. However, a digital vaccination certificate app is not yet available.

4) CROATIA
The Croatian Government has released the CovidGO app [98]. This app facilitates the validation of QR codes on digital COVID certificates issued in the Republic of Croatia or EU member states. According to [99], the app verifies the digital signature of the certificate without processing the user's personal data. For valid certificates, a green screen will be displayed, and if the certificate is invalid, a red screen will be displayed with an additional explanation.

5) CYPRUS
Like in the case of other EU countries, Cyprus allows travelers holding a valid EUDCC to enter the country [100]. Furthermore, the Ministry of Health has created a platform to obtain a valid certificate [101] through a simple form in which identified citizens obtain a one-time PIN (OTP) to validate the process. In addition, the COVPASS Cyprus app [102] has been developed as a wallet app to allow citizens to download and store their certificates.

6) CZECH REPUBLIC
The Czech Republic was one of the first countries to adopt the use of EUDCC. In particular, the citizen's vaccination portal [103] is intended to receive certificate requests. Furthermore, two smartphone apps have been developed: Tečka [104] and čTečka [105]. The former is intended to manage the certificates so that citizens can download or scan their credentials to be stored through the app. The latter provides the functionality to verify certificates by reading their QR code.

7) DENMARK
As described in [106], the use of EUDCC is managed through the Coronapas app [107]. The system is connected to the Danish Vaccination Register and Microbiology Database, which provides test and vaccination information. In this way, only citizens who were tested or vaccinated were able to access their certificates. Furthermore, Coronapas can be used by citizens to prove their certificate through a QR code.

8) ESTONIA
The use of EUDCC replaces previous VaccineGuard vaccination certificates [108]. The certificates are issued through the Estonian national patient portal, digilugu, and enable Estonian citizens to have proof of their vaccination status on their smartphones. The QR code on a mobile phone certifies that the data are from Estonia's state database and are therefore reliable.

9) FINLAND
The country accepts and issues EUDCCs. Specifically, citizens can obtain their certificates through the My Kanta platform, which can be printed or displayed on one's mobile phone [109]. Such a platform also manages the information related to vaccination, testing, and recovery, so that certificates will only be available for those users who previously were vaccinated, tested, or recovered from COVID.

10) FRANCE
EUDCCs are also used in France. According to [110], citizens can obtain a certificate through the TousAntiCovid app [111], which was developed previously for digital contact tracing. In particular, people being vaccinated or taking a coronavirus test are able to receive a text message or email, giving them access to a state-certified online document that can be downloaded and either printed off or stored through TousAntiCovid. The app will generate a QR code linking to a range of information stored in a national database, that is, the person's name, the date and type of their test or vaccine, and details of the relevant doctor or laboratory. Certificates are also accessible through several channels, such as the French state health insurance website Ameli, according to [112].

11) GERMANY
Both the Corona-Warn-App [113] and the CovPass [114] app can be used to manage EUDCCs by scanning the QR code of the certificate that is stored within the citizen's smartphone. Both apps can be used to prove such certificates, as well as to manage the certificates of other family members.

12) GREECE
Just like other EU countries, Greece issues EUDCCs to travel across Europe, as well as a domestic type of certificate, which is employed for travel within the country. According to [115], Greek citizens can request certificates through a government portal, which allows them to download a digital version of the certificate. Furthermore, the Covid Free GR app [116] was recently developed for the verification of EUDCCs; however, the app does not enable downloading and managing certificates.

13) HUNGARY
Hungary launched an app called EESZT [117] as an electronic COVID immunity certificate. The app contains a QR code for verification, the name of the person, the date of vaccination, and the type of vaccination. A person's immunity can also be checked by scanning the QR code of the app. However, scanning will require another app, which will be made available as EESZT Covid Control [118]. For people to use the app, they must register with the app's website [119].

14) ICELAND
Iceland was one of the first countries to issue EUDCCs. According to [120], the certificates accepted at the border, either in paper or electronic format, include the confirmation of previous COVID-19 infection that fulfills certain requirements, and certificates of full vaccination against COVID-19, including EUDCCs. Furthermore, vaccinated people in the country can obtain a vaccination certificate from a web portal [121].

15) IRELAND
Ireland issues EUDCC certificates in digital or paper format. The certificate is retrieved differently depending on its type: vaccination certificates are e-mailed or posted, recovery certificates can be requested by phone, and negative test certificates are issued by the testing center. The digital form of the certificate is in PDF format, comprising a QR code that can be presented using a smartphone. It can also be saved in the COVID Tracker App [122], which also acts as a contact tracing app. The source code used initially for the app became publicly available and is known as COVID Green [123]; however, it seems that it has not been updated recently and it does not contain the certificate storage functionality.

16) ITALY
Italy has launched an online portal to issue digital certificates, demonstrating that an individual has been vaccinated, tested negative, or recovered from Covid-19 [124]. The certificates follow the EUDCC format and contain a QR code; they can be downloaded to a mobile device or printed. The details included in them are name, surname, date of birth, vaccine name and manufacturer, number of doses and date of last dose, as well as the name of the country where the vaccination was performed. Although a mobile app is not necessary for downloading or using it, the certificate can be accessed through the Immuni contact tracing app [125] or the IO app [126].

17) LATVIA
The Digital Covid-19 Certificate in Latvia can be used to prove that a person has completed their vaccination, recovered from the virus, or tested negative [127]. The certificate can be requested, viewed, downloaded, and saved locally from a governmental portal. It contains a QR code and can be used in a digital form or printed on paper. The Latvian certificate is interoperable with the EUDCC and is recognized by other EU member states. For verification and validation of the certificates, an app, called Covid19Verify, or a website can be used.

18) LITHUANIA
Lithuania supports both the EUDCC and a national scheme called "opportunity passport" [128]. In both cases, the certificate shows that an individual has been vaccinated, tested negative, or recovered from the disease [129]. The digital certificate is issued by a government portal in the form of a QR code and can be saved on a mobile device or printed out. The data stored are the individual's name, date of birth, and information about the vaccine; it should be noted that these data are not collected when the QR code is scanned. The authorities have announced a mobile app that is only for scanning and verifying the validity of the certificates, but no app is foreseen for downloading and managing the certificates themselves.

19) LUXEMBOURG
The CovidCheck certificate issued by Luxembourg [130] follows the EUDCC format, and it is proof that a user is vaccinated, recovered, or tested negative for COVID-19. It can be used in digital format on a mobile device or printed on paper. CovidCheck bears a QR code and can be issued from a governmental portal. A mobile app is provided, namely CovidCheck.lu, which only verifies the authenticity and validity of the certificate and cannot be used for storing it.

20) MALTA
Malta has a national scheme called the Maltese Vaccination Certificate and simultaneously supports the EUDCC [131]. Maltese citizens can apply for the national certificate, which proves that an individual received two doses of a recognized vaccine through a portal [132]. There is no information regarding mobile apps used to manage these vaccination certificates. It should be noted that only vaccination proofs are accepted; thus, an EUDCC stating recovery or a negative diagnostic test result is deemed invalid.

21) NETHERLANDS
The Netherlands supports the EUDCC certificate as proof of vaccination or recovery, as well as for demonstrating diagnostic test results [133]. To download and demonstrate the certificate, a citizen has the option to download the open source CoronaCheck app [134], [135] or access a governmental portal that provides the possibility of printing it on paper.

22) POLAND
Poland participates in the EUDCC system [136]. The certificate can be requested by citizens through a portal or using two mobile apps, namely mObywatel and Moje IKP. A third app, called Skaner Certyfikatów COVID, is available for verification and validation of certificates. All three apps are available for Android and iOS [137].

23) PORTUGAL
The certificate issued by Portugal follows the EUDCC format and can be requested from a governmental portal [138]. The SNS 24 app [139] allows citizens to issue, consult, store, and present an EUDCC in electronic format; it also allows entities such as air carriers and event organizers to validate certificates [140].

24) SERBIA
A credential called Digital Green Certificate [141] is a proof of vaccination and demonstrates the results of different types of COVID-19 diagnostic tests. It contains personal data, such as name, surname, ID number, gender, and passport number, as well as information such as the number of vaccine doses and the dates they were administered. The certificate can be obtained from a governmental portal, and no information is available regarding related mobile apps. Moreover, according to [142], Serbia allows the entrance of foreign citizens, who use a negative RT-PCR test, a vaccination certificate issued by the country (or a country with which Serbia has a recognition agreement), or a certificate of recovery from COVID-19.

25) SLOVAKIA
Initially, Slovakia issued its own national COVID vaccination certificate, which could be downloaded from a government portal and saved in the GreenPass app [143] or printed out. Later, the national certificate was replaced with the EUDCC [144], although the national certificate is still valid [145].

26) SPAIN
Spain supports the EUDCC, and citizens can request certificate issuance from the Ministry of Health [146]. Naturally, it inherits the characteristics of EUDCC, such as vaccination, recovery from infection, or negative diagnostic test results. It includes a QR code and can be downloaded and used from a mobile device or printed on paper. Currently, no app is foreseen for the management or use of certificates.

27) SWEDEN
Sweden also participates in the EUDCC system, and its citizens can request it from a governmental portal [147]. Although initially proving only vaccination, it is planned that it will also support negative test results and recovery from COVID-19. No mobile app is foreseen for the management or verification of certificates.

28) SWITZERLAND
In Switzerland, a COVID certificate can be issued for those who have been vaccinated, recovered from the disease, or tested negative [148]. It is issued online or directly at the vaccination or test center, in electronic or paper form, and includes a QR code; it is also interoperable with the EUDCC. In technical terms, the entire COVID certificate system is open source, while no personal data are stored centrally in national authority systems. The certificate contains personal information such as the first and last name of the holder, date of birth, and certificate number, as well as vaccination, recovery, or test information, namely number of doses, details of the vaccine administered, and vaccination/recovery/test date. The COVID Certificate app [149] is available to manage the certificate in electronic form.

29) UNITED KINGDOM
The UK developed the NHS COVID Pass [150], which allows an individual to share proof of their COVID-19 vaccination [151] or test results. It is available in digital or paper format and can be used from a mobile device through the NHS App [152]. It can also be downloaded online, without using the app.

1) AFRICAN UNION
The African Union developed a tool called My COVID Pass. The tool will offer verification of public health documentation during entry or exit across borders [153].

2) AUSTRALIA
The Australian government launched the Express Plus Medicare app [154]. The app allows fully vaccinated citizens to use digital certificates as proof of vaccination. The certificate is automatically generated and available on the app. Users need a government services account called myGov, to use the app.

3) MOROCCO
Whoever has a national ID or a residence card in Morocco is registered automatically for the vaccination campaign. After receiving the second dose, an individual can download the vaccination certificate from an online portal [155] by entering the ID or residence card number and date of birth. No further information is currently available regarding its form or personal details.

E. TAKEAWAYS
Unlike most research proposals described in Section II, existing countries' initiatives to manage digital certificates are based on the use of well-known PKI infrastructures. Indeed, the EU countries are interconnected through an entity called the EU gateway, which is employed for a cross-country validation of the signatures associated with each EUDCC. Furthermore, it should be noted that some countries (e.g., Greece) also use local certificates that coexist with EU certificates. Other countries (e.g., Switzerland) define their own certificates, which are also interoperable with EUDCCs. According to our analysis, most EU countries have developed an app to manage EUDCCs, and in some cases (e.g., in France), additional apps are developed for the verification of such credentials. While the development of such apps is more heterogeneous in other countries across the world, most of the considered countries provide government services to enable citizens to request their corresponding COVID-19 certificates. These services also allow credentials to be printed without the need for a specific app, so that users can show their certificates in paper format, if required. Our analysis revealed that the issuance of vaccination certificates is mainly offered for free, although there are cases where a fee is requested, for example, in Pakistan.
Comparing the main aspects considered during the analysis, the following outcomes were noted. Regarding the procedure to acquire a digital health certificate, 18 or 33% of the countries issue the certificate through a mobile app, 29 or 54% use a web portal, and 4 or 7.4% of the countries use both; in 3 countries or 5.5%, the procedure of issuing a certificate is not described. Concerning the certificate types, 30 countries or 55.6% endorse all three types of certificates (vaccination, diagnostic test and immunity), 4 or 7.4% support two types of certificates (vaccination and diagnostic test), and 20 or 37% support only vaccination certificates; notably, all countries offer the vaccination type of certificate. Most countries, that is 35 or 65%, provide information on the data contained in the health certificate, which in all cases are personal details (such as names and ID number) and vaccine details (such as brand and dates of vaccine administration). With reference to whether an app is available, 36 out of 54 or 67% of the countries offer a mobile app.
An overview of the main characteristics of digital certificates used globally is presented in Table 3. On the one hand, these characteristics concern high-level aspects of the certificate that give a quick overview of the regions and countries where digital health certificates are more commonly used, as well as the types supported. A second set of characteristics pertains to the mobile apps associated with these certificates, for example, whether the app is open source or not, considering that a mobile app is an important building block that seriously influences the security and privacy of a system. From the table, it can be easily noticed that most digital certificates cover all three types: vaccination, diagnostic test, and immunity certificates. The majority of countries offer an app for managing and/or verifying the validity of digital certificates; in most cases, the use of the app is not compulsory, and certificate issuance and management can also be performed through other means, such as a web portal. Of the countries providing an app, almost all have developed software for both Android and iOS platforms, and earlier OS versions are supported, thereby favoring their wide deployment. Regarding the software model, the open source approach was selected in only 13% of the developed mobile applications.

V. APP ANALYSIS
The aim of this section is to present key results regarding the functionality of official apps supporting national or multinational initiatives, for example, COVID-19 certification schemes in the case of EU member states. Specifically, we analyze the collected apps both statically and dynamically. The first type of analysis reveals potentially privacy-invasive permissions and API calls, while the second reports activities related to network traffic and the use of sensitive Java classes during runtime. Overall, as shown in Table 4, forty-seven official country apps were collected from Google Play with a freeze date of July 27, 2021. Note that for the sake of verifiability of the obtained results, the last column of the table designates the version of each analyzed app. With reference to the previous section and Table 3, eighteen countries are omitted because they currently do not offer such apps. For the interested reader, an analogous analysis but for official contact tracing apps available in European countries has been contributed by [9].

A. STATIC ANALYSIS
A primary step towards understanding an app's behavior is extracting and inspecting the permissions requested by the app, listed in the AndroidManifest.xml file. Moreover, the lookup for potentially privacy-invasive API calls in an app's code offers additional information about higher-risk actions the app may execute, as well as whether the identified calls coincide with the requested permissions. In this respect, the Androtomist tool [171] has been used to scrutinize each app and extract permissions from the manifest file and API calls from the smali files. Table 5 lists the potentially privacy-invasive permissions requested by each examined app. Recall that, in contrast to "normal" permissions, when an app asks for a sensitive permission, the Android OS presents a runtime permission prompt. Overall, the following twelve permissions were observed in the analyzed apps.
• P1: READ_CALENDAR permits an app to read the user's calendar events, attendees, and reminders.
• P2: WRITE_CALENDAR allows an app to perform insert, update, and delete operations on the user's calendar.
• P3: CAMERA permits access to the camera.
• P4: READ_CONTACTS allows the app to retrieve a list of contacts, including the contact name, phone number, street address, and email address.
• P5: WRITE_CONTACTS allows an app to modify or delete contact data stored on the user's phone.
• P6: GET_ACCOUNTS allows access to the list of accounts in the Accounts Service; namely, it offers access to the existing accounts on the user's device.
• P7: ACCESS_FINE_LOCATION provides access to the exact location of the device via GPS, WiFi, and mobile cell data. It is also required for some connectivity tasks, including connecting to nearby devices over Bluetooth low energy (BLE).
• P8: ACCESS_COARSE_LOCATION allows the app to access the approximate location of the device by using either WiFi or mobile cell data or both.
• P9: READ_PHONE_STATE allows an app to determine the phone number, detect an active call, as well as the remote number connected by a call.
• P10: CALL_PHONE gives permission to call phone numbers without user intervention. This can result in unexpected charges from calls made by malicious apps.
• P11: READ_EXTERNAL_STORAGE permits an app to read from external storage.
• P12: WRITE_EXTERNAL_STORAGE allows an app to write to external storage.
It is important to note that all the analyzed apps prompt the user to scan QR codes or documents. Therefore, the use of the camera is considered legitimate in this case. The same observation can be made for the READ_EXTERNAL_STORAGE permission, which is required to load a certificate stored on the SD card of the device.
As shown in Table 5, all apps except CovidSafeBE, Immuni, Moje IKP, and Surokkha requested at least one sensitive permission. No less important, 42 out of 47 apps or 89.3% asked for the CAMERA permission (P3), and 14 out of 47 or 29.7% of them requested the ACCESS_FINE_LOCATION permission (P7). Most apps asked for between 0 and 5 sensitive permissions. On the other hand, WeChat requested 9 out of 12 sensitive permissions. This is somewhat expected, as WeChat is a multi-purpose messaging, social media, and mobile payment app [160]. Finally, as shown in the same table, 2 out of 4, 10 out of 15, and 2 out of 27 apps requested ACCESS_FINE_LOCATION permission (P7) for America, Asia, and Europe, respectively.
As already pointed out, API calls per app have also been extracted with the purpose of identifying certain calls to methods that may pose a threat to the user's privacy. The following potentially sensitive API calls were discovered in the apps' smali code:
• android/telephony/TelephonyManager; → getNetworkOperator() returns the mobile country code (MCC) and mobile network code (MNC) of the current registered operator when a user is registered to a mobile network, that is, when a SIM card is used [173].
• android/telephony/TelephonyManager; → getLine1Number() returns the phone number for line 1, when supported by the SIM card operator. It requires at least one of the following permissions: READ_PHONE_STATE, READ_SMS, or READ_PHONE_NUMBERS [175].
• android/telephony/TelephonyManager; → getCellLocation() returns the current location of the device, and requires the ACCESS_FINE_LOCATION permission. This method was deprecated in Android 8.0.
• android/location/LocationManager; → requestLocationUpdates() is used to register for location updates from the given provider. It presupposes the same permission as getLastKnownLocation().
• android/location/Location; → getLatitude() and android/location/Location; → getLongitude() methods are used to obtain the latitude and longitude of the device in degrees, respectively.
• android/hardware/Camera; → open() is used to access the back-facing camera of the device [177]. It presupposes the CAMERA permission.
• android/hardware/camera2/CameraManager is a system service manager for detecting, characterizing, and communicating with camera devices [178].
For easy reference, the above-mentioned API calls have been grouped in Table 6 into three categories: cellular network, location, and camera. As observed from the table, certain cellular network-related API calls may expose the device's location. Specifically, the phone number (getLine1Number()) or SIM operator name (getSimOperatorName()) may reveal the user's country, while getCellLocation() returns the current location of the device. As shown in Table 7, the API calls observed in each analyzed app were put vis-à-vis their respective category in Table 6. As shown in the former table, 19, 37, and 32 apps were found to include API calls pertaining to the cellular network, location, and camera, respectively. Interestingly, Surokkha, BruHealth, and Co-WIN Vaccinator App do not include API calls from any of these three categories.
Another observation in Table 7 is that 23 out of 47 apps included location- or camera-related API calls for which the necessary permissions were not declared in their manifest files. According to an article from [179], Google and Apple recently refused to publish an updated version of the NHS COVID-19 app, a contact tracing app for monitoring the spread of the COVID-19 pandemic in England and Wales. In the updated version, the app requests users who tested positive for the virus to upload logs of venue check-ins via barcode scans, so as to warn other users. This operation requires the camera permission as well as one of the camera-related API calls listed in Table 6.
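As an added illustration of the permission/API-call cross-check described above (example code written for this section, not the paper's or the Androtomist tool's own code), the following Python script extracts <uses-permission> entries from a decoded AndroidManifest.xml, scans smali text for the call signatures of Table 6, and flags calls whose presupposed permission is not declared; the manifest and smali snippets are constructed samples, not taken from any real certificate app.

```python
"""Static audit of an Android app: declared permissions vs. sensitive API calls."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Sensitive API calls (Table 6), keyed by smali call prefix, with their category and the
# declared permissions that would legitimise the call. An empty set means the text names
# no permission for that call, so it is only counted, never flagged.
SENSITIVE_CALLS = {
    "Landroid/telephony/TelephonyManager;->getNetworkOperator": ("cellular", set()),
    "Landroid/telephony/TelephonyManager;->getLine1Number": ("cellular", {
        "READ_PHONE_STATE", "READ_SMS", "READ_PHONE_NUMBERS"}),
    "Landroid/telephony/TelephonyManager;->getCellLocation": ("location", {"ACCESS_FINE_LOCATION"}),
    "Landroid/location/LocationManager;->requestLocationUpdates": ("location", {
        "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"}),
    "Landroid/location/Location;->getLatitude": ("location", set()),
    "Landroid/location/Location;->getLongitude": ("location", set()),
    "Landroid/hardware/Camera;->open": ("camera", {"CAMERA"}),
    "Landroid/hardware/camera2/CameraManager;->": ("camera", {"CAMERA"}),
}
# Matches the target of any smali invoke-* instruction, e.g. "Landroid/hardware/Camera;->open".
CALL_RE = re.compile(r"invoke-\w+(?:/range)? \{[^}]*\}, (L[\w/$]+;->\w+)\(")

def declared_permissions(manifest_xml):
    """Return the short names (e.g. 'CAMERA') of all <uses-permission> entries."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name").rsplit(".", 1)[-1]
            for el in root.iter("uses-permission")}

def sensitive_calls(smali_text):
    """Return every Table 6 call prefix that the smali text invokes."""
    found = set()
    for m in CALL_RE.finditer(smali_text):
        found.update(p for p in SENSITIVE_CALLS if m.group(1).startswith(p))
    return found

def audit(manifest_xml, smali_text):
    """Categories of sensitive calls used, plus calls lacking any matching permission."""
    perms = declared_permissions(manifest_xml)
    calls = sensitive_calls(smali_text)
    categories = {SENSITIVE_CALLS[c][0] for c in calls}
    missing = sorted(c for c in calls
                     if SENSITIVE_CALLS[c][1] and not SENSITIVE_CALLS[c][1] & perms)
    return {"permissions": perms, "categories": categories, "missing_permission": missing}

# Constructed sample input: camera permission declared, but location and phone-number
# calls present without the permissions they presuppose.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""
SAMPLE_SMALI = """
    invoke-static {}, Landroid/hardware/Camera;->open()Landroid/hardware/Camera;
    invoke-virtual {v0, v1, v2, v3, v4}, Landroid/location/LocationManager;->requestLocationUpdates(Ljava/lang/String;JFLandroid/location/LocationListener;)V
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getLine1Number()Ljava/lang/String;
"""

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, SAMPLE_SMALI))
```

Against a real app the smali text would be the concatenation of the files produced by decompiling the APK, and the manifest the decoded (plain-text) AndroidManifest.xml.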

B. DYNAMIC ANALYSIS
Dynamic analysis was also performed to analyze the apps listed in Section V-A more deeply. Specifically, in this case, dynamic analysis aims to keep track of privacy-sensitive instantiated Java classes and network traffic produced during app runtime. This type of analysis has been carried out by means of dynamic instrumentation, that is, the instrumentation, namely method hooking, is added during the app execution in a just-in-time (JIT) approach. This process was carried out using the Androtomist tool along with a SIM-less Nvidia Shield K tablet [180], running on Android 7.0. To encompass every possible functionality, each app was exercised by hand, that is, not via the use of a UI/app exerciser. Specifically, during runtime, the instrumentation code logs specific Java classes related to network traffic, location, and mobile network, according to the API documentation, as follows:
• Location: (android.location.) Location, LocationManager, and LocationProvider. An object of the first class represents a geographic location, including latitude, longitude, and timestamp. The second class provides access to the system's location services and provides periodic reports on the geographical location of the device [181]. The LocationProvider class also provides periodic reports on the geographical location of the device, but was deprecated in Android 12.0.
• Camera: (android.hardware.) Camera and camera2.CameraManager. The former is a client for the Camera service, which manages the actual camera hardware, and was deprecated in Android 5.0. The latter provides a manager for detecting and connecting to camera devices by utilizing the camera2.CameraDevice class. It replaces the deprecated Camera class [182]. Both Camera and camera2.CameraDevice require the CAMERA permission.
• Mobile network: android.telephony.TelephonyManager. This class provides access to data regarding the telephony services of the device. Specifically, the methods of this class can be called by an app to obtain the available telephony services and states and retrieve certain types of sensitive subscriber information, including the unique subscriber identity, namely, the International Mobile Subscriber Identity (IMSI).
The results of the dynamic analysis are summarized in Table 8. The four rightmost columns of the table indicate whether the examined app has: (a) produced network traffic, (b) instantiated the Java class LocationManager, (c) instantiated the Java class TelephonyManager, and (d) instantiated either or both the Java classes Camera and CameraManager, respectively. As seen in the table, two apps asked for phone number authentication through a verification code received via SMS to properly work. Therefore, given that the Nvidia Shield K tablet device is SIM-less, these apps were excluded from the current analysis. The following key observations were made:
• All but four examined apps produced network traffic, meaning they visited specific URLs.
• Ten apps or 21.2% employed the LocationManager class, which provides access to the system's location services and allows apps to obtain periodic updates of the device's geographical location. Specifically, one out of four, seven out of fifteen, and two out of twenty-six apps instantiated the aforementioned class for America, Asia, and Europe, respectively.
• Thirty-six apps or 76.5% used the TelephonyManager class.
• Twenty-eight apps or 59.5% used the Camera class. As previously mentioned, all of these apps are expected to prompt the user to scan QR codes or documents.
• Sixteen apps or 34% require users to login to a service before using the app; thus, the analysis results for these apps should be considered incomplete.

VI. CONCLUSION
With the global vaccine roll-out being underway, COVID-19 certificates mainly aim at abrogating domestic or international travel restrictions such as entry prohibitions, quarantine obligations, and testing. Indeed, some countries are considering such certificates for leisure activities, including access to bars and restaurants. This work attempts to shed light on this timely and intriguing matter by surveying all contemporary digital record initiatives and schemes already developed collectively by organizations or individual states. Moreover, the survey includes similar proposals published in the relevant literature. Given that such certification schemes are typically accompanied by mobile apps to ease the storing, updating, and verification of the holder's certificates, we also scrutinize such official apps in the Android platform, seeking any aspect that could potentially put the user's privacy at risk.
With respect to the state-of-the-art literature, nearly half of the existing schemes consider at least two types of certificates, while the most supported type is that of the immunity certificate, followed by the vaccination certificate. All but two of the nine schemes rely on blockchain technology, and, as expected, all of them consider privacy aspects. On the downside, scalability issues, which are decisive factors for real-world deployments, are considered only by a couple of schemes. On the other hand, thus far, nine different initiatives have been developed mostly by organizations or alliances to aid and spur the issuance, exchange, and validation of public health status records. Again, most of them leverage blockchain technology or PKI and utilize a companion smartphone app to manage and/or verify the relevant credentials, where the latter is typically done via a QR code. Most notably, the proposal cultivated by the European Commission has been adopted by the EU and is already operational across all 27 EU member states as well as Switzerland, Iceland, Norway, and Liechtenstein.
It is also salient that 54 countries have already created national official COVID-19 certification schemes (7, 15, 29, 3 from America, Asia, EU, and Africa/Oceania, respectively) and 36 of them are supported by smartphone apps; such schemes may work in tandem with broader initiatives (as in the case of EUDCC) and others are standalone. In any case, for the sake of convenience, the norm is for both paper-based and paperless records. The great majority of mobile app geared schemes are destined to both the Android and iOS platforms and support all three types of proofs, namely vaccination, diagnostic tests, and immunity. However, only four of them are open source.
The results of the static analysis show that 42 of the 47 apps ask for permission to use the camera, and about one-third of them also require read/write permissions to access the external storage of the device. However, this is expected, as this type of app needs to use the camera to scan the QR code included in the certificate and potentially read the downloaded certificate directly from the device. Interestingly, approximately one-third of the apps require location-based services. On the other hand, dynamic analysis allowed us to verify the results stemming from static analysis. For instance, despite the fact that 37 apps or 78.7% do contain at least one location-related API call, only 10 or 21.2% of them instantiate the relevant classes. The same observation is true for camera-related API calls. Specifically, with reference to static analysis, 32 apps or 68% were found to include such calls, while dynamic analysis showed that only 28 apps or 59.5% instantiated the relevant class. However, the remaining four cases involve apps that require users to register before using the app and therefore have a reduced chance of triggering camera-related events during analysis. Again, the use of several potentially privacy-invasive API calls and sensitive Java classes does not come as a surprise; they exist for the same reason as the matching permissions, for example, accessing the camera when reading a QR code.
All in all, based on the findings presented in Tables 5, 7, and 8, it can be argued that the schemes developed by European countries offer an overall increased level of privacy vis-à-vis those from Asia and America, which tend to require an increased number of sensitive permissions pertaining to location-based functions and interaction with external storage.
GEORGIOS KAROPOULOS received the Ph.D. degree in computer network security from the University of the Aegean, Greece. He is currently a Scientific Officer at the Joint Research Centre, European Commission. In the past, he was a Marie Curie Fellow Researcher at the University of Athens, Greece, and an ERCIM Fellow at IIT-CNR, Italy. His research interests include network security, VoIP security and privacy, smart grid security, and critical infrastructure protection. He has published and is a frequent reviewer in conferences and scientific journals in the above areas.
JOSE L. HERNANDEZ-RAMOS received the Ph.D. degree in computer science from the University of Murcia, Spain. He is currently a Scientific Project Officer with the Joint Research Centre, European Commission. He has participated in different European research projects, such as SocIo-Tal, SMARTIE, and SerIoT. He has published more than 60 peer-reviewed papers. His research interests include application of security and privacy mechanisms in the Internet of Things and transport systems scenarios, including blockchain and machine learning. He has served as a technical program committee and the chair member for several international conferences.
VASILEIOS KOULIARIDIS received the Ph.D. degree from the Department of Information and Communication Systems Engineering, University of the Aegean, Greece. His research interests include Android security and privacy, mobile malware analysis and detection, and machine learning.
GEORGIOS KAMBOURAKIS was the Director of the Information Security Laboratory, from September 2014 to December 2018, and the Head of the Department, from September 2019 to October 2019. He is a Full Professor with the Department of Information and Communication Systems Engineering, University of the Aegean, Greece. He is currently on unpaid leave with the University of the Aegean, while he is working with the European Joint Research Centre (JRC), European Commission, Ispra, Italy. His research interests include mobile and wireless networks security and privacy, VoIP security, the IoT security and privacy, DNS security, and security education. He has more than 155 refereed publications in the aforementioned areas.