How secure are New York's vaccine passport apps?

Most of us in New York City know we're less than two weeks away from having to prove we're vaccinated to dine or exercise indoors. Far fewer of us have figured out or understand exactly how we'll show restaurants and fitness studios we've received all of our shots.

"I announced the Key to NYC pass and about five hours later the president of the United States endorsed it," Mayor Bill de Blasio said on Thursday.

The NYC COVID Safe app allows users to upload a photo of their COVID-19 vaccine card and then flash the image in the app to enter a vaccine-requiring establishment.

"[It's] not connected to the Internet," de Blasio said. "Can't be hacked."

Is that true?

"No," Surveillance Technology Oversight Project (S.T.O.P.) founder and executive director Albert Fox Cahn said. "That statement from a technical perspective just doesn't make any sense."

Cahn read NYC COVID Safe's terms and conditions and found the city's app Internet-enabled to document one's IP address every time one opens it. He also uploaded a photo of Mickey Mouse in place of his vaccine card and the app approved Mickey with three green checkmarks, leaving Cahn confused as to why the city developed its own app at all.

RELATED: New York City launches vaccine passport

"I think this is just more proof of the dysfunction between City Hall and Albany," he said.

More than 3 million New Yorkers have downloaded the state's Excelsior Pass. And the governor announced Excelsior Plus on Thursday, allowing New Yorkers to use Excelsior at select locations around the world. But Cahn also worried for that app's security, hacking it — with a user's permission — in just 11 minutes.

"Carrying the card itself is the simplest," de Blasio said. "Lot of people just have the card in their wallet."

Get breaking news alerts in the FOX 5 NY News app. Download for FREE!

On that, Cahn agreed. 

As of this writing, the city had yet to clarify whether the vaccine-exempt might dine or work out indoors, or how staff will verify international vaccination documents or prove a CDC card's authenticity.

"The difference between vaccine cards and the app is the apps look more secure," Cahn said, "but the truth is they're just as easy to forge as that piece of cardboard."

New York City's vaccine requirement to dine or exercise indoors takes effect Monday, Aug. 16.