The apps are expected to generate limited-time QR codes with the respective country’s digital signature (just like the biometric data in your passport), so no, your suggestion won't work.
Yup, because lowest-bid contractors are well known for producing bulletproof code, never copying bad samples from StackOverflow, and never rolling their own crypto instead of using proper libraries.
States already turned to contractors to design the system of digital signatures on their biometric passports, but these passports remain secure, so your sarcasm is unfounded.
Unless they somehow figured out a flaw in the crypto that allowed for spoofing countries, in which case holy shit why are you using it to fake vaccine certificates?