Radar COVID released its code yesterday in Spain. As planned, the Secretary of State for Digitalization and Artificial Intelligence (SEDIA) posted on GitHub the code of your tracking application. We wanted to know in depth the technical details of the application, analyzing in detail this released code.
Linuxct, software engineer, has helped us understand and have a more complete view about the code released on GitHub, so let’s analyze in detail the operation of the app.
Understanding the Radar COVID code, how does the app work?
{“file”: “https://webediaespana.video.content-hub.app/default/video/1d/58/62/5f327d1f3bef07f64f/default-standard-720.mp4”, “image”: “https: // webediaespana.delivery.content-hub.app/image/34/aa/b3/5f327d063bef07f653/original/miniature-radar-covid.jpeg “}
To be able to thoroughly analyze the code we have had the help of Linuxct, a software engineer and regular collaborator in XDA Developers. After talking with him, we can detail the information about what has been published on GitHub, what is right, what is wrong, and what is missing.
This analysis has been carried out on the Android version, developed in Kotlin, one of the most popular programming languages.
How does Radar COVID work from a technical point of view?
- As soon as we open the application for the first time, it calls the server requesting the issuance of a token of user. These token They allow the terminal to be identified (not the person) and are self-generated by the server, not being linked to a person, but to a device. Is about a widely used security measure.
-
When the app obtains this token, it uses it both to ask the server for the data of the texts that the app displays on the welcome screen (which will depend on the language we choose) and to request the DP3T configuration data from the server. The notorious DP3T (Decentralized Privacy-Preserving Proximity Tracing) is the SDK (software development kit) that is being used to develop the tracking apps, that is, a development protocol shared by these applications and that it was already open source.
-
When DP3T is initialized, it is in charge of asking the user to activate Bluetooth and give the application permission to connect to the Google’s notification system of exposure to COVID, integrated into the operating system itself.
In other words, the app identifies the user with a token, requests the configuration data and subsequently It asks us to give connection permissions to Bluetooth and the Google notification system.
How we explain when the app is launched, COVID Radar send notifications to users about possible positive contacts, as long as users with COVID have reported the case to the corresponding health authority through the corresponding code that it provides.
From a technical point of view, the app marks ‘high risk of exposure’ after syncing data from DP3T, starting to show guidelines and necessary confinement times based on the data obtained from the server.
And what about the codes they give us to report the positive? When the health authority gives us the 12-digit code, we enter it in the app and this information is sent to a server (the information only leaves our device to send the code).
From this server the PCR number is checked to be in the database and if it is positive. After verification, the data is sent back to the app and it shows us the high risk of exposure mentioned above. It should be noted that when you report your PCR positive, The identifier is not sent (the token we talked about previously) so that a PCR number cannot be linked to a device.
What about application permissions?
One of the points that has caused the most concern to users is how privacy and permissions are in Radar COVID. As the expert explains, the app uses just and necessary permissions to perform its functions.
- android.permission.INTERNET– Allows communication with DP3T and the backend of the server.
- android.permission.ACCESS_ NETWORK _STATE: allows the app to know if the device is connected to the internet.
- android.permission.BLUETOOTH: used to communicate between devices via DP3T
- android.permission.REQUEST_ IGNORE _BATTERY _OPTIMIZATIONS– Allows the application to run at any time in the background, allowing synchronizations between the application and the server to happen at the appropriate times.
The application does not access location permissions, telephone or contacts of the user, so he can not be identified in any way. About why Covid Radar not working without active GPS on Android, is due to technology Bluetooth Scanning Google’s operating system, which requires active location to track via Bluetooth.
What “goes wrong” in the published code of Radar COVID
After releasing the Radar COVID code there have been two main criticisms. The first one is that the app development history has not been published, that is, the history with all the data and steps that have been taken since the beginning of its development.
The fact that there is no history of the app means that we only have the current photo of the code, the latest version of the application. We do not know how it has been built or the decisions that have been taken. Regarding this history, requested by more than 200 academics in a “manifesto in favor of transparency in public software developments”, Linuxct considers that it goes hand in hand with discrepancies in the code, the other point criticized in Radar Covid.
Keep in mind that what happened about the code discrepancies between the Google Play version and the version that they have released to GitHub would all be resolved if they published the GitHub history, to really know what they did and why they were functionalities that have now disappeared from the source code
Endpoints not present in the code uploaded to GitHub But what are these discrepancies? Specific, there is a more extensive list of endpoints in the Google Play version, internal services that do not exist in the GitHub code, and detected code not present in the GitHub version. Regarding the endpoints, they are those URLs to which the application makes calls to interact with the server. On the other hand, there are curious details, such as that Android version uses code to detect root (which is quite obsolete as it is based on the old SuperSU and not on Magisk). This code is not in the version uploaded to GitHub.
How can this be explained? With an update to the current version of Covid Radar for Android, in which the lines of code seen in the GitHub version are included, as explained by the expert.
My way of understanding is that at some point they will update the Google Play version with the code that they have uploaded to GitHub and that this code disappears. I see it as a “lesser evil” but “good to know” …
The summary that we can get with all this information is that, although the application fulfills what it promises, the application published on GitHub is not exactly the same as on Android. As Linuxct explains, “this may be due to the fact that Google is pending to approve a possible code upload update to the Play Store and for this reason the versions differ”. On the other hand, There is no trace on the history of the app, but a current photo of the latest version.
Despite this, the application has shown be safe, do not expose the privacy of users, so any user who wants to install it on their phone can do so with the peace of mind that their data is safe.
Is full code review can be read in the Linuxct GitHub, in which the information in this article is developed in more specific terms.
was originally published in
Xataka Android
by
Ricardo Aguilar
.
