The #covidsafe app is now available in Australia 😷

However, it's a shame that they have decided not to release the source code for full transparency.

Luckily, I'm a curious chap and also a professional mobile developer.
So, I've downloaded and decompiled the Android app using the freely available, open source tools apktool and JadX.

Here are my findings for those who are interested:
First things first, the app is not obfuscated (scrambled); this means we can decompile it to a level almost as good as having the original source code.

They may not have released the source code but there is a clear intent of transparency displayed by not obfuscating it.
The Android app looks to be written in Kotlin and uses Android building blocks like activities, services, broadcast receivers, RoomDatabase, Retrofit etc.

Industry standard stuff.
Given the Android app is Kotlin, I expect #covidsafe iOS is written in Swift and uses the standard iOS APIs.

iOS apps take much more work to reverse engineer so this is simply a guess on my part.
Data is stored locally in a SQLite database using the RoomDatabase API.

This places collected data inside the app's internal storage, a secure part of your phone strictly private to #covidsafe.
This means data is secured using the operating system's security mechanisms and *is not* accessible by other applications.

Unless you have a jail-broken device or have deliberately unlocked root permissions, the data collected by #covidsafe is secure.
The app broadcasts a unique BluetoothLE SSID that other phones with #covidsafe installed can use to detect it.

Importantly, the app *does not* broadcast the device name so when another phone detects you, you are identified using a Bluetooth address and not a device name.
#covidsafe then uses a BluetoothLeScanner to watch for other devices that broadcast the app's known SSID.

Basically, #covidsafe only picks up and records other phones that have given their permission to broadcast.

This implementation is vanilla Android and is industry standard.
In terms of data transmission and remote storage, the app requires that the user manually uploads the data.

The only place in the app that transmits the data is the UploadDataUseCase:
The data upload is authenticated by a One Time Pin request that is sent to your mobile phone.

This is important as all data upload is through user consent only.
Lastly, data is transmitted via HTTPS to an AWS instance secured with a public/private key pair.

Web development and security is not my domain so I'll leave it to others to verify the locality of that endpoint.
It's also interesting to note that there is a cleanup task that automatically deletes all records after 21 days.
From what I can see, everything in the #covidsafe app is above board, very transparent and follows industry standard.

I'd be interested in hearing perspectives on the app from my tech friends. Please chime in if you are also having a dig around and find something of note 😊
Also, my good friend @GeoffreyHuntley is doing a much more thorough tear down of the app.

See here:
Another important update, please take a look at @VTeagueAus's investigation into #covidsafe.

She is a security expert and is definitely more qualified than myself to comment on the app's privacy and security.
We are running a live panel discussing our findings of #covidsafe tomorrow night.

Live from 6:30pm AEST on Wednesday 29th April.

RSVP here:
eventbrite.com.au/e/covidsafe-ap…
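As an added illustration (not code from the thread or from the COVIDSafe app itself) of the Bluetooth behaviour described above, this is what the advertise-without-device-name and filter-by-service-identifier pattern looks like in Kotlin with the standard Android BLE API; what the thread calls an SSID is a service UUID in that API. The UUID below is a placeholder, and the code assumes the Bluetooth permissions have already been granted.

```kotlin
import android.bluetooth.BluetoothAdapter
import android.bluetooth.le.*
import android.os.ParcelUuid
import java.util.UUID
// Placeholder value: the thread does not give the app's real service UUID.
val APP_SERVICE_UUID = ParcelUuid(UUID.fromString("00000000-0000-0000-0000-000000000000"))

class ProximityBeacon(adapter: BluetoothAdapter) {
    private val advertiser: BluetoothLeAdvertiser? = adapter.bluetoothLeAdvertiser
    private val scanner: BluetoothLeScanner? = adapter.bluetoothLeScanner
    private val advertiseCallback = object : AdvertiseCallback() {
        override fun onStartFailure(errorCode: Int) {
            // e.g. ADVERTISE_FAILED_FEATURE_UNSUPPORTED: surface to the user, do not retry blindly
        }
    }

    private val scanCallback = object : ScanCallback() {
        override fun onScanResult(callbackType: Int, result: ScanResult) {
            // Only an address and signal strength are available here: the advertisement
            // carries no device name by construction (see startAdvertising).
            val contact = Triple(result.device.address, result.rssi, System.currentTimeMillis())
            // ... persist `contact` to the Room database; a periodic job deletes rows older than 21 days
        }
    }

    // Advertise the service UUID only. setIncludeDeviceName(false) keeps the
    // phone's name out of the air; peers see a Bluetooth address plus the UUID.
    fun startAdvertising() {
        val settings = AdvertiseSettings.Builder()
            .setAdvertiseMode(AdvertiseSettings.ADVERTISE_MODE_LOW_POWER)
            .setConnectable(true)
            .setTimeout(0)
            .build()
        val data = AdvertiseData.Builder()
            .setIncludeDeviceName(false)
            .addServiceUuid(APP_SERVICE_UUID)
            .build()
        advertiser?.startAdvertising(settings, data, advertiseCallback)
    }

    // Scan with a ScanFilter on the same UUID: the callback fires only for
    // devices advertising this app, so unrelated Bluetooth devices are never
    // surfaced to the app, let alone recorded.
    fun startScanning() {
        val filter = ScanFilter.Builder().setServiceUuid(APP_SERVICE_UUID).build()
        val settings = ScanSettings.Builder().setScanMode(ScanSettings.SCAN_MODE_LOW_POWER).build()
        scanner?.startScan(listOf(filter), settings, scanCallback)
    }
}
```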
Keep Current with Matthew Robbins