Have the #covid19 app and time to take a look. Not sure how much I'll do tonight because I'm sleepy.

First off, it looks like it only asks for a partial postcode when registering. Nice of them to provide one for me.
It needs these permissions, which is reasonable.
And that's it. Next step is to see what it's sending over the network. A real PITA since Android was changed to not trust user certs.
Actually before that, let's try reversing the app.

Nice, it's not obfuscated. Note, this isn't a security issue and I would expect it to be open.
Been struggling trying to view network traffic. Maybe a problem with my setup, maybe cert pinning (I've managed to view a couple of requests, which is strange) but not the registration process.

Anyway, decided to look at what's stored when you're in contact with someone.
Some analytics are sent to third parties (in this case, Microsoft). Would rather nothing was sent but it's understandable.
Okay, managed to capture the registration (I've done 100s of MitM attacks this way. I need to figure out why it's being so flaky this time).

It seems to work the way described in the NCSC white paper but need to investigate further as it communicates with a few services.
Will do a quick code review. First these are the permissions the app requests. Everything seems reasonable. Android requires apps to request location permissions to use Bluetooth.
Looks like it doesn't just broadcast a beacon but expects apps to connect to the BLE service. Makes sense I guess as they probably can't fit all the data they need in an advertising beacon.

Okay, time for bed. Will hopefully be able to continue tomorrow.
So far not seen anything especially unexpected. It appears to follow what is documented in the white paper. There are quite a lot of third parties in use but nothing other app developers don't use.
Hmm, don't like this in the network security config.
Keep Current with Jay Harris