Evaluation of SwissCovid app

Own Analysis of SwissCovid


The National Cyber Security Center (NCSC) organized a public security test of the SwissCovid app. The test "aims to provide full transparency".

In response to the public test, we provided a report on June 5 which was subject to Responsible Disclosure with no time limit. A summary of our conclusions was quickly published by NCSC without our report. However, our report was commented on and even criticized in the press on June 10 by SwissCovid representatives (while we were still forbidden to publish the report itself).

On June 16, we received an authorization to publish it ourselves. The NCSC site lists many security review reports which are rather optimistic about SwissCovid. It does not list ours. Instead, it includes a "detailed analysis" by NCSC of our report. We disagree with this analysis.

Since it seems quite clear that communication is not transparent, we put our observations here for the public.

The June 5 report was augmented with an addendum. In summary, our observations are as follows.

  • Although the source code of the app is provided, we cannot compile it, run it, and make it work without signing an agreement with Apple or Google. We do not find this compatible with the notion of open source.
  • An essential part of the contact tracing protocol (which was originally the DP3T protocol) is implemented by Apple-Google in a part of the system called GAEN. This part has no available source code although the law requires disclosure of the source code of all parts of the system.
  • Some servers are hosted by Amazon, as part of a CDN service.
  • The information available to potential users is unclear, incomplete, or wrong.
  • Users are likely to be traced or identified by surveillance systems of third parties while using SwissCovid.
  • Diagnosed users who report have a risk of being identified by a third party.
  • Third parties could inject false possible contamination alerts on a target phone or on a large group of target phones. This would result in sending people into quarantine without their being considered at risk.

To deal with GAEN having no available source code although the law mandates all parts to have an available source code, the Federal Council issued an ordinance making an exhaustive list of parts which does not include GAEN. To justify such an exclusion, SwissCovid promoters argue that GAEN is part of the operating system of the phone, or sometimes part of the Bluetooth communication interface of the phone, and that it is not usual to require disclosure of the source code of such parts. We claim that GAEN is not such a part of the phone, at least on Android phones. GAEN is part of the Google Play Services, which are independent of the operating system and of the communication interfaces. We could indeed run a pre-standard version of SwissCovid on an Android phone which had no Google Play Services. However, this phone had the Android operating system and could use Bluetooth. Furthermore, most of the previous DP3T protocol which was implemented in this pre-standard version disappeared in the current version of the app since an equivalent protocol is now in GAEN. We conclude that there is no founded technical justification for excluding GAEN from the parts of the system. We strongly believe that the ordinance is a legal trick to bypass the law which is the consequence of a disagreement between SwissCovid and Apple-Google. We urge constitutional experts to make an assessment of the validity of the ordinance.

We put here the NCSC analysis of our report along with our own notes. The summary of our remarks is as follows.

  • NCSC says that the results of the public test are available on the NCSC web site. However, our report is not there and we wonder if other reports are missing. We conclude that the public test is not as transparent as it aimed to be.
  • NCSC still insinuates that GAEN is part of the operating system, which is not the case.
  • NCSC claims that the use of GAEN increased the privacy of the users. We strongly disagree with this statement. Outsourcing an essential part of contact tracing to an opaque implementation, which is made available by a third party, which was installed on existing phones without the consent of the users, and which was not subject to an independent audit cannot improve the privacy of anyone.
  • NCSC claims that GAEN is an interface and not a protocol. We disagree with this statement. GAEN implements an essential part of the contact tracing protocol, what used to be the DP3T protocol. We rather see the app as being an interface between GAEN, the servers, and the user.
  • NCSC argues that Amazon hosting some servers is harmless since the service is only about distributing non-sensitive data. In other contexts, such a claim has been shown to be wrong. However, we have insufficient information to assess the security impact of this service.
  • NCSC mentioned several possible attacks as being known and documented without providing any reference. We are aware those attacks are not new and we cannot imagine NCSC is unaware of them. Our main point is that users should be aware of those attacks and that information is not easily available at the moment.
  • NCSC states that "Users can always turn off tracing if they are in what they consider to be a sensitive environment". We strongly agree with it but we believe that users should know about possible attacks and be reminded that they can turn off SwissCovid if they are concerned.
  • NCSC argues that having apps scanning Bluetooth although the user turned off Bluetooth is not a risk for the user. This is wrong. Some apps (and even GAEN) could continue scanning (against the user's consent). They could determine the risk of infection of the user with thresholds different from those of the FOPH and also identify the contacts of the user. Currently, turning off Bluetooth scanning is difficult on phones and this is known as a privacy risk.
  • NCSC claims that malicious apps are not an issue specific to SwissCovid. Our point is that SwissCovid adds a threat that malicious apps can exploit.

Our references:

Legal references (in French):

Other references:


Last update: June 19, 2020.
