Introduction
In the run-up to the emotional vote on November 28 concerning the COVID Act – and more specifically the COVID certificate – and some of the questions it raises, we decided to carry out an analysis of the Confederation’s COVID applications.
Goal
The purpose of this analysis is to determine whether the Confederation’s COVID certificate applications comply with the Data Protection Act (DPA) and their conditions of use.
Our analysis focuses on Android versions of applications.
Analysis criteria
- Is the published source code functional?
- Do the Apps collect and transmit GPS coordinates?
- Do the Apps require more permissions than are necessary for their operation?
- Do the Apps collect other data?
- Does the server collect data?
- What information does the QR contain?
Source code
- The source code is available on GitHub : https://github.com/admin-ch/
- Certificate and verification Apps use the same code base :
- ‘Wallet‘ module: COVID Certificate application
- ‘Verifier‘ module: COVID Certificate Check application
Analysis results
1. Is the source code functional?
Apart from the fact that the Confederation’s SHA256 certificate, required to verify COVID certificates, is missing, both mobile applications can be compiled and are functional.
It is normal that this certificate was removed from the source code before publication, as it undoubtedly identifies the FOPH and is therefore critical information.
the source code published on Github corresponds to the application published on the alternative, open source and free Android ‘store’, F-Droid.
F-Droid has strict acceptance criteria for the publication of source code and libraries. The alternative Android app ‘store’ verifies that each published app meets their criteria, and that submitted apps match the publicly available source code.
2. Do Apps collect and transmit GPS coordinates?
During our tests, the following permissions were requested by the application:
- INTERNET : necessary for Internet access ✓
- CAMERA : ✓
- Necessary to register a new paper COVID certificate
- Necessary to scan a COVID certificate QR code
- ACCESS_NETWORK_STATE : network status to ensure you can contact the server ✓
The application does not require location permissions. The application cannot therefore retrieve or transmit the user’s GPS coordinates. This is confirmed for both the certificate application and the verification app.
3. Do Apps require more permissions than they need to run?
As noted in the previous point, the permissions requested by applications are legitimate and necessary for their proper operation, without giving access to sensitive information.
4. Do Apps collect other data?
Since apps have no other permissions, it’s not possible for them to access data from third-party apps – given the security settings managed by Google in Android.
5. Does the server collect data?
In our tests, we were able to scan certificates without being connected to the Internet with the verification device.
Nous avons analysé le code source du vérificateur et rien n’indique que les codes QR scannés seraient stockés quelque part, ou envoyé vers le serveur de l’OFSP si une connexion disponible.
Les serveurs de l’OFSP ne récoltent donc, à priori aucune données à partir de ces applications.
We have analyzed the verifier’s source code, and there is no indication that scanned QR codes are stored anywhere, or sent to the FOPH server if a connection is available.
FOPH servers do not, therefore, collect any data from these applications.
6. What information does the QR contain?
Data contained in the QR :
- Certificate type: Light or Normal
- Last name, first name, date of birth
- SignIssuer signature
- Generation date
- Validity end date
- Medical information
- Infection date
- Test date and results
- Date of vaccination, vaccine and number of doses
- Status (check whether revoked or not)
- Compliance with Swiss criteria (in the case of foreign certificates)
Source and further information on QR code specifications :
https://ec.europa.eu/health/sites/default/files/ehealth/docs/digital-green-certificates_v1_en.pdf#page=7
Our tests indicate that it is possible to retrieve the first name, surname and date of birth information easily. However, consulting other information linked to the certificate (number of doses, origin of certificate, type of vaccine, etc.) requires technical knowledge or the use of an unofficial application.
It seems that certificate validity is based on the issuer’s signature and expiry date, as well as the revocation status.
Conclusion
Irrespective of any opinion on the COVID Act and the forthcoming vote, our tests have shown that the Confederation’s COVID Certificate applications respect privacy and are secure with regard to data processing and user tracking.
We salute the Confederation’s transparent approach in making the source code available to the public, enabling anyone with technical knowledge to verify the application’s soundness and point out potential security flaws.
At the time of writing, we have found no way of abusing these applications – in terms of both data processing and the issuing of fraudulent certificates – without first obtaining certificate-issuing rights from the FOPH.
Concernant les données médicales dans le QR, voir notre erratum ci-dessous.
Recommendations
We recommend installing these applications from the F-Droid alternative store for two reasons :
- Do not provide any information to Google when installing the application
- Ensure that the installed application corresponds to the published source code
In addition, we strongly recommend using the ‘light‘ version of the certificate for activities in Switzerland.
Erratum
Further analysis of the verification application’s memory footprint revealed the presence of medical data in the certificate. Although this data is not displayed on the screen, technical knowledge or the use of an alternative application does allow it to be consulted.
We have our doubts about the appropriateness of including medical data in the QR code, but we assume that it is necessary for validating certificates from countries that are not directly interfaced with the Swiss Confederation’s COVID certificate system.
We have corrected our article accordingly. However, this finding does not alter our conclusions regarding the inability of COVID certificate applications to enable user tracing in their current version.