Part of the Governance of introducing IRMA in the Municipality of Amsterdam, we need to perform a risk analysis on information security and privacy.

Weak pincode

An issue that might block or delay the introduction of IRMA is the weak pincode a user can choose to access IRMA.

Feature request

• When creating an IRMA account: Enforce to choose a safe pin that is hard to guess (prevent pincodes with ranges 12345, 54321 or similar numbers in it (for example 11111, 12121, etc.)
• Stimulate choosing an unique pincode, not used in other apps.
• Suggest existing users to change pincode regularly

Waarom kan ik niet het gebruiken zonder wifi?

Greetings,

I'm creating a Docker image with all the dependencies needed to build the IRMA app. I installed all the dependencies and (recursively) cloned the current version of this repo, but if I try to build the app with the command flutter build apk inside the repo's root, I get the following error: e: /root/flutter/.pub-cache/git/flutter_privacy_screen-a3c29f667d5a556cf0280f1b39851a2707f788be/android/src/main/kotlin/be/appmire/flutter_privacy_screen/FlutterPrivacyScreenPlugin.kt: (21, 63): Smart cast to 'Activity' is impossible, because 'registrar.activity()' is a complex expression
You can find the full output here. Are you able to build the current version? Maybe I have to checkout a particular branch?
Thank you for your help,

GTP

I would really like to see NFC support so I can add my creditcards and ov-card etc to irma. Then i could replace google wallet for irma and have more trust. is this an antcipated feature?

Sentry Issue: IRMAMOBILE-2020-12F

_CastError: type 'Null' is not a subtype of type 'List<dynamic>' in type cast
  File "session.g.dart", line 79, in _$RequestorInfoFromJson
  File "session.dart", line 301, in new RequestorInfo.fromJson
  File "log_entry.g.dart", line 38, in _$LogEntryFromJson
  File "log_entry.dart", line 88, in new LogEntry.fromJson
  File "log_entry.g.dart", line 11, in _$LogsEventFromJson.<fn>
...
(24 additional frame(s) were not displayed)

Sentry Issue: IRMAMOBILE-2020-12H

OSError: OS Error: No such file or directory, errno = 2
FileSystemException: FileSystemException: Cannot open file, path = 'c5d0f1e727ceeb73531281a6b2bc021fb0935dc3b18b4b3e8fe30f5ae410213b' (OS Error: No such file or directory, errno = 2)
  File "file_impl.dart", line 356, in _File.open.<fn>
  File "zone.dart", line 1434, in _rootRunUnary
  File "<asynchronous suspension>"
  File "image_provider.dart", line 890, in FileImage._loadAsync

In dit scherm de tekst aanpassen naar:
"Wil je de volgende persoonlijke gegevens delen met gemeente Nijmegen en bellen naar xxxxx? "

• 'Dit' in de huidige tekst is niet duidelijk, dus concretiseren
• Dikdrukken van organisatie en telefoonnummer zou ik hanteren.
• Tekst knoppen: 'Nee, liever niet' is gek. Je kunt namelijk niet bellen als je je gegevens niet bekend maakt. Dus gewoon 'Nee'.
• Ik vind persoonlijk de interface niet helemaal duidelijk. Door de de vraag bovenin de plaatsen en de knoppen onderin moet ik even nadenken en goed kijken wat ik moet doen. Nadat dit scherm opent valt mijn oog namelijk gelijk op de knoppen (waarschijnlijk door het kleurgebruik maar ook door het grote witte vlak daarboven/ onder de vraag) maar snap ik niet waar deze knoppen voor dienen. Ik moest echt even zoeken naar de vraag. Kan daar iets aangedaan word qua vormgeving?

Daar zit de gotcha bij dat 'gemeente Nijmegen' natuurlijk niet de hostname is van de server waarop IRMA draait.
Voor een gebruiker is een logische naam wel veel voor de hand liggender dan een technische naam.

It only occurs on physical iOS devices. No clear exception is being shown. It looks like a silent timeout or something. It happens when the enrollment introduction integration test is starting. That's after the issuance issue-municipality-en test finishes. It's likely that the issue lies in one of these two tests.

The issue occurs both in Firebase Test Lab and in my local setup using my own iPhone, so it is not related to a specific environment.

When compiling with XCode 14.3.1 there are no issues. Upgrading flutter, golang or gomobile to the latest versions does not make a difference.

As a work-around we pinned the XCode version to 14.3.1 in #272 .

Sentry Issue: IRMAMOBILE-2020-12K

UnsupportedError: Unsupported operation: Cannot add to an unmodifiable list
  File "history_repository.dart", line 65, in new HistoryRepository.<fn>
  File "scan.dart", line 13, in _ScanStreamSink.add
...
(16 additional frame(s) were not displayed)

The test fails half of the time with the following error:

java.lang.Exception: ══╡ EXCEPTION CAUGHT BY FLUTTER TEST FRAMEWORK ╞═════════════════
The following assertion was thrown running a test:
The finder "zero widgets with text "Prefer a shorter PIN?"
(considering only hit-testable ones) (ignoring offstage widgets)"
(used in a call to "tap()") could not find any matching widgets.
When the exception was thrown, this was the stack:
#0 WidgetController._getElementPoint (package:flutter_test/src/controller.dart:1294:7)
#1 WidgetController.getCenter (package:flutter_test/src/controller.dart:1233:12)
#2 WidgetController.tap (package:flutter_test/src/controller.dart:554:18)
#3 WidgetTesterUtil.tapAndSettle (file:///home/runner/work/irmamobile/irmamobile/integration_test/util.dart:15:11)
#4 main.<anonymous closure>.<anonymous closure> (file:///home/runner/work/irmamobile/irmamobile/integration_test/settings_test.dart:231:20)
<asynchronous suspension>
#5 testWidgets.<anonymous closure>.<anonymous closure> (package:flutter_test/src/widget_tester.dart:165:15)
<asynchronous suspension>
#6 TestWidgetsFlutterBinding._runTestBody (package:flutter_test/src/binding.dart:982:5)
<asynchronous suspension>
The test description was:
change-pin

On some phones the buttons to enter the digits 9 and 0 sometimes fall off the screen. Not all failed test cases point in the direction of this, so it could be that there are more issues.

On several android phones, the Irma app gives an error when scanning a QR phones. Attached are photos of the error in the app.

The problem occurs on several Android phones that we tested. Other phones worked fine. I do not know if iOS is affected. The screenshot is of my personal Pixel 6a with android 12. Doing a full deinstall followed by a reinstall of the app does not solve the problem.

There is a bit of urgency here, apart from that such an error probably always is urgent in these kinds of apps. As you may know, Irma is being used by the Nuts Foundation, to authenticate users in sharing data in Healthcare. next week is the second hackathon for the eOverdracht-project, in which several vendors are testing their first use case on the nuts network, and will try to get their applications to share data in the nuts acceptance network. This cannot work without the Irma app functioning as intended.

What I did:

• get email plus personal data (digid) attributes in the irma app
• Scan a QR code that requests first name, last name and email attributes
• The following stack trace appears
  
  

To run the integration test a test backend is needed where the app can make its network requests to. Currently, this is an improvised setup hosted by my personally. This is not future-proof. A publicly available test environment of the keyshare server should be created somewhere else for this.

The irmagobridge might give a KeyshareEnrollmentMissingSessionEvent. The Flutter side fully ignores this event. Due to this a loading spinner is displayed indefinitely, because the app does not know that an error occured.

Sentry Issue: IRMAMOBILE-2020-136

_CastError: Null check operator used on a null value
  File "session_screen.dart", line 61, in _SessionScreenState.dispose.<fn>

Stack trace:

String: Cannot initialize client: Hash of /var/mobile/Containers/Data/Application/***/Library/v2/irma_configuration/irma-demo/description.xml does not match scheme manager index
  File "*errors.errorString", in Cannot initialize client: Hash of /var/mobile/Containers/Data/Application/***/Library/v2/irma_configuration/irma-demo/description.xml does not match scheme manager index
  File "schemes.go:687", in (0x105385dd4)
  File "schemes.go:675", in (0x105385c8c)
  File "schemes.go:342", in (0x10538371c)
  File "irmaconfig.go:156", in (0x105369f90)
  File "common.go:245", in (0x1051d04f8)
  File "common.go:225", in (0x1053699ac)
  File "irmaconfig.go:155", in (0x105369959)
  File "irmaconfig.go:227", in (0x10536a3dc)
  File "client.go:176", in (0x10539d18c)
  File "bridge.go:150", in (0x1053ba3e0)
  File "go_irmagobridgemain.go:196", in (0x1053c29ac)
  File "unparsed", in _cgo_gotypes.go:296 (0x1053c3734)
  File "cgocall.go:316", in (0x104f6a4e4)
  File "cgocall.go:235", in (0x104f6a218)
  File "asm_arm64.s:1087", in (0x104fcb980)
  File "asm_arm64.s:1165", in (0x104fcba54)

The current app uses the language setting of the OS.
Please provide a setting in menu to choose a different language for the IRMA-app.

1. When you open the app after it has not been used for a year, you have the option the start over. The red button cannot be reached because it appears behind the keyboard which you can't hide.

2. In the first (re)setup flow after the pincode entry you are asked for your email address. When you leave the app and come back the input field is active, but the keyboard won't show. You have to skip that step or redo the pincode to show the keyboard.

iOS 14.8.1
Irma 6.2.0
iPhone 8

Edit: nvm. Turned out iOS messed up the update to 6.2.0. It does that sometimes.

In the build-app-ios action the following error occurres:

Undefined symbols for architecture arm64: "_res_9_nclose", referenced from: _internal/syscall/unix.libresolv_res_9_nclose_trampoline.abi0 in Irmagobridge(go.o) "_res_9_ninit", referenced from: _internal/syscall/unix.libresolv_res_9_ninit_trampoline.abi0 in Irmagobridge(go.o) "_res_9_nsearch", referenced from: _internal/syscall/unix.libresolv_res_9_nsearch_trampoline.abi0 in Irmagobridge(go.o) ld: symbol(s) not found for architecture arm64

I cloned the project to my local machine and modified the description.xml file inside irma_configuration/pbdf/, adding tags. However, after recompiling the project, I still cannot display the language code "zh". How should I proceed?

https://drive.google.com/file/d/1uoezEJ85grhw_3rTV_zAo5pEEv0L3g5M/view?usp=sharing

In the flow, it is possible to request optional attributes that may be 'not null.' For this purpose, a design has been created that needs to be implemented so that this exception can be handled. Important: It is optional in the credential, but the verifier can request this (specifically not null).

https://irma.app/docs/session-requests/#null-attributes

Note: It may be necessary to make changes in the bloc as well.

Design ideas:

Expected behaviour

The camera should be deactivated after scanning the QR code, as well as after closing the QR view.

Actual behaviour

The green camera indicator in the upper right-hand corner stays active, even after the QR code has been scanned. The camera also makes a sound as if it is focussing. Pressing the home button takes the app to the background, temporarily deactivating the camera, only to resume when the app is opened again. The only way to fully deactivate the camera is to close the app by double-tapping the home button and swiping up.

iPhone model: iPhone SE (2nd generation)
iOS version: 14.2
App version: 6.0.10

ref: https://gitlab.com/fdroid/fdroiddata/-/jobs/4053212260#L788

/LE: fyi https://gitlab.com/fdroid/fdroiddata/-/commit/324469753aeca008a413f062a32cb259bd34106e

On some Android devices an error occurs when requesting permission to the users camera. I was unable to reproduce this error on my own device, a One Plus Nord 2.

PlatformException(PermissionHandler.PermissionManager, A request for permissions is already running, please wait for it to finish before doing another request (note that you can request multiple permissions at the same time)., null, null)

This issue seems to be related to a problem within the package, and has been discussed in the following GitHub issue: Baseflow/flutter-permission-handler#950.

At first the Yivi app works fine, but after a year the app starts with a fatar error:

java.security.InvalidKeyException: Keystore operation failed
android.security.keystore2.KeyStoreCryptoOperationUtils.getInvalidKeyException(KeyStoreCryptoOperationUtils.java:130), android.security.keystore2.KeyStoreCryptoOperationUtils.getExceptionForCipherInit(KeyStoreCryptoOperationUtils.java:154)

It only occurs on devices of the Samsung Galaxy S21 series. We currently have reports from 44 different users and all of them use a Samsung Galaxy S21.

With the recent UX update of the IRMA app my local development setup stopped working. Error message: 0 https: remote server does not use https. Before the updat IRMA app didn't require https for localhost...

I use the irma server -v --static-path examples/browser for my convenience to work with.

encountered behavior:
On Android (app version e63aee5), when viewing a card and then pressing the back button, the app exits.

Expected behavior:
When pressing the back button, the card view should return to the wallet view and not exit the app.

Potential causes:

• The web browser available to the user is no longer supporting plain HTTP for external links, preferring HTTPS
• Error due to an invalid URL
• Google Play is not installed
• Using a rooted device when launching intent
• Using an app that is not accessible because of profile restrictions
• Settings put into place by an administrator
  https://www.positioniseverything.net/no-activity-found-to-handle-intent/

It does not happen very often, so there is not much priority.

Sentry Issue: IRMAMOBILE-2020-1TC

PlatformException: PlatformException(, android.content.ActivityNotFoundException: No Activity found to handle Intent { act=android.intent.action.VIEW dat=https://sidnemailissuer.yiviconnect.nl/... (has extras) }, android.content.ActivityNotFoundException: No Activity found to handle Intent { act=android.intent.action.VIEW dat=https://sidnemailissuer.yiviconnect.nl/... (has extras) }
	at android.app.Instrumentation.checkStartActivityResult(Instrumentation.java:2080)
	at android.app.Instrumentation.execStartActivity(Instrumentation.java:1727)
	at android.app.Activity.startActivityForResult(Activity.java:5377)
	at android.app.Activity.startActivityForResult(Activity.java:5335)
	at android.app.Activity.startActivity(Activity.java:5721)
	at androidx.core.content.a$a.b(ContextCompat.java:1)
	at androidx.core.content.a.i(ContextCompat.java:1)
	at m.b.a(CustomTabsIntent.java:10)
	at x1.a.onMethodCall(IIABPlugin.java:45)
	at l2.k$a.a(MethodChannel.java:18)
	at z1.c.l(DartMessenger.java:19)
	at z1.c.m(DartMessenger.java:41)
	at z1.c.i(DartMessenger.java:1)
	at z1.b.run(R8$$SyntheticClass:13)
	at android.os.Handler.handleCallback(Handler.java:938)
	at android.os.Handler.dispatchMessage(Handler.java:99)
	at android.os.Looper.loop(Looper.java:246)
	at android.app.ActivityThread.main(ActivityThread.java:8653)
	at java.lang.reflect.Method.invoke(Native Method)
	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:602)
	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1130)
, null)
  File "irma_repository.dart", line 558, in IrmaRepository.openURLinAppBrowser

If users have a credential in their app where revocation is enabled, then this error is triggered and sent to Sentry. Error is not visible to the user.

nonrevocation witness invalidated by update

https://gabi-irma.sentry.io/issues/3928942545/?project=5251288

I am trying to run the irmamobile project with flutter run, after following all the described steps in readme.
The output from the flutter run looks like this:

`lib/src/screens/pin/pin_screen.dart:64:13: Error: No named parameter with the name 'child'.
child: PinWrongAttemptsDialog(
^^^^^
../../flutter_windows_2.0.3-stable/flutter/packages/flutter/lib/src/material/dialog.dart:1035:12: Context: Found this candidate, but the arguments don't match.
Future<T?> showDialog({
^^^^^^^^^^
lib/src/screens/pin/pin_screen.dart:75:13: Error: No named parameter with the name 'child'.
child: PinWrongBlockedDialog(blocked: pinState.blockedUntil.difference(DateTime.now()).inSeconds),
^^^^^
../../flutter_windows_2.0.3-stable/flutter/packages/flutter/lib/src/material/dialog.dart:1035:12: Context: Found this candidate, but the arguments don't match.
Future<T?> showDialog({
^^^^^^^^^^
lib/src/screens/change_pin/change_pin_screen.dart:136:17: Error: No named parameter with the name 'child'.
child: PinWrongAttemptsDialog(attemptsRemaining: state.attemptsRemaining),
^^^^^
../../flutter_windows_2.0.3-stable/flutter/packages/flutter/lib/src/material/dialog.dart:1035:12: Context: Found this candidate, but the arguments don't match.
Future<T?> showDialog({
^^^^^^^^^^
lib/src/screens/enrollment/widgets/introduction.dart:40:7: Error: No named parameter with the name 'resizeToAvoidBottomPadding'.
resizeToAvoidBottomPadding: false,
^^^^^^^^^^^^^^^^^^^^^^^^^^
../../flutter_windows_2.0.3-stable/flutter/packages/flutter/lib/src/material/scaffold.dart:1451:9: Context: Found this candidate, but the arguments don't match.
const Scaffold({
^^^^^^^^
../../flutter_windows_2.0.3-stable/flutter/.pub-cache/hosted/pub.dartlang.org/flutter_svg-0.19.0/lib/src/picture_provider.dart:52:59: Error: No named parameter with the name 'nullOk'.
context != null ? Localizations.localeOf(context, nullOk: true) : null,
^^^^^^
../../flutter_windows_2.0.3-stable/flutter/packages/flutter/lib/src/widgets/localizations.dart:413:17: Context: Found this candidate, but the arguments don't match.
static Locale localeOf(BuildContext context) {
^^^^^^^^
../../flutter_windows_2.0.3-stable/flutter/.pub-cache/hosted/pub.dartlang.org/provider-3.2.0/lib/src/delegate_widget.dart:194:18: Error: Superclass has no method named 'inheritFromEle
ment'.
return super.inheritFromElement(ancestor, aspect: aspect);
^^^^^^^^^^^^^^^^^^
../../flutter_windows_2.0.3-stable/flutter/.pub-cache/hosted/pub.dartlang.org/provider-3.2.0/lib/src/provider.dart:259:19: Error: The method 'inheritFromWidgetOfExactType' isn't defin
ed for the class 'BuildContext'.

• 'BuildContext' is from 'package:flutter/src/widgets/framework.dart' ('../../flutter_windows_2.0.3-stable/flutter/packages/flutter/lib/src/widgets/framework.dart').
  Try correcting the name to the name of an existing method, or defining a method named 'inheritFromWidgetOfExactType'.
  ? context.inheritFromWidgetOfExactType(type) as InheritedProvider
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ../../flutter_windows_2.0.3-stable/flutter/.pub-cache/hosted/pub.dartlang.org/provider-3.2.0/lib/src/provider.dart:260:19: Error: The method 'ancestorInheritedElementForWidgetOfExactT
  ype' isn't defined for the class 'BuildContext'.
• 'BuildContext' is from 'package:flutter/src/widgets/framework.dart' ('../../flutter_windows_2.0.3-stable/flutter/packages/flutter/lib/src/widgets/framework.dart').
  Try correcting the name to the name of an existing method, or defining a method named 'ancestorInheritedElementForWidgetOfExactType'.
  : context.ancestorInheritedElementForWidgetOfExactType(type)?.widget
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

FAILURE: Build failed with an exception.
`

It seems like lib\src\screens\pin\pin_screen.dart uses a child parameter from flutters showDialog in dialog.dart, which is not supported anymore and was removed in december 2020. Similar thing could be the problem with resizeToAvoidBottomPadding from lib/src/screens/enrollment/widgets/introduction.dart .

Gaat om dit scherm:

Tekstvoorstel:
In blauwe kader: i + Je persoonlijke gegevens zijn doorgegeven aan gemeente Nijmegen

Je kunt nu bellen
Klik op doorgaan. Het telefoonnummer verschijnt dan automatisch. Achter het nummer staat een persoonlijke code. Hier hoef je niks mee te doen.

Kies je voor bellen, dan hoor je enkele tonen. Daarna word je verbonden

Overweging hierbij:
• Blauwe kader: er staat twee keer dat de gegevens zijn doorgegeven. 1 zin is voldoende. Sowieso is doorgegegeven geen woord. (er staat dus sowieso een vette type in het huidige scherm)

Finding: users compare/confuse the retrieved personal data with a passport data and see a validity period and wonder whether this is correct. And users do not know what a level of assurance is and relate this to themselves: am I averagely reliable?

Solution: show the validity period and LoA separately in Yivi, these are now presented as part of the retrieved personal data. Also provide an explanation of what this data means.

Finding: the confirmation email is sent by the unknown organization SIDN.

Solution: send the email on behalf of Yivi.

Getting up and running with building this project for Android at present.

Can I get some further information (perhaps it can be added to the docs, happy to write them and submit a PR if I can get the information) on how the build flavors are used/named in irmamobile?

What do I get if I build for beta over alpha flavor in the resulting app?

Is alpha more production ready than beta or the other way around?

Many thanks :D

Problem

The IRMA iOS app freezes when I try to disclose pbdf.nijmegen.personalData.fullname to a local irmago server running in development mode (see below for versions of software used).

Expectation

That I can request the attribute.

Reproduce

1. run ./irma-master-darwin-amd64 server -v in terminal window A
2. run ./irma-master-darwin-amd64 session --server http://localhost:8088 --disclose pbdf.nijmegen.personalData.fullname in terminal window B
3. launch the IRMA app and turn on developer mode (by tapping 7x on the version label)
4. go back to the main screen of the IRMA app and click "QR scan" to scan the QR code produced in step 2.
5. Notice that the app freezes. The screen remains white. A restart of the app is required (killing it) before it goes back to normal.

Note

I have tried to request another attribute and that worked great. It appears as though the specific attribute I'm requesting matters. For example: when I request pbdf.pbdf.mobilenumber.mobilenumber using the same steps it works fine and the attribute appears in my terminal and the app keeps functioning. I've also tried deleting and re-adding the BRP data but that didn't help.

Software versions used

• irma-master-darwin-amd64 with shasum=72618081e5c125995e168a71a546a05df0ab761f (latest master downloaded today). To make the confusion about which version I'm using complete, the shasum I mentioned doesn't refer to a git commit but is the hash of the file.
• iOS app version ad77578 (running in developer mode)

The latest version fail to build on F-Droid due to a missing git tag:
https://f-droid.org/wiki/page/org.irmacard.cardemu/lastbuild_130
Can you please add them?

I suppose this is more of an issue with services.nijmegen.nl, but I wasn't sure where to better report it.

Open app -> Refresh card -> Inloggen met DigiD -> Redirect to Google Play Store

I've created a video to show the problem: https://streamable.com/hogqt6

IRMA: org.irmacard.cardemu 6.0.9
Browser: org.mozilla.firefox 82.1.1
DigiD: nl.rijksoverheid.digid.pub 5.16.1

Cards with an issue, say 'expired', have a little alert icon instead of the three dots icon.

This alert icon does not invite interaction. If you want to delete a card due to being expired, you have to search and try to find out how you can delete it.

This can easily be fixed by adding the three dots icon for every card, and then display the alert icon just to the left of it. That way the interaction options for every card are the same, and for some cards you get an alert icon that indicates it is recommended to interact with them

It would be great to have an option to disable the FlutterPrivacyScreen, while the purpose of the FlutterPrivacyScreen is obvious and important, it can sometimes be useful to have the ability to take screenshots for debug purposes or to demo the APP using a screencast.

Some banking apps provide the same option in the settings.

Sentry Issue: IRMAMOBILE-2020-146

_CastError: Null check operator used on a null value
  File "session_screen.dart", line 124, in _SessionScreenState._buildFinishedContinueSecondDevice
  File "session_screen.dart", line 202, in _SessionScreenState._buildFinished
  File "session_screen.dart", line 362, in _SessionScreenState.build.<fn>
...
(16 additional frame(s) were not displayed)

Finding: The user is asked to enter his/her PIN code several times during long-term use of Yivi.

Solution: Do not request a PIN as long as the user is actively using Yivi. Only ask for the PIN code if Yivi is no longer actively used for x minutes (just like mobile banking).

What I expect to happen

For the Home screen to have a consistent number of Recent Activity entries (for example, the last 4)

What happened instead

On the Home screen under Recent Activity it first shows 4 activities when opening the app, but when switching back to Home screen after already being in the app it shows 2 activities instead.

How to reproduce

• Make sure there's more than 4 entries in the Activity tab in your app
• Close the app and remove it from your "recent apps"
• Open the app fresh
• It will now display 4 entries under Recent Activity
• Switch to any other tab and back to Home
• It will now only display 2 entries under Recent Activity

Hard and software

• App version: 7.0.1 (419445, fa2ebd5)
• Android version: 12
• Device: OnePlus 7T Pro

User story: I have one old email address which is expired in my list of attributes. Even though I select another non-expired attribute, this expired attribute is sent to the server.

I suspect that an index number in the 'un-expired' attribute list is used during selection, but during sending that index number is used on the full list of attributes (both expired and non-expired).

I consider this a privacy leak: an attribute (although expired) that I did not select is send to the IRMA server.

Next annoying thing: how can I remove an expired attribute from my list without renewing it? There is no way currently for this.

OS: Android
Version app: 7.2.0 (using the Yivi branding, some beta channel in the Play Store).

P.S. Nice Yivi redesign, nice that the app remembers which attribute was used to disclose to the server (did not remember seeing that before).

Finding: users who do not live in Nijmegen are surprised and do not find it logical that their personal data is collected via Nijmegen. NB: this also applies for other data sources, the Chamber of Commerce data via Signicat.

Solution: show at the top of the Yivi explanation page through which organization (= Nijmegen) data is collected.