Comments (8)
Security by obscurity is not security at all. I support @cmoro-deusto on that
from radar-covid-android.
@cmoro-deusto even when I see and share your point, this or reproducible builds won't allow to fully check 100% that the code published in Google Play is the same as the code and so on published on these repositories. When apps are published, code is minified, obfuscated, signed, etc. so the final apk from your "reproducible build" will never be exactly the same as the one published. In fact, they did not publish the actual source code for CheckSumUtil and JwtAuthorizationFilter (see README) and it definitely makes sense, as some people were trying to guess and hack the positive report system, that could lead into chaos.
from radar-covid-android.
@spanishkangaroo a process similar to the one used by Signal could be implemented. Please see: https://github.com/signalapp/Signal-Android/blob/master/ReproducibleBuilds.md
from radar-covid-android.
@cgimeno I cannot agree more with you. I'm just saying that of course it will be better, but it will not fully solve every concern. Just check the apkdiff.py used for apk comparison, you're fully relying on it and it does not, for example, compare resources that could have hidden stuff.
from radar-covid-android.
@cgimeno Indeed. @spanishkangaroo Of course you cannot compare "secrets", but you can compare the binaries. That's Signal's approach. The secrets should also live in the appropriate environment, not in the source code.
I have been unable to review the source completely, but apparently (I might be wrong) some of those secrets exist in source as properties and that's why they have been forced to strip them from the code.
I'm also not fully convinced that CheckSumUtil
and JwtAuthorizationFilter
apply to the mobile app (certainly the auth filter should only apply to the backend).
Nevertheless and to be clear I'm not trying to nickpick: I reckon more exposure of the build and release system would allow for more independent reviews. That should allow more confidence in the whole solution, leading to a bigger installation base, which is what we all should aim for.
from radar-covid-android.
People that actually care about others, the current situation and themselves will download the app anyway. Even if the app leaks data to the government, that already know about all your illnesses and earnings; or to Google or Apple, whose source-closed operating systems you've been running for years.
There is no point in caring that much about this app. Just common sense.
from radar-covid-android.
@spanishkangaroo I respectfully disagree. The fact of opening the code is to show transparency and to allow independent reviews in order to increase confidence.
from radar-covid-android.
Thanks. We will take into account this suggestion for future improvements.
from radar-covid-android.
Related Issues (20)
- Rework of the whole UI? HOT 6
- ¿Future implement of Huawei Contact Shield? HOT 7
- Unnecessary dependency on Google's API HOT 19
- ¿Se permite abrir "issues" en español? HOT 1
- Multilanguage support HOT 4
- Notificación no útil. HOT 20
- It is not possible to change language HOT 3
- F-droid inclusion HOT 7
- Suggestion to use Weblate for translations HOT 2
- La app aquí expuesta es la misma que la que está en Google Play? HOT 3
- Minimum versión API 21 HOT 1
- SDK 30 Location error notification HOT 4
- Question: Why location permission is not in AndroidManifest.xml? HOT 4
- Funcionamiento hasta aceptar condiciones de uso HOT 1
- Traffic analysis: strange calls to URLs HOT 3
- Lower required Android version
- RadarCOVID first analysis using automated COVID-GUARDIAN toolkit
- Project not building due to missing dependency
- Project source code does not match latest release (v1.4.1) HOT 1
- Project source code does not match latest release (v1.4.3) HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from radar-covid-android.