Today, Inesc Tec's president reinforced the intent to fully open the platform's source code. However, the server-side source code seems to be missing.

There is a stale fork of the DP3T server backend, with no edits since July 14. This means that two scenarios are possible:

• Either this fork is being used as the server backend, meaning that the framework is missing security updates from the last couple of months, and that no improvements have been made during the testing period
• Or this fork is not the actual code of the server, meaning that the server code is not published.

Of course, the 2nd option seems much more likely, which is why it's important to know why the platform's source code is not yet fully published, contrary to public statements. Can anyone explain?

There are several people asking why the location access is needed when they already enabled the bluetooth. This leads to distrust and that people won't install the app.

Maybe during the onboarding additional screens should be added to explain why all the permissions/access are needed.

By including dependencies with caret: (example:"react-native-version-number": "^0.3.6") you are allowing the mantainer of the dependency to include any code he wishes in your app just by releasing a minor without giving you a chance to review his changes.

Notice this can also be done through sub dependencies or through your build process (example: devDependencies could inject malicious code in your source on npm install or during build).

Example: https://www.veracode.com/blog/research/discovering-malicious-packages-published-npm

According to
https://github.com/stayawayinesctec/stayaway-app/blob/master/android/app/build.gradle#L262
we're using 1.0.2 of dp3t-sdk-android, but an 1.0.3 version exists (and includes a bugfix):
https://github.com/DP-3T/dp3t-sdk-android/blob/master/CHANGELOG.md#version-103-2472020

after installing the application, the date of the last update remained unchanged, is there any way to force an update?

An idea to improve the user experience of the app is instead of the user having to open the app all the time to check the status or wait for a notification (that can be missed), you can have a widget with the main info (had/not had contact with an infected person) or even to input the code provided by the doctor.
If you need help developing this feature I can help you with that.

The background stock image gives a false sense of security since there are two people close to each other when one of the main measures to fight this pandemic is social distancing.

Please consider changing it to something more appropriate.

To reduce the chance of fat-finger errors the app could perhaps offer the option to scan a QR or bar code.

This code could then come printed on the covid-19 diagnostic reports.

Dependency react-native-netinfo contacts a third-party (Google) by default.

Default configuration: https://github.com/react-native-community/react-native-netinfo/blob/master/src/internal/defaultConfiguration.ts

Used in https://github.com/stayawayinesctec/stayaway-app/blob/master/src/app/sagas/services/index.js

This issue was already raised in at least one other of the contact tracing apps: https://seancoates.com/blogs/how-i-helped-fix-canadas-covid-alert-app

OS: iOS 13.7
App Version: 1.0.1

The toggle for "Monitoring", which can be accessed via the hamburger menu > Monitoring, does not work if the app is set to Portuguese.

Tapping the toggle does not result in any observable action, and it stays on.

Interestingly, if the app is running in English, that toggle updates as expected when tapped.

I do not know if this is a regression in 1.0.1, as I have not tested this in 1.0.

The commit history shows this code reflects the v1.0.0 of the app, so README should be updated to say so.

Changelog is a nice thing to have in a project like this

Since the app runs in the background I tend to forget to enable/disable the app, or getting back to the app.

One quick win in order to get people back to the app could be an indication that would update automatically about how many "code" were exchanged or how many contacts you had.

This quick win would improve exponential people getting back to the app and use it more often!

I followed the installation steps and when running yarn ios-ui I get the following error:

❌  ld: library not found for -lappcenter-analytics

❌  clang: error: linker command failed with exit code 1 (use -v to see invocation)

I notice that CI (GitHub actions) is only running for the Android build. It should be running for iOS too.

Penso que o grande problema da aplicação não é a falta de instalações mas sim a falta de insercções de positivos. Também penso que isto não é nada de novo nem surpresa para ninguém aqui.

Gostaria que sugerir portanto um método diferente de registo de positivo. Em vez da pessoa receber um código em conjunto com o resultado laboratorial, e ter a possibilidade de o introduzir ou não, alteraria para 1 de 2 métodos:

Opção 1) O resultado laboratorial recebido seria na verdade uma hash que seria introduzida na App e indicava se era positivo ou negativo. Desta forma estaria automaticamente introduzida no sistema

Opção 2) O resultado laboratorial apenas seria informado pelo laboratorio/SNS após o utente fornecer um token da app (à la 2FA) que seria nesse momento inserido na Base de Dados da App e como consequência também faria uma inserção automática do positivo.

Quem não possua dispositivo móvel com app ou que tenha decidido não utilizar a app por opção própria, teria que se deslocar a uma entidade pública (Centro Saude, Hospital, etc) para conhecer o resultado que seria "lido" com um token mestre do SNS.

Cumprimentos.

The application is disclosing information of the last Activity shown when it is put in background.

It is possible to see this information when the user opens the list of background apps:

Due to the possible sensitive information that might be shown, this should be implement.

Currently you're pointing to the "master's HEAD version" of play-services-nearby-18.0.3-eap.aar, but you don't have any certainty that the file won't change, or disappear (for eg., being replaced with an 18.0.4 version of the file).

You should instead point to the actual version of the file we are supposed to be using, ie:

https://github.com/google/exposure-notifications-android/raw/58f6dc872016e2a42d174178dcefcae5d7590952/app/libs/play-services-nearby-18.0.3-eap.aar

There is no way of selecting the language of the app (at least that I'm aware of). I'm assuming that it uses the system's language but it should have a way to set the language, either when the user opens the app for the first time or in a settings page.

Olá,

A Apple lançou na segunda-feira uma actualização para o iOS 12 (12.5) com o objectivo de expandir as notificações de exposição a aparelhos incompatíveis com o iOS 13 (nomeadamente o iPhone 5s, iPhone 6 e iPhone 6 Plus).

Existem planos para actualizar a aplicação para ser compatível com esta versão?

This app lacks the third-party licenses from the open-source component it uses. One should be included under Legal Information in order to avoid Business and Legal issues

This is just a question, not sure where else to place it.
Why is stayaway a brand new implementation on something that other entities/countries have already made and published?

For example, Germany has https://github.com/corona-warn-app/

Contrary to the UK, that when they started development no such other projects existed (at least not in a good/mature level), Portugal had the chance to reuse an already working solution.

A new version, 1.0.4, of Android's dp3t SDK was released, which includes a change reducing the chance of false positives.

Hello, everyone!

I'm aware that this use case is not likely a priority, but I tried to run the app on Lineage OS 14.1 (Android 7.1), and I cannot turn on monitoring. The app shows a "Monitoring disabled" popup, but the "Enable monitoring" button does nothing. In the settings, "Monitoring" is shown as "Disabled", but when I click on the switch, it momentarily goes grey and then stays off. I have enabled Bluetooth but it did not make a difference.

Do you know what may be causing this, or any pointers on how can I debug what is going on?

Thanks in advance!

Usually the apps that use the Exposure Notifications System have that classification in the Google Play store.

Maybe that information should added.

There seems to be a new version of the play-services-nearby- play-services-nearby-exposurenotification-1.6.1-eap.aar in https://github.com/google/exposure-notifications-android/tree/master/app/libs.

The Corona-Warn-App for Germany seems to be already using it (corona-warn-app/cwa-app-android#1057) and according to the comments in the PR it seems that this new version solves the problem of Location setting need in order to work (for devices which support locationless scanning)

fixed Location-Settings on Android 11 Devices with EN 1.6.1 (Location not needed anymore)

With the concent of the user, and explicit settings from the user this application should maintain population density about popular locations in the city where the person is. With this the application shoud raise notifications to the person saying the places that he should avoid and the places that are safe

I saw in the code that there is currently some support for a dark mode version of the app.
Unfortunately, I know this is currently not implemented. Could a switch be added to toggle between light and dark modes?
As a bonus, making it follow system dark more preferences should also be an option.

Relevant code:

I could also submit a PR if needed.

Hi there,

For the currently tagged versions in this repository, we have:

• v1.0.0-alpha - Aug 21
• v1.0.0 - Sep 1

This situation is confusing, since on Google's Play Store, the version available is:

• 1.0.0 - August 21, 2020

Naming the "new version" (released yesterday) as 1.0.0 is misleading, as users will think that the version they're using currently from the app stores corresponds this repo's "v1.0.0", when in fact it is "v1.0.0-alpha".

As done in the Swiss app https://github.com/DP-3T/dp3t-app-android-ch/blob/master/REPRODUCIBLE_BUILDS.md , it would be an important step for the trustworthiness of the official apps distributed on the play stores if there is a way to make reproducible builds, and ensure this code matches what is being distributed.

More info about why this is important can be read in the issue requesting this same possibility to the German app: https://github.com/corona-warn-app/cwa-backlog/issues/21 .

On #3 , the issue was closed after the develpment team said that there is no way to run the tests since there are no tests to be run, but that PRs implementing tests are welcome.

Discussion went on in that issue, after it was closed, but I'm opening this one in the hopes that the efforts regarding the implementation of software tests can be focused here.

I take also the opportunity to kindly request this issue not to be closed while those tests aren't implemented: while they might not be a current priority, their importance seems undeniable.

OS: iOS 13.7
App Version: 1.0.1

After updating the app to 1.0.1, the "last checked date" is still at 1/Sept, even after restarting the app a few times and switching it from foreground to background.

I'd consider this "normal", as I don't expect it to always be updating, but the changelog of version 1.0.1 leads me to beleive it's not:

Add force app sync when app comes from background or foreground

Hello, sorry for not reporting this problem earlier since I was part of the pilot program, but didn't get around to give feedback.

Similar to #65 my app isn't updating. The only times my app updated, indicated by the field "atualizado a:", was once when I installed the app, and once after the app reset around the time the full release was launched.
Right now it says updated on 31st of August and today is the 16th of September.

App version: 1.0.1
Phone: Pocophone f1 (Xiaomi)
MIUI version (modified android from xiaomi): MIUI Global 11.0.9
Android version: 10QKQ1.190828.002

I know one other person who told me he had the same problem.

title.

Hi,

Since installed iOS 13.7, which brings phase two of the COVID Exposure API, it seems that the app is no longer updating.

I updated from iOS 13.6 to 13.7 on the 1st of September and today is the 3rd of September and the app seems to be stuck and no longer updating.

I'm not sure if this is some sort of visualization issue only, because when checking Settings -> Exposure Notifications - Exposure Checks I see records being written to the system.

I'm available for any information needed. Thank you

There are many people with old iPhones, that can’t update to iOS version 13.5.
The app should be inclusive also in that sense.

Phone is running iOS 13.7. Version 1.0.1 of APP installed on Sep 7, 2020. "Last updated" date displayed by the APP is "9.10.2020". Today is Sep 13, 2020. APP is opened at least once a day. Exposure checks are being logged by iOS.

Happy to provide more information if requested.

App version: 1.1.3
Google play services: 21.21.16
OS: MIUI 12.5

After installing the APP and using it for a few days no exposure IDs are being recorded at all.
Tried to uninstall the app, and install it via settings, but when selecting Portugal, it says no app is recorded for use in portugal by my health authority.

According to the locale's files:

"home_page": "https://stayawaycovid.pt/"

But this URL (at least for now) points to a standard wordpress backoffice login page...

considering this app is FOSS, it would be nice to see a release on F-Droid. I could submit the app myself if you want.

https://f-droid.org/en/docs/Inclusion_Policy/

This app changes the Android bottom bar's colour from Black to White, making it very hard to distinguish the white Android navigation buttons. We should change it to some other colour, like #1d3787 which is one of this app's main colours.

Should I try to make a PR with this change?

For better code understand, we should add comments like this:

// A brief explanation about 'Teste' function
function teste(param) {
    // Other explanation
}

What do you think?

I would consider this a minor feature request, not at all being fundamental for the app itself.

It would be very interesting to publish statistical data periodically and in fully anonymised form like the Swiss FOPH does by providing:

• Number of all apps downloaded up to now
• Number of covid codes entered by users per day

The installation of the App is totally voluntarily but such data may help to convince people and increase the number of installations and therefore, success for its use.

Your CI/CD pipeline should contain a step to automatically audit and fix these vulnerabilities. High and critical ones will likely require manual input and it should stop there. Low ones like the current 248 (analysed today, Thursday the 30th) would automatically be fixed.

However, fixing can break sruff, unless your code is properly tested. This issue requires solving #7 first.

Hi,

My iPhone (on iOS 14.0.1) updated the app to version 1.0.4 and the app automatically disabled exposure monitoring. It shows that the latest risk evaluation was today (before the update) and now monitoring is just disabled without my interaction.

I've discovered some other people with the exact same situation. I think this is a major issue that may case many people to have exposure monitoring disabled, which compromises the effectiveness of this app.

I'm available for more details if needed.

It is currently linking to https://stayawaycovid.ptpolitica-de-privacidade/ (lacking a / so not working).

Hi there. This is by no means an exaustive list, but:

• This past few days, the Irish Covid Tracker app users suffered huge battery drain, leading many to uninstall the app. The issue was with GAEN, and was silently fixed by Google: https://twitter.com/HSELive/status/1293888350504591362

• There are hints of a new API version, but no documentation, no changelog, no roadmap is available. google/exposure-notifications-android@339ea63

• The current distribution model of one of the components needed in order to use GAEN on Android raises questions and concerns: #15 (comment)

• There are several known issues on the GAEN framework, but they lack proper documentation, to ensure transparency DP-3T/documents#327 . The problem is highlighted when we see claims in the press about how bullet-proof and privacy-preserving this application is, which seem to purposefully ignore the already known issues

• These examples come to illustrate and reinforce the concerns by several actors, from the academia ( https://down.dsg.cs.tcd.ie/tact/transp.pdf ), data protection specialists ( https://jornaleconomico.sapo.pt/noticias/contact-tracing-caminho-seguro-ou-passo-em-falso-623571 ) to institutions like the Portuguese Association for Free Software (ANSOL) ( https://ansol.org/STAYAWAY-COVID ), or the Portuguese Data Protection Agency (CNPD) ( https://www.cnpd.pt/home/decisoes/Par/PAR_2020_82.pdf ), whom alert to the dangers of depending on a closed source component (GAEN) for this solution.

• Implementing DP-3T is possible without closed source dependencies DP-3T/dp3t-sdk-android#143 , and there are several reasons to opt for that, more transparent approach DP-3T/dp3t-sdk-android#10

• Deutchland is noticing similar issues, in particular since "no clear agreements have been reached with Google and Apple about reprocessing data gleaned via the app." https://www.dutchnews.nl/news/2020/08/dutch-privacy-watchdog-says-coronavirus-app-still-needs-work/

Therefore, I am opening this issue to propose to the project that the issues that arise from having a closed source dependency on GAEN must be openly addressed.

As a "starting point", I'll also link to https://www.lusa.pt/article/RuzdrRtnLzuClNfx09aPxzMSZM5iuSI1 , where INESC TEC's administrator is quoted saying:

“Ao estarmos a usar estas funcionalidades da Apple e da Google perdemos o controlo sobre elas, mais ainda, apesar da aplicação e todo o sistema ser código aberto, esta parte não é e, portanto, perdemos esse controlo”, disse, acrescentando que esta é “uma fragilidade que não vai ser ultrapassada”. “Deixarmos de usar estas funcionalidades da Google e da Apple significaria não termos aplicação”, sublinhou.

(In english, my translation:)

"By using these features from Apple and Google we loose control over them, and besides, while the application and the whole system is open source, this part isn't and so we loose that control", he said, adding that this is "a fragility that is not going to be overcome"
. "No longer using these features from Google and Apple would mean not having an application", he highlighted.

This application should give feedback to the user about the population density in the nearby.
For this the application should have configuration settings where the person should introduce the number of people that are arround him that should raise a notification telling him about the density of people arround him treshold that is being overcomed. That will allow people to be more caution about the places and the amount of time they spend in some overcrowded place.

There are several differently-licensed items within this project that aren't listed on the README (the Roboto fonts, for eg.). But one of them caught my attention for a different reason.

While unpackable and easy to decompile, ./android/app/libs/play-services-nearby-18.0.3-eap.aar is being distributed here as-is, instead of built from source, or used as a dependency. There isn't even a reference of where did this supposedly came from.

Also, note that, as far as I can see, that file came from an Apache 2.0 licensed repository and might be covered by that license: https://github.com/google/exposure-notifications-android/blob/master/LICENSE . If that is the case, then the current distribution of it being made on stayaway-app doesn't seem to be complying with the LICENSE (lack of notice). If it isn't, even you are not allowed redistribution.

Also, please note that the non-eap versions of this file are usually distributed under the Android Software Development Kit License, which does not allow redistribution.

There is an open issue regarding this, upstream, at google/exposure-notifications-android#23 .

No logs and app not show never updated