nic-delhi / aarogyasetu_android
Aarogya Setu Android app native code
Home Page: https://www.aarogyasetu.gov.in/
License: Other
In lines 60 and 61:
database.execSQL("CREATE TABLE nearby_devices_info_table_backup " + "(id INTEGER NOT NULL, bluetooth_mac_address TEXT,distance INTEGER, lat TEXT,long TEXT,timestamp INTEGER, PRIMARY KEY(timestamp))");
There should be a check here that validates that the given lat/long coordinates are valid lat-long coordinates. Also, instead of just using the TEXT datatype, shouldn't DECIMAL or a POINT datatype be used?
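One way to do the validation the issue asks for, as an added example that is not code from the aarogyasetu_android project: a plain-Java validator that rejects anything other than a finite decimal number inside the WGS84 ranges before the row is bound to the INSERT, and that canonicalises the text form so later comparisons are not fooled by "012.97160" vs "12.9716". The class name, the `backupRowArgs` helper and the sample rows are constructed for illustration; the column order follows the CREATE TABLE statement quoted above.

```java
// Added example, not project code: guard the nearby_devices_info_table_backup insert.
import java.util.Locale;

public final class CoordinateValidator {

    private CoordinateValidator() {}

    /** Latitude must be a finite decimal in [-90, 90]. */
    public static boolean isValidLatitude(String lat) {
        Double v = parseFinite(lat);
        return v != null && v >= -90.0 && v <= 90.0;
    }

    /** Longitude must be a finite decimal in [-180, 180]. */
    public static boolean isValidLongitude(String lon) {
        Double v = parseFinite(lon);
        return v != null && v >= -180.0 && v <= 180.0;
    }

    public static boolean isValidPair(String lat, String lon) {
        return isValidLatitude(lat) && isValidLongitude(lon);
    }

    // Strict parse: rejects null, blanks, hex, "NaN", "Infinity" and other forms that
    // Double.parseDouble would accept but that are not plain decimal coordinates.
    private static Double parseFinite(String s) {
        if (s == null) return null;
        String t = s.trim();
        if (!t.matches("[-+]?(\\d+\\.?\\d*|\\.\\d+)")) return null;
        try {
            double d = Double.parseDouble(t);
            return Double.isFinite(d) ? d : null;
        } catch (NumberFormatException e) {
            return null;
        }
    }

    /**
     * Bind arguments for
     *   INSERT INTO nearby_devices_info_table_backup VALUES (?,?,?,?,?,?)
     * in the column order of the CREATE TABLE above (id, bluetooth_mac_address, distance,
     * lat, long, timestamp). Returns null when the coordinates fail validation, so the caller
     * skips the execSQL(sql, bindArgs) call instead of persisting garbage.
     */
    public static String[] backupRowArgs(long id, String mac, int distance,
                                         String lat, String lon, long timestamp) {
        if (!isValidPair(lat, lon)) return null;
        // Canonical 6-decimal form (~0.1 m) so equal positions have equal TEXT values.
        String nLat = String.format(Locale.ROOT, "%.6f", Double.parseDouble(lat.trim()));
        String nLon = String.format(Locale.ROOT, "%.6f", Double.parseDouble(lon.trim()));
        return new String[] {
            Long.toString(id), mac, Integer.toString(distance), nLat, nLon, Long.toString(timestamp)
        };
    }

    public static void main(String[] args) {
        // Constructed sample rows: one valid, three that the TEXT column would otherwise accept.
        String[][] samples = {
            { "12.9716", "77.5946" },   // valid
            { "91.0", "77.5946" },      // latitude out of range
            { "12.9716", "NaN" },       // not a coordinate
            { "", "77.5946" },          // empty string
        };
        for (String[] s : samples) {
            System.out.printf("lat=%-8s lon=%-8s valid=%b%n", s[0], s[1], isValidPair(s[0], s[1]));
        }
    }
}
```

Changing the column type to REAL (SQLite has no DECIMAL or POINT storage class; affinity would still let strings through) does not remove the need for this check: range validation has to happen in the app before the row is written.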
After opening FAQs, the back button should send you to the main screen. Once you hit the back button of the mobile, it closes your app.
Tested on OnePlus 6.
Anyone can easily change their location by using mock location apps. Check if any other app on the device is using the ACCESS_MOCK_LOCATION permission.
No need to add a Gzip interceptor.
Out of the blue, when I opened the app a couple of days ago, I received a toast stating "you have been logged out" and was taken to the splash/on-boarding screens. The scan service was running (persistent notification showing) until I opened the app. I had to go through the on-boarding and sign-up process again to resume the scan service. Another user of the app I know also experienced this "random" app logout. Unfortunately I do not have logs or a way to reproduce the issue.
The current Android Room database present locally doesn't encrypt the information it stores, even locally, which would be good security practice to do. This can be easily implemented with SQLCipher, where the plaintext data like latitude, longitude, bluetooth_mac_address and timestamp are encrypted on the local device using a randomly generated symmetric key from the AndroidKeyStore, for which this app already seems to contain support, taking a look at SecureUtils.
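The pattern the issue describes, as an added example and not code from the project or its SecureUtils class: SQLCipher encrypts the Room database file with a random 32-byte passphrase, and that passphrase is stored only in wrapped form (AES-256-GCM under a non-exportable AndroidKeyStore key), so a copy of the .db file plus the preferences file is useless without the device's key. Assumptions: the android-database-sqlcipher artifact (net.sqlcipher.database.SupportFactory), androidx Room, minSdk 23 or higher for KeyGenParameterSpec; the key alias and preferences file name are placeholders chosen here.

```java
// Added example, not project code: SQLCipher passphrase wrapped by an AndroidKeyStore key.
import android.content.Context;
import android.content.SharedPreferences;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;
import androidx.room.Room;
import androidx.room.RoomDatabase;
import net.sqlcipher.database.SupportFactory;

import java.nio.ByteBuffer;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class EncryptedDbFactory {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String KEY_ALIAS = "db_passphrase_wrap_key"; // placeholder alias
    private static final String PREFS = "db_key_prefs";                // placeholder prefs file
    private static final String PREF_WRAPPED = "wrapped_passphrase";
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;

    private EncryptedDbFactory() {}

    /** Opens (or creates) the Room database with SQLCipher page-level encryption. */
    public static <T extends RoomDatabase> T open(Context ctx, Class<T> dbClass, String name)
            throws Exception {
        byte[] passphrase = loadOrCreatePassphrase(ctx);
        // Keep no other reference to the passphrase array; SQLCipher consumes it on open.
        SupportFactory factory = new SupportFactory(passphrase);
        return Room.databaseBuilder(ctx.getApplicationContext(), dbClass, name)
                .openHelperFactory(factory)
                .build();
    }

    // First run: generate 32 random bytes and persist them wrapped. Later runs: unwrap.
    static byte[] loadOrCreatePassphrase(Context ctx) throws Exception {
        SharedPreferences prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        SecretKey wrapKey = getOrCreateWrapKey();
        String stored = prefs.getString(PREF_WRAPPED, null);
        if (stored != null) {
            return unwrap(wrapKey, Base64.decode(stored, Base64.NO_WRAP));
        }
        byte[] passphrase = new byte[32];
        new SecureRandom().nextBytes(passphrase);
        String wrapped = Base64.encodeToString(wrap(wrapKey, passphrase), Base64.NO_WRAP);
        prefs.edit().putString(PREF_WRAPPED, wrapped).apply();
        return passphrase;
    }

    // AES-256 key that lives in the keystore: it can encrypt/decrypt but never be exported.
    private static SecretKey getOrCreateWrapKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        if (ks.containsAlias(KEY_ALIAS)) {
            return (SecretKey) ks.getKey(KEY_ALIAS, null);
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        return kg.generateKey();
    }

    // Blob layout: 12-byte GCM nonce (chosen fresh by the keystore) followed by ciphertext+tag.
    private static byte[] wrap(SecretKey key, byte[] plain) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key); // keystore keys refuse caller-supplied IVs by default
        byte[] iv = c.getIV();
        byte[] ct = c.doFinal(plain);
        return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
    }

    private static byte[] unwrap(SecretKey key, byte[] blob) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        byte[] ct = new byte[blob.length - GCM_IV_BYTES];
        System.arraycopy(blob, 0, iv, 0, GCM_IV_BYTES);
        System.arraycopy(blob, GCM_IV_BYTES, ct, 0, ct.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        return c.doFinal(ct); // throws AEADBadTagException if the blob was tampered with
    }
}
```

Wrapping the passphrase rather than deriving it from a keystore key directly is forced by the platform: AndroidKeyStore keys cannot be read out, and SQLCipher needs raw key material in the app process. GCM, not ECB, is used for the wrap so that a modified preferences entry fails authentication instead of decrypting to garbage.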
To reproduce:
1. Click the blue assist button from the homepage.
2. Check the button at the right corner without the refresh icon.
It changes the Bluetooth name and doesn't allow other devices to connect to it, or causes trouble connecting with them.
The gradle build of the project looks for a keystore.properties
file, which is missing from the checked in codebase.
def keystorePropertiesFile = rootProject.file("keystore.properties")
def keystoreProperties = new Properties()
keystoreProperties.load(new FileInputStream(keystorePropertiesFile))
While the details are mentioned in the readme, please check in a default file as-is, which needs to be configured by the developers running the build.
Don't see a reason why they're not allowed, can be useful in informing friends and family members about the stats in our area...
Instead of developing the app for two platforms with two different codebases, you could have had one codebase if you had used a framework like Flutter. That would make it much easier for developers to find a bug, and it would be rectified with ease.
Empty catch block in CoronaApplication.java, line 76.
The auto-scrolling of stats of the number of users, at risk and infected within a certain radius can be too fast for elders to read; it also causes an unnecessary waste of time. It should pause when touched, allow manual scrolling, or be made a normal larger list window which doesn't require scrolling...
There was a comment about static code analyzers being unaware of the dynamism of the app, and that the same will be addressed in a FAQ. Unable to locate the FAQ, and reporting multiple CVEs as per MobSF.
Ideally, each of these issues must be verified / tracked separately. But looking for the FAQ, if any, related to static code analysis that is missing in the release.
F-Droid [1] is a community-maintained software repository for Android, similar to the Google Play store. Please distribute releases and APKs via F-Droid as well.
This needs the app to comply with the Inclusion Policy [2].
The Quickstart Guide [3] has more info.
[1] https://en.wikipedia.org/wiki/F-Droid
[2] https://f-droid.org/en/docs/Inclusion_Policy/
[3] https://f-droid.org/en/docs/Submitting_to_F-Droid_Quick_Start_Guide/
In case a person selects "Recently interacted or lived or currently live with someone who has tested positive for COVID-19" in the assessment section, the link in the subsequent bot for:
List of testing centers: https://icmr.nic.in/node/39071
lands the user on a URL which says Not Found.
In short, it returns 404, which should be fixed.
The application is vulnerable to location spoofers, which allow them to enable mock location and use any third-party app, and the major problem is handsets with root access, which can manipulate the application's location by systemizing the spoofing apps.
The option to choose the name of a State or UT in the search section of ICMR-approved labs doesn't populate the searched UT or State.
For instance, I tried searching Ladakh & still landed on Uttar Pradesh, which is my home state by default.
Steps to reproduce:
There is not even an error on the page. A user can search for any name, it will only show the default state present unless the user explicitly selects a particular state or UT.
Android Build Version : 1.1.3
As a user, if I had already registered and I come back to the application after a fresh installation, it shows the option to register and not to login. This is confusing.
Since, unless you implement the server yourself, which you can't (yet), there's virtually no way to compile the app. Even if you somehow add all the properties, you'll have to manually "disable" each crash or bad API response.
Basically, is it possible to compile a demo version of the app without actual API calls (since no server-side code has been released (yet))?
Even a fake API built into the app would work, because implementing the server by yourself is a tough thing to do.
In case the user turns off the Bluetooth of the cellphone: on launching the app, there is a modal to turn on Bluetooth. When a user clicks on the modal, another prompt appears on the screen which says, "Allow Aarogya Setu to enable Bluetooth?"
This little dialog box appears for approximately 3 seconds, vanishes & relaunches again.
Device details:
Huawei P20 Lite
Android Version 9
Resolution: 2280 * 1080
Once the assessment is finished by answering all the questions w.r.t. low risk, the advisory message for low risk is displayed along with an OK button under it. After we click the OK button under the message, there is one text message displayed with OK text, and it seems to be redundant; we can exit the assessment window instead once the OK button is pressed.
To reproduce :
Click the "?" button to the right side of the text "In your area within radius of".
The reassess/reset button icon on the top right corner of the self-assessment page shows up as a green box with an X in it.
The logo needs to be fixed, as without a clear icon or caption its purpose is ambiguous.
Device: Samsung M30S
One UI Core Version: 2.0
Android version: 10
just a thought.
CVE-2020-0022 affects devices running Android Oreo (8.0 and 8.1) and Pie (9.0) and can allow remote code execution over Bluetooth with no additional execution privileges needed and without any user interaction. More here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0022
Considering that a major number of these devices in India may not have received the Feb 2020 security update, it is better to give a warning pointing out the risks before switching on Bluetooth 24/7.
This release misses
This release does not help in transparency without 1 & 3
Hi,
Thanks all for the nice app. Would like to contribute to the community.
It would be nice if we could show daily trends of deaths, recoveries or new cases in % terms.
This seems slightly hard to validate given the challenges in #16. Looking through the workflow of the code, the symmetric key encryption mode used for older Android devices is AES128 with ECB mode, as a sanity check: initCipherForLessThanM() and generateKeysForAPILessThanM() (being called for every encryption on API < M), which is used to locally encrypt the latitude and longitude fields with the key. generateKeysForAPILessThanM is attempted every single time getCipher() is called, especially when the RSA keypair isn't used in the encryption process at all; if it is, which public key is being used to encrypt this data? Is this the Aarogya Setu hosted public key? NoPadding based AES GCM from API level 10; if this is the case, why is the ECB mode continued to be used? So this leads to the final question: EncryptionUtil() or DecryptionUtil(), since IV becomes the first block of the cipher text? It currently looks like this only happens once and the singleton instance with the same IV value continues to be used.
Please add a clear code of conduct for this repo.
People have a lot of divisive sentiments related to this app, and it is very likely that this repo will be brigaded or the issues be used for insensitive comments.
Already I can see fights breaking out in GH Issues, with folks making personal attacks on each other.
To prevent this repo becoming a battlefield for politically motivated comments, a CoC is absolutely needed. See here for inspiration:
https://help.github.com/en/github/building-a-strong-community/adding-a-code-of-conduct-to-your-project
For your reference, and to get the discussion started, I will add some great CoCs used by other OSS communities:
You will need to have clear definitions of what infractions are and how they will be handled.
Best of luck!
Also, separate out the discussion forum so that people who want to discuss items which are not issues/FRs can do so without polluting the main repo. GH has a discussion board built in.
PS. unrelated but just wanted to say that it is so amazing to have this app as an OSS project. Hats off to you guys.
All proximity tracing applications take too many critical device permissions, and they should sunset (stop functioning) after the COVID-19 crisis period.
A sunset policy is essential for all proximity tracing apps.
With the easing of lockdown, movement of people will increase, so a navigation option should be added so that people can move from one location to another by a safe (green) path (contamination-free or low risk) instead of relying on Google Maps for the shortest route between two points.
In order to prevent users from faking the green badge, it is essential to provide Bluetooth uptime % on the home screen to ensure the risk status is not a false positive. Organizations permitting entry based on green status can then make an informed decision.
Please add binary releases corresponding to current production versions.
It would be good if release management could be done directly from this repo to the Play Store: https://github.com/codepath/android_guides/wiki/Automating-Publishing-to-the-Play-Store
isRooted only checks the test-keys, superuser.apk and su, but the system can be rooted in many other ways, like:
TEST KEYS
DEV KEYS
NON RELEASE KEYS
DANGEROUS PROPS
PERMISSIVE SELINUX
SU EXISTS
SUPERUSER APK
SU BINARY
BUSYBOX BINARY
XPOSED
RESETPROP(EXPERIMENTAL)
WRONG PATH PERMISSION
HOOKS
These are some key points:
https://github.com/DimaKoz/meat-grinder
This uses some native NDK methods to check, so..
I can push this mechanism as I've implemented it in another app of mine.
Thanks n Regards:
Haneet Singh Chhabra
Test cases are missing. Moreover, we can convert the whole code to Kotlin.
Moshi is a modern, high-performance and recommended serialisation library for Kotlin and Java by Square developers. Gson has some limitations and existing bugs which Moshi overcomes. If it's used in this codebase we can also reduce some amount of code.
To support and run this app seamlessly on Android 10 or above, there should be the permission ACCESS_BACKGROUND_LOCATION, because this permission needs to be granted to access location in the background. Otherwise this application will not work on devices having Android 10 or above OS version. If it looks good to you then I'll be happy to work on it.
Does this app comply with Meity released protocol? https://meity.gov.in/writereaddata/files/Aarogya_Setu_data_access_knowledge_Protocol.pdf
If yes from which versions?
Since there isn't any method called to check whether mock location is enabled or not, hackers/miscreants can use any mock location app to hide their real location and report infection from this fake location.
Since the program does not have any checks for temporary phone numbers, a user could register/login using a temporary phone number, hide his location and report a fake COVID infection case.
Adding this simple permission check will prevent this:
import android.content.Context;
import android.provider.Settings;

// ALLOW_MOCK_LOCATION is deprecated from API 23, where the global switch became a per-app setting.
@SuppressWarnings("deprecation")
public static boolean isMockSettingsON(Context context) {
    // Returns true if mock location is enabled, false if not enabled.
    // The setting can be absent (null) on newer devices, so compare against the literal
    // rather than calling .equals() on the possibly-null result.
    String value = Settings.Secure.getString(context.getContentResolver(),
            Settings.Secure.ALLOW_MOCK_LOCATION);
    return "1".equals(value);
}
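The mock-location checks discussed in this issue and in the earlier one about apps holding ACCESS_MOCK_LOCATION, as an added example and not code from the project: the global ALLOW_MOCK_LOCATION setting only exists below API 23, so on current devices the reliable signal is the mock flag the system sets on each Location object, and the issue's request to list other installed apps that request ACCESS_MOCK_LOCATION is served by a PackageManager scan. Only Android framework APIs are used; the class and method names are chosen here, and on API 30+ the package scan needs a <queries> declaration or QUERY_ALL_PACKAGES to see other apps.

```java
// Added example, not project code: layered mock-location detection for a location-bearing report.
import android.Manifest;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.location.Location;
import android.os.Build;
import android.provider.Settings;

import java.util.ArrayList;
import java.util.List;

public final class MockLocationChecks {

    private MockLocationChecks() {}

    /**
     * Per-fix check. On API 18+ the system marks a Location that came from a test provider
     * (which is what mock-location apps register), so this works regardless of any setting.
     */
    public static boolean isMockFix(Location loc) {
        if (loc == null) return false;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            return loc.isMock();                  // API 31+
        }
        return loc.isFromMockProvider();          // API 18 to 30 (deprecated in 31)
    }

    /**
     * Legacy global switch ("Allow mock locations" in Developer options), meaningful only
     * below API 23. From M onwards the setting is deprecated and the per-app choice is not
     * readable here, so this must never be the only check.
     */
    @SuppressWarnings("deprecation")
    public static boolean legacyMockSettingOn(Context ctx) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) return false;
        String v = Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.ALLOW_MOCK_LOCATION);
        return "1".equals(v);
    }

    /** Other installed packages that request ACCESS_MOCK_LOCATION (the inventory the issue asks for). */
    public static List<String> appsRequestingMockLocation(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        List<String> hits = new ArrayList<>();
        for (ApplicationInfo app : pm.getInstalledApplications(0)) {
            if (app.packageName.equals(ctx.getPackageName())) continue;
            try {
                PackageInfo pi = pm.getPackageInfo(app.packageName, PackageManager.GET_PERMISSIONS);
                if (pi.requestedPermissions == null) continue;
                for (String p : pi.requestedPermissions) {
                    if (Manifest.permission.ACCESS_MOCK_LOCATION.equals(p)) {
                        hits.add(app.packageName);
                        break;
                    }
                }
            } catch (PackageManager.NameNotFoundException ignored) {
                // package removed between the two calls; nothing to report
            }
        }
        return hits;
    }

    /** Combined decision taken before a fix is accepted into a local report. */
    public static boolean shouldRejectFix(Context ctx, Location loc) {
        return isMockFix(loc) || legacyMockSettingOn(ctx);
    }
}
```

Treat the package inventory as a risk signal rather than a block list: a mock-location app being installed is not proof that the current fix is fake, while `isMockFix` is. None of these checks hold on a rooted device that patches the framework, which is why server-side plausibility checks (speed between consecutive fixes, for instance) are still needed for the reported location.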
The auto-scrolling data stats are not aligned properly to be seen, positioning themselves not in the middle but either at the top or the bottom of the readable space. Also, the space for the stats should be increased for better view and readability.
Device: Redmi 4
Android version: 7.1.2
MIUI version: MIUI global 11.0.2
Allow for a username or ID system which can link multiple users to a single account and prevent confusion. For example, if someone gets tested positive and uses multiple devices, does he get marked as +ve on all of them or just one? Both can cause confusion, as just marking a single entry will overlook the times the user came in contact using the other device, and in the latter case a single user might show up as 2 different people who got tested +ve in the stats...
The project misses a code of conduct. I have experienced name-calling in the first issue filed here.
I am suggesting adopting a diverse-participation-friendly code of conduct like the Contributor Covenant (https://www.contributor-covenant.org/version/2/0/code_of_conduct/) and enforcing the same to avoid such issues and to build a reporting mechanism.
There is no need to reinvent a CoC while widely accepted models like the Contributor Covenant exist.
There are a few minor cosmetic display issues when we choose Kannada as the language:
A mechanism which suggests routes to people that avoid red zones or zones with more cases.
As lockdown is going to end soon, at least people can avoid selecting a red zone path.
Thanks for open-sourcing the Android App! A fantastic step towards openness and transparency. I would like to ask, will the iOS App be open-sourced in a similar fashion anytime soon? It will be another great step towards openness.
Thanks.
The last option in the ICMR-approved labs appears to be 'Dadra And Nagar Haveli'. That option overlaps with the 'Done' button in the footer section.
After playing any video on the Media section, pressing the back button should open the Media home page but instead exits the app.