Hi!

So git is a wonderful tool, it allows you to keep track of file changes and facilitate coding with other people while keeping and structure code source. This means that your mistake of including a private key is still visible here https://github.com/RadarCOVID/radar-covid-android/blob/67a4506cc43a20062e87aebd5caa6be2ea0f6482/app/src/pre/res/raw/sedia_rsa_private_key.txt

@fjahijado If you push a new commit removing the key this won't fix your vulnerability, you have to remove all changes made to that file in previous commits (or remove the commits).

You can follow github official documentation here to fix it

Any key that you published should be rotated as they have been compromised

:)

I just gave a quick look into the code and found a private key hosted publicly in the repository? Is this expected or is it a mistake? I did not look carefully the design but just caught my attention as a possible bad development practice while I was browsing the code.

It would help to have the git history of the whole development to navigate to the commit that introduced it, unfortunately all was imported as a single commit making it impossible.

Hi!
I write it because I wanted to install the Covid Radar application on my "Amazfit Verge" smartwatch that has Android 5.0 with an Amazfit layer, that is, it is not pure Android, but it is impossible because I think that the minimum version that you have to have to install it is Android 6.0 and my smartwatch has 5.0 I have entered Android Studio I have to try the minimum version and it won't let me, I have knowledge of Android Studio but we are clear. Could you lower the minimum version?
Greetings.
Gorka.

Hi there, just to let you know we have made a first analysis of your app using a CT toolkit. Here comes the result next. I got a very long list what seemed like ip addresses but not quite in the ip_disclosure part of things so I REDACTED that part here just in case you can look at it prior to publication by anyone. Also, I see some problems with insecure random number generation and SQL queries here.

app:
  activities_launch_mode:
    com.google.android.gms.common.api.GoogleApiActivity: standard
    es.gob.radarcovid.features.covidreport.confirmation.ConfirmationActivity: standard
    es.gob.radarcovid.features.covidreport.form.view.CovidReportActivity: standard
    es.gob.radarcovid.features.exposure.view.ExposureActivity: standard
    es.gob.radarcovid.features.information.view.InformationActivity: standard
    es.gob.radarcovid.features.main.view.MainActivity: standard
    es.gob.radarcovid.features.onboarding.view.OnboardingActivity: standard
    es.gob.radarcovid.features.splash.view.SplashActivity: standard
  allow_backup: false
  app_name: Radar COVID
  debuggable: false
  min_sdk: '23'
  package_name: es.gob.radarcovid
  permissions:
    dangerous:
    - BLUETOOTH
    - INTERNET
    - WAKE_LOCK
    normal:
    - ACCESS_NETWORK_STATE
    - RECEIVE_BOOT_COMPLETED
    - FOREGROUND_SERVICE
    - REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
    others: []
    signature: []
    signatureOrSystem: []
  target_sdk: '29'
  use_cleartext_traffic: false
  version_code: '9'
  version_name: 1.2.0
code_analysis:
  insecure_certificate_validation: []
  insecure_random_generator:
  - Les/gob/radarcovid/datamanager/usecase/ReportFakeInfectionUseCase$getFakeVerifyToken$1;.subscribe
  insecure_webview_implementation: []
  ip_disclosure:
  - REDACTED
  remote_webview_debugging: []
  risky_cryptographic_algorithms:
    improper_encrypt_functions: []
    insecure_hash_functions: []
  sql_hardcoded_secrets: []
  sql_raw_queries:
  - Landroidx/work/impl/WorkDatabase_Impl$1;.createAllTables
  - Landroidx/room/RoomDatabase;.query
  - Landroidx/sqlite/db/framework/FrameworkSQLiteDatabase;.query
  - Landroidx/work/impl/WorkDatabaseMigrations$WorkMigration9To10;.migrate
  trackers: []
pii_taint_result:
  leaked_keys: []
root_analysis:
  debug_detections: []
  root_detections: []
  root_usage: []
virus_total:
  md5: 356452cc9382bc1e4fdc77d4a218310c
  permalink: https://www.virustotal.com/gui/file/2b613627897da4cd3be77ddeb19d70e3e3bf5d7ad2d3145aa3bc7cf0ed6114d2/detection/f-2b613627897da4cd3be77ddeb19d70e3e3bf5d7ad2d3145aa3bc7cf0ed6114d2-1612384003
  resource: 2b613627897da4cd3be77ddeb19d70e3e3bf5d7ad2d3145aa3bc7cf0ed6114d2
  response_code: 1
  scan_id: 2b613627897da4cd3be77ddeb19d70e3e3bf5d7ad2d3145aa3bc7cf0ed6114d2-1612384003
  sha1: 17eeba1e08f0cb8baa535ee4b5efbc103469d218
  sha256: 2b613627897da4cd3be77ddeb19d70e3e3bf5d7ad2d3145aa3bc7cf0ed6114d2
  verbose_msg: Scan request successfully queued, come back later for the report

Hello!

Monitoring the application traffic, I have found calls to servers for which I find no justification. Specifically, I have detected requests on port 443 to the following URLs:

• apps|launches.appsflyer.com
• outcome-ssp.supersonicads.com
• embeds.driftcdn.com
• js.stripe.com
• firefox.setting.services.mozilla.com

Is this normal application behavior? I have logged traffic with an application that creates a VPN to monitor requests from each application on the phone and it seems to be working fine.

Specifically these two:

Hi, since USA has banned Huawei from using Google services, Google Exposute API does not work on their new devices.

For this reason, Huawei has developed the Huawei Contact Shield API integrated in the Huawei Mobile Services.

https://developer.huawei.com/consumer/es/doc/Contact-Shield-V1/introduction-0000001050738511-V1

Do you plan to integrate this function in the future to make RadarCovid usable in Huawei/Honor devices (or others that do not have the GMS but have HMS) an publish RadarCovid in AppGallery (new Huawei/Honor devices doesn't have Play Store since USA ban)?

Radar Covid for Android has declared a dependency on Google’s Firebase SDK for analytics purposes as indicated in the line 198 and 199 of the graddle configuration.

    // Recommended: Add the Firebase SDK for Google Analytics.
    implementation 'com.google.firebase:firebase-analytics-ktx:17.5.0'

The analysis of the .apk available on Google Play on the 8th of September 2020 (md5=ce999f762890d3f9b7911cb700997019) using static analysis corroborates that the SDK is present in the app as can be inferred from the presence of the following package: com/google/firebase/

Unfortunately, as the code is obfuscated in the current release on the Google Play Store, it cannot be concluded: 1) whether the app version published on Google Play is directly compiled from the source code released today; and, as a result, 2) whether the Firebase SDK is actually invoked from the app.

The presence and use of this SDK is not listed in the current Privacy Policy of the app.

In case that this is legacy code from an older version integrating and using the SDK, or simply dead code, it would be recommendable to remove this dependency. If it is indeed used, it would be recommendable to remove it as well due to the potential privacy risks that incorporating a third-party analytics SDK could cause on end users.

This behavior seems to be prevalent in the iOS app, too, as suggested by this issue.

On Thu 28th October, version 1.4.3 of Radar COVID was released on Google Play Store. Two weeks has passed and this repository still does not reflect new changes since v1.4.1 (released on July).

Is there an estimate date for when the source code will be disclosed?

Recibo desde hace unos días una notificación recurrente: "Radar COVID No funciona correctamente. Error al cargar nuevos datos de infección".
Si la pulso sobre ella se abre la app y allí todo parece correcto, ninguna alerta aparece ni nada que indique como solventar el error que indicaba la notificación.

Hi,
It would be interesting to clarify the reason why they are fewer API methods on the source code released here:
https://github.com/RadarCOVID/radar-covid-android/blob/master/app/src/main/java/es/gob/radarcovid/datamanager/api/ApiInterface.kt

Than in the Play Store version:
https://github.com/josemoyab/radar-covid/blob/8acb96f8ccd979f03db3c6dbfdf162d66ad6ac5a/sources/p003f/p004a/p005a/p006a/p008b/C0436a.java

I am particularly interested in the removal of the method /kpi/kpi and RequestKPI that are live on the Play Store version:
https://github.com/josemoyab/radar-covid/blob/8acb96f8ccd979f03db3c6dbfdf162d66ad6ac5a/sources/p002es/gob/radarcovid/models/request/RequestKpi.java

Thanks!

This GitHub issue is just an excuse to express my gratitude to the developers of RadarCovid and to congratulate and encourage them to keep working and improving. Right after the code was released I read tons of rage/hate/shit on social networks and I came to this repo expecting the worst.

Nothing is further from reality, I'm really pleased to have found a full-fledged app developed using a modern language as Kotlin, written in ENGLISH!! (as any public project in the world should be written), using clean code patterns and even including some tests.

We can now start discussing about the libraries used, the way some logic or algorithms are implemented, if there are better or worse patterns, if code comments would be welcome in some places, if some old keys shouldn't have been included in the repo, if the code style should be changed, fixed, etc... but this is just room for improvement from a GOOD STARTING POINT.

I have been developing Android Apps for the last 10 years of my career and I know what is to work under not optimal conditions or environments, without proper resources, managers, timing or enough workforce. I guess developing an App for a Public Administration as a client with the goal of saving people lives in the midst of a pandemic situation doesn't fit in the definition of "optimal environment".

In addition making your work public and available to be scrutinized by thousands of eyes and receive criticism, many of the times without any positiveness and totally useless, is a huge mental and self-confidence toll to pay that nobody is prepared to.

So, again, let me say you in my name and I'm sure in the name of many more developers, thanks for your work and keep improving.

🔑
From Kotlin code convention: https://kotlinlang.org/docs/reference/control-flow.html

var max = a 
if (a < b) max = b

// With else 
var max: Int
if (a > b) {
    max = a
} else {
    max = b
}
 
// As expression 
val max = if (a > b) a else b

There are a few places where the curly braces are omitted

🔑
Veo que toda la conversación se está realizando en inglés, pero no he visto ninguna regla en el fichero CONTRIBUTING.md al respecto.

Supongo que en la discusión de una aplicación de origen español es esperable que sí se pueda hablar en español.

In order to be fully open, build and release system should also be accessible. Together with Issue #21 would allow source-binary verification.

Lower Android version at least to 4.2.2 Kitkat, so it's possible to use also in old mobile phones.

Describe the bug
The app tells you that it is not working because the "energy saving" option is enabled, even it is deactivated.

To Reproduce
Steps to reproduce the behavior:

1. Enable energy saving
2. Open the app
3. Close it and disable energy saving
4. Open the app and see error

Expected behavior
To work as the energy saving feature is disabled.

Screenshots
https://gyazo.com/a874870a66bf5675b486b692f17b2724

Device (if relevant):

• Device: Xiaomi MI 8
• OS: MIUI 11

Hi people,

I have a question. I see that, if I disable the location in my Android device, the RadarCovid raises a notification, demanding to re-enable the location on my device, for making RadarCovid working properly.

Why that requirement (location enabled) is not set on the AndroidManifest? (https://github.com/RadarCOVID/radar-covid-android/blob/develop/app/src/main/AndroidManifest.xml)

Thanks!

/question

Hi,

Today I found this twit from Víctor Suárez on Twitter requesting language support for Asturian.

On the one hand, I found pull request #30, which seems to be translating the app to Galician.
On the other hand, the same tweet cited above shows there's already support for Catalan and English. I think this is already being discussed in RadarCOVID/radar-covid-backend-configuration-server#4, but I still haven't found where are the translation strings located.

Is it possible for us to translate the app into any other language? How could we do it? Is it OK to translate texts the same way as in #30?

Thanks.

In my opinion, the pooling should be faster. 15min?

Hola! Hi!
As people seams to report in English, I will do the same :-)

When I run the app (debug version) in my devices (I have tested two), this message appears just when it tries to activate the connection with the Google API for exposure notifications. The complete text of the error message is:

Error: 17: API: Nearby.EXPOSURE_NOTIFICATION_API is not available on this device. Connection failed with: ConnectionResult{statusCode=UNKNOWN_ERROR_CODE(39507), resolution=null, message=null}

But when I install the app downloaded from the PlayStore, it works with no error message.

I need to use an API KEY for google tools or something similar?

Thanks in advance :-)

jCenter has been deprecated since February 2021, giving a 403 Forbidden response to any request to "dl.bintray.com". In consequence, dependency "com.goterl.lazycode:lazysodium-android" cannot be fetched.

Related to CrowdNotifier/crowdnotifier-sdk-android#26.

Steps to reproduce

1. Clone repository
2. Checkout "develop" branch
3. Run ./gradlew build

Gradle error log

FAILURE: Build failed with an exception.

* What went wrong:
Could not determine the dependencies of task ':app:testPreDebugUnitTest'.
> Could not resolve all task dependencies for configuration ':app:preDebugUnitTestRuntimeClasspath'.
   > Could not resolve com.goterl.lazycode:lazysodium-android:4.2.0.
     Required by:
         project :app > org.crowdnotifier:crowdnotifier-sdk-android:2.1.0
      > Could not resolve com.goterl.lazycode:lazysodium-android:4.2.0.
         > Could not get resource 'https://dl.bintray.com/terl/lazysodium-maven/com/goterl/lazycode/lazysodium-android/4.2.0/lazysodium-android-4.2.0.pom'.
            > Could not GET 'https://dl.bintray.com/terl/lazysodium-maven/com/goterl/lazycode/lazysodium-android/4.2.0/lazysodium-android-4.2.0.pom'. Received status code 403 from server: Forbidden

Proposed solutions

Either upgrade "org.crowdnotifier:crowdnotifier-sdk-android" to v4.0.0 (still in development and with breaking changes) or provide the AAR dependency file for "com.goterl.lazycode:lazysodium-android" mannually:

 allprojects {
     repositories {
         google()
         jcenter()
-         maven {
-            url  "https://dl.bintray.com/terl/lazysodium-maven"
-        }
+        flatDir {
+            dirs 'ext-libs'
+        }
     }
 }

🔑Each time I open the app on Android this is the notification I get

The updates on the "Exposition data" seems to be stuck on a specific date and the only way to force its update is disabling "Radar Covid Activo" and enable it again.

Device: Huawei P30
OS: Android 10

Hi! The RadarCovid app is already translated into several regional languages, but as a suggestion to assist improving existing translations (or adding new ones) the Weblate platform could be used. https://hosted.weblate.org/

The currently used UI design is very different from the Android standards, and takes a lot of space and big bottom buttons (with small icons and a big empty space) to what could be done very cleanly and without differing from the usual UIs in android apps. Right now the app doesn't have to show almost anything at all, it is just a background running app with a few links for more info about procedures and so on, but i think it will probably be improved to show info about how to avoid the app being frozen in some kinds of ROMs (miui for example), and maybe some other features, and adding things to the current UI, in my opinion, would be counter productive for the non tech savvy people, as makes the UI very cluttered...
For example, currently if you browse to the second and third menu using the bottom buttons, it will show a short text that you would have to scroll... it is a very short text and you have to scroll it, and besides the inefficient space usage, scrolling is an action that, i think, it is not very intuitive to a lot of people, i have seen frequently people not realizing you can scroll an app to see the rest of the options for example

I would suggest doing a UI refactor now that the app is not used very widely (and so to not make people see the old and new UI, only the new one, to avoid confusions) and just make a very simple, typical material design UI, with the same bottom buttons and the same text that it has right now.

Maybe someone experienced in android programming could do it very quickly, i don't know 🤷‍♂️ (edit: misunderstanding explained below)

Implement reproducible builds so they can be independently verified and compared with published versions in the different release channels. It would also help to ensure that no vulnerabilities are introduced at build time.

Starting in Android 11, localization is not necessary for the exposures api to work, as you can read in the following link.

https://blog.google/inside-google/company-announcements/update-exposure-notifications/

On Android 11, which will soon be released, users will be able to use Exposure Notification apps without turning on the device location setting.

The App keeps sending an error notification if you try to use it without using the location (Even if bluetooth is on)

I attach a screenshot of the notification and the android version used

It's a minor problem, but every now and then the notification keeps jumping and from what I can see it's something related to the app and not so much the API, although I may be wrong.

Thanks for your efforts and such a well done app

Buenas.
He leído que la aplicación que se muestra aquí es distinta de la de Google Play. La verdad es que es lo único que me echa para atrás para descargármela.
Hoy he mirado en Google Play y he visto que se actualizó el 15 de septiembre. Yo no tengo ni puñetera idea de programación, así que pregunto a los entendidos que hayan diseccionado la versión de Google Play: ¿La versión de aquí y la de G Play ya son las mismas?

Hola,

Hoy de casualidad he entrado en la aplicación y me ha aparecido un aviso para aceptar las condiciones de uso y la política de privacidad. Según pone, para usar RadarCOVID tengo que aceptarlas, pero no me ha saltado ninguna notificación al respecto.

Hará como una semana o dos que no entro a la aplicación. ¿Ha estado la app sin funcionar todo este tiempo?

Mi móvil es un Xiaomi Redmi Note 7.

Gracias.

The use of synthetics can throw exceptions, I would recommend changing to viewbinding in all views.

On Wed 14th July, version 1.4.1 of Radar COVID was released on Google Play Store. A week has passed and this repository still does not reflect new changes since v1.4.0 (released on June).

Is there an estimate date for when the source code will be disclosed?

F-droid is an alternative app store to Google Play Store which has only free open source apps. I would like to see Radar COVID on it, but they request that "the original app author has been notified (and supports the inclusion)." So I would like the author(s) to support such inclusion before requesting the inclusion to F-droid's team.

I just opened the issue for the request (in case Radar COVID authors support this), and got this comment. It seems there are Firebase and GMS stuff that make it not free open source. So I hope this can be replaced by MicroG's implmentation of the exposure api, if possible.

Thank you

I use the app everyday, but it doesn't update its own data since August 26th. I'm looking for a manual refreshing/updating button into the app in order to get the last data by myself.

Would be possible?

I have been with the Radar COVID installed for several weeks and today Galician translation was implemented. I updated the app but I cannot see the settings to change the language.

Do I have to uninstall and install again to select the language? If I do that all the tracking information will be lost, right?

My SO is LineageOS based on AOSP. I can't run the app; it shows a banner "Es necesario disponer de una versión actualizada de Google Services".

This dependency is not needed and makes non-Google Android systems reject the app.