Downgrade to Android 5.x? #15
Comments
CovPass and CovPass Check App cannot be installed on Android 5. The developers would need to say if there are any plans to change this. https://digitaler-impfnachweis-app.de/ and https://digitaler-impfnachweis-app.de/covpasscheck-app/ both say: which is confirmed by CovPass and CovPass Check do not need or use the Exposure Notification API. (The Corona-Warn-App is supported starting with Android 6 only, not Android 5 (see https://www.coronawarn.app/en/faq/#minimum_requirements).) |
So why on earth is product development strategy so reluctant to ignore the many owners of older devices for such an important application? |
The developers would need to answer about whether it was a goal to develop for Android 5 or what might have prevented a release on that platform. I expect that there are other essential external library dependencies for the CovPass / CovPass Check Apps which are incompatible with API 21 (Android 5). The security libraries were an issue on the Corona-Warn-App, not just the Google Exposure Notifications System API. |
I don't see any technical reason why API 21-22 is not supported. My guess was because of covpass-android/dependencies.gradle Line 200 in 0589db7
But Android 6.0 (API 23) added some fundamental encryption features like symmetric key generation and storage in the Android KeyStore. |
So there is a risk that someone physically attacks my phone to find out that I have been vaccinated! |
I don't work on this project and I also haven't fully looked into the code. I just wanted to share some insights based on my professional experience and give an assumption why API 21 devices are not supported. I don't know all the (security & legal) requirements of the project, but you have to remember that we are talking about personal health data. We should also not argue based on opinions. If security did not matter, this app could also support API 14+ (which is actually not that hard to achieve, even in 2021). But as I said, that's not practical for a project with such a sensitive use case. Sorry for turning this issue into a discussion. Maybe some of the maintainers can give concrete feedback. |
@G00fY2, thanks for your background information which I did not mean to criticize. |
Hi, this would be problematic from a security perspective, since EncryptedSharedPreferences no longer securely encrypts data below Android 6. |
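The API 23 dependency mentioned in the comments above (symmetric keys generated and held in the Android KeyStore, which EncryptedSharedPreferences relies on), shown as an added example that is not code from the CovPass repository. The key alias and function names are hypothetical:

```kotlin
import android.os.Build
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

// Hypothetical alias, chosen for this example only.
private const val KEY_ALIAS = "example_cert_store_key"

/** Returns a Keystore-backed AES key, or null when the platform cannot provide one. */
fun getOrCreateAesKey(): SecretKey? {
    // KeyGenParameterSpec and AES keys in "AndroidKeyStore" were added in API 23.
    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) return null

    val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    // Reuse the key if an earlier run already created it.
    (keyStore.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }

    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS,
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .build()

    // The key material is created inside the Keystore and is not exportable.
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }
        .generateKey()
}

/** Returns (IV, ciphertext), or null on API < 23 so the caller can refuse to store the data. */
fun encryptForStorage(plaintext: ByteArray): Pair<ByteArray, ByteArray>? {
    val key = getOrCreateAesKey() ?: return null
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, key) // the Keystore provider picks a fresh random IV
    return cipher.iv to cipher.doFinal(plaintext)
}
```

On API 21 and 22 the guard returns null, so an app with this storage design has no Keystore-held AES key to fall back on.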
As I had explained above, I (and assumedly many others) don't care where somebody could eavesdrop the fact that I am vaccinated. I'd rather have the comfort of the app on my phone. Why don't you let the users decide? |
A question to the maintainers: What are the technical issues preventing this application from being installed on Android 5 considering that the only task of this app is to provide an electronic copy of the vaccination pass? |
Maybe it is just me wondering how the Luca app is usable on Android 5.1 and the two official ones are not. |
@eberlems The Luca app already had some bad press (e.g. see the CCC analysis) for its security and privacy practices. @radekg Regarding the technical issues: As already mentioned, on Android 5 we can't guarantee secure encryption of your data. Please keep in mind that this actually is medical data. While you might prioritize convenience higher than security for yourself, there are lots of non-technical people out there who will get upset if their data gets stolen by hackers - because they use an utterly insecure Android version that can probably be hacked by simply visiting the wrong website or installing the wrong app. Also, a piece of paper is indeed easier to keep safe than an Internet-connected device full of security holes. We have some responsibility to non-technical users and we have to treat this medical data with care. |
As already mentioned, we, the potential users of the app, don't care. So let us decide.
This is a very abstract excuse. The certificate is intended to be presented to the public, so what?
So give them a warning when the certificate gets imported and let them confirm. |
@wkornewald I want to install this app on a device that is controlled by myself and not planning on supporting it for a wider community so my question essentially boils down only to: if I build this for Android 5 and install myself on a non-rooted device, will the certificates be properly recognized by the various readers out there. That's all I would like to know. |
The app in the store is 100% the same code as in this repo. So, if you build the app yourself and modify the code to support Android 5 then yes, everything will work with the prod app. I’d recommend using the latest stable release branch instead of main. Do this at your own risk. ;) On the other hand, a better time investment could be to install the latest Android version e.g. via LineageOS. Then at least you’ll have most of the latest security fixes (though your firmware and maybe some drivers will still be vulnerable). |
For those who want to have a digital eu certificate on their Android 5 phone, I just found this CWA fork: |
Is it possible to downgrade to Android 5.x or does it require the Exposure Notification API like cwa-app-android?