This repository has been archived by the owner on May 16, 2023. It is now read-only.

Active time is easy to fake #88

Closed
3 tasks done
v1nc opened this issue Jun 25, 2020 · 12 comments

Labels: enhancement, mirrored-to-jira, ready-to-close

v1nc commented Jun 25, 2020

Avoid duplicates

  • Bug is not mentioned in the FAQ
  • Bug is specific for Android only, for general issues / questions that apply to iOS and Android please raise them in the documentation repository
  • Bug is not already reported in another issue

Describe the bug

The "active status" time is easy to fake.

Expected behaviour

The "active status" should be calculated with the real time, not with device time.
It should not be possible to change "active status" behaviour by changing device time.

Steps to reproduce the issue

  1. Remove the app if installed
  2. Install it again
  3. Change device date to 2 weeks in the past before opening the app
  4. Open the app, activate Exposure Logging
  5. An API Error is displayed, close the app
  6. Change device date back to today
  7. Open the app
  8. Click on "Exposure Logging" details and close them 2-3 times until the errors are gone
  9. App now displays "14 of 14 days active" and behaves as usual

Technical details

  • Mobile device: Nexus 5
  • Android version: 6.0.1

Possible Fix

Only use time from NTP servers to calculate "active time"


Internal Tracking Id: EXPOSUREAPP-2107
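
An added example, not part of the issue or of the app's code: a Python model of why the repro steps above end at "14 of 14 days active" when both timestamps come from the user-settable clock, next to a variant that refuses to record or report active time when the device clock disagrees with a trusted reference. The trusted time source (for instance NTP, as proposed above), the 2-hour tolerance and all names are assumptions.

```python
from datetime import datetime, timedelta, timezone

WINDOW_DAYS = 14                  # the "x of 14 days active" window from the issue
MAX_SKEW = timedelta(hours=2)     # assumed tolerance, not a value from the app


class ClockMismatch(Exception):
    """Device clock disagrees with the trusted reference."""


def naive_active_days(activated_at, device_now):
    # Behaviour described in the issue: both values come from the device clock.
    return max(0, min(WINDOW_DAYS, (device_now - activated_at).days))


def checked_now(device_now, trusted_now):
    # trusted_now is assumed to come from a source the user cannot set,
    # e.g. an NTP reply as proposed in the issue.
    if abs(device_now - trusted_now) > MAX_SKEW:
        raise ClockMismatch(f"device clock off by {device_now - trusted_now}")
    return trusted_now


class ActiveTimeTracker:
    def __init__(self):
        self.activated_at = None

    def activate(self, device_now, trusted_now):
        self.activated_at = checked_now(device_now, trusted_now)

    def active_days(self, device_now, trusted_now):
        if self.activated_at is None:
            return 0
        now = checked_now(device_now, trusted_now)
        return max(0, min(WINDOW_DAYS, (now - self.activated_at).days))


def replay_issue():
    """Replay the repro steps with constructed timestamps."""
    today = datetime(2020, 6, 25, 12, 0, tzinfo=timezone.utc)
    backdated = today - timedelta(days=14)        # step 3: clock set 2 weeks back
    naive = naive_active_days(backdated, today)   # steps 6-9: clock back to today
    tracker = ActiveTimeTracker()
    try:
        tracker.activate(backdated, today)        # step 4 on the checked path
        rejected = False
    except ClockMismatch:
        rejected = True
    tracker.activate(today, today)                # honest activation
    later = today + timedelta(days=3)
    return naive, rejected, tracker.active_days(later, later)
```

`replay_issue()` returns the naive count, whether the back-dated activation was rejected, and the count after three honest days.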

@jakobmoellerdev

This issue is closely related to corona-warn-app/cwa-app-android#685

To sum things up: Currently, the decision is to rely on the automatic calculation of the date and time of the device and that manual tampering of this setting is not supported. This was done as we explicitly did not want to contact NTP servers directly for the first release.

This might change in the future, however, and it is currently not prioritised in the backlog. The fact that you are seeing API errors is due to the key timestamps. Faking the date will not actually result in you being able to fake out a submission. The only thing that could happen is that you retrieve key packages that are within different time constraints, up to a maximum of 14 days that are available on the server. As most people have no use and/or benefit from changing the date/time detection on their device, this issue is not critical at the moment in our opinion and a "fake" has no impact on the EN system, just for your device.

jakobmoellerdev self-assigned this Jun 26, 2020

@jakobmoellerdev

As we do not see an impact when "faking" time, I will change this issue to an enhancement.

Member

tkowark commented Jul 1, 2020

We will also move this issue to the wishlist repository to open up discussion about this enhancement to a broader community.

Member

dsarkar commented May 19, 2021

Hi @v1nc,

Thanks for contributing here. The app now shows days installed instead of days active, therefore this issue is obsolete now. We suggest closing this issue.

Best wishes, DS


Corona-Warn-App Open Source Team

Contributor

Ein-Tim commented May 19, 2021

@dsarkar

It's still possible to just set the time to the future and the "days since installation" are wrong (e.g. faked).
But, if the device time is wrong, the app shows an error and if there wasn't a risk calculation in the last 4 hours (connected to Wifi) or in the last 24 (connected to cellular) the app shows "Risiko-Überprüfung fehlgeschlagen."

Member

dsarkar commented May 19, 2021

@Ein-Tim Thanks. So, if not only wrong time, but also wrong date was detected, faking would not be possible, agreed?

Contributor

Ein-Tim commented May 19, 2021

@dsarkar Yes, agreed. Tested under iOS 14.5.1 on an iPhone 6s.

Member

dsarkar commented May 19, 2021

@Ein-Tim Actually, on iPhone 6s, 14.1, changing date only but not time, I still get "Risiko-Überprüfung fehlgeschlagen". Initially it is possible to change date and it shows more days installed, but then it gives the error "Risiko-Überprüfung fehlgeschlagen". So, my understanding is that at least for iOS this becomes obsolete. What do you think? I will check behaviour on Android. Thanks.

Contributor

Ein-Tim commented May 19, 2021

> Initially it is possible to change date and it shows more days installed, but then it gives the error "Risiko-Überprüfung fehlgeschlagen"

Yes correct, this is also what I have been experiencing.

> So, my understanding is that at least for iOS this becomes obsolete. What do you think?

Yes, I agree that this seems to be "fixed" under iOS because of the "wrong time/date" notification which leads to "Risiko-Überprüfung fehlgeschlagen".

Member

dsarkar commented May 19, 2021

@Ein-Tim Thanks for the feedback

Contributor

MikeMcC399 commented May 19, 2021

@dsarkar

> Thanks for contributing here. The app now shows days installed instead of days active, therefore this issue is obsolete now. We suggest closing this issue.

I agree that the issue should be closed. The repro steps no longer produce the result they previously did because of functional changes in the app. The app could have been installed for more than 14 days (in which case it shows no date installed) and during this time exposure logging could have been deactivated all the time. In other words it could have been installed all the time, but was dormant.

Also there would be no benefit to faking the number of days installed. The use of the app is voluntary and these days all benefits are dependent on negative test status, vaccination status or recovery status. Nobody I know is asking to see how long somebody has had CWA installed since there are no significant conclusions that can be drawn from this information.

v1nc closed this as completed May 19, 2021

Member

dsarkar commented May 19, 2021

@v1nc @Ein-Tim @MikeMcC399 Thanks to everybody for contributing!


Corona-Warn-App Open Source Team

dsarkar removed the mirrored-to-jira label May 19, 2021
heinezen added the mirrored-to-jira label May 20, 2021