Active time is easy to fake #88
Comments
This issue is closely related to corona-warn-app/cwa-app-android#685. To sum things up: Currently, the decision is to rely on the automatic calculation of the date and time of the device and that manual tampering of this setting is not supported. This was done as we explicitly did not want to contact NTP servers directly for the first release. This might change in the future, however, and it is currently not prioritised in the backlog. The fact that you are seeing API errors is due to the key timestamps. Faking the date will not actually result in you being able to fake out a submission. The only thing that could happen is that you retrieve key packages that are within different time constraints, up to a maximum of 14 days that are available on the server. As most people have no use and/or benefit from changing the date/time detection on their device, this issue is not critical at the moment in our opinion and a "fake" has no impact on the EN system, just for your device.
As we do not see an impact when "faking" time, I will change this issue to an enhancement.
We will also move this issue to the wishlist repository to open up discussion about this enhancement to a broader community.
Hi @v1nc, Thanks for contributing here. The app now shows days installed instead of days active, therefore this issue is obsolete now. We suggest closing this issue. Best wishes, DS Corona-Warn-App Open Source Team
It's still possible to just set the time to the future and the "days since installation" are wrong (e.g. faked).
@Ein-Tim Thanks. So, if not only wrong time, but also wrong date was detected, faking would not be possible, agreed?
@dsarkar Yes, agreed. Tested under iOS 14.5.1 on an iPhone 6s.
@Ein-Tim Actually, on iPhone 6s, 14.1, changing date only but not time, I still get "Risiko-Überprüfung fehlgeschlagen". Initially it is possible to change date and it shows more days installed, but then it gives the error "Risiko-Überprüfung fehlgeschlagen". So, my understanding is that at least for iOS this becomes obsolete. What do you think? I will check behaviour on Android. Thanks.
Yes correct, this is also what I have been experiencing.
Yes, I agree that this seems to be "fixed" under iOS because of the "wrong time/date" notification which leads to "Risiko-Überprüfung fehlgeschlagen".
@Ein-Tim Thanks for the feedback
I agree that the issue should be closed. The repro steps no longer produce the result they previously did because of functional changes in the app. The app could have been installed for more than 14 days (in which case it shows no date installed) and during this time exposure logging could have been deactivated all the time. In other words it could have been installed all the time, but was dormant. Also there would be no benefit to faking the number of days installed. The use of the app is voluntary and these days all benefits are dependent on negative test status, vaccination status or recovery status. Nobody I know is asking to see how long somebody has had CWA installed since there are no significant conclusions that can be drawn from this information.
@v1nc @Ein-Tim @MikeMcC399 Thanks to everybody for contributing! Corona-Warn-App Open Source Team
Avoid duplicates
Describe the bug
The "active status" time is easy to fake.
Expected behaviour
The "active status" should be calculated with the real time, not with device time.
It should not be possible to change "active status" behaviour by changing device time.
Steps to reproduce the issue
Technical details
Possible Fix
Only use time from NTP servers to calculate "active time"
Internal Tracking Id: EXPOSUREAPP-2107
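Added example, not part of the issue thread or the Corona-Warn-App code base: a sketch of the "Possible Fix" idea, computing the device clock's offset from an SNTP reply and using it to correct a days-installed counter. The function names, the two-hour tolerance and the 48-byte reply are assumptions constructed for this illustration, and it runs offline without contacting any server.

```python
import struct

NTP_UNIX_DELTA = 2_208_988_800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
MAX_SKEW_S = 2 * 60 * 60        # assumed tolerance before the device clock is distrusted
DAY_S = 86_400

def to_ntp(unix_s):
    """Encode Unix seconds as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_s)
    return struct.pack("!II", whole + NTP_UNIX_DELTA, int((unix_s - whole) * 2**32))

def from_ntp(raw):
    sec, frac = struct.unpack("!II", raw)
    return sec - NTP_UNIX_DELTA + frac / 2**32

def clock_offset(reply, t1, t4):
    """Server-minus-device offset in seconds; t1/t4 are device times at send/receive."""
    if len(reply) < 48:
        raise ValueError("short SNTP reply")
    if reply[0] & 0x07 != 4 or reply[1] == 0:  # must be mode 4 (server), stratum != 0
        raise ValueError("not a usable server reply")
    if abs(from_ntp(reply[24:32]) - t1) > 1e-3:  # originate must echo our request time
        raise ValueError("originate timestamp mismatch")
    t2, t3 = from_ntp(reply[32:40]), from_ntp(reply[40:48])  # server receive/transmit
    return ((t2 - t1) + (t3 - t4)) / 2

def days_installed(install_unix, device_now, offset):
    """Return (days since install on the corrected clock, device clock trusted?)."""
    corrected_now = device_now + offset
    return max(0, int((corrected_now - install_unix) // DAY_S)), abs(offset) <= MAX_SKEW_S

def build_reply(t1, t2, t3):
    """Constructed 48-byte reply for the offline demo: LI=0, VN=4, mode=4, stratum 2."""
    header = bytes([0x24, 2, 0, 0]) + bytes(12)
    return header + to_ntp(t2) + to_ntp(t1) + to_ntp(t2) + to_ntp(t3)

# Constructed scenario: installed 3 days ago, device date set 10 days into the future.
INSTALL = 1_600_000_000
TRUE_SEND = INSTALL + 3 * DAY_S + 1_000
DEVICE_SEND = TRUE_SEND + 10 * DAY_S
REPLY = build_reply(DEVICE_SEND, TRUE_SEND + 1, TRUE_SEND + 1)

if __name__ == "__main__":
    off = clock_offset(REPLY, DEVICE_SEND, DEVICE_SEND + 2)
    print("naive days:", (DEVICE_SEND + 2 - INSTALL) // DAY_S)
    print("corrected (days, trusted):", days_installed(INSTALL, DEVICE_SEND + 2, off))
```

Plain SNTP replies are unauthenticated, so a reference time obtained this way is only as trustworthy as the network path it arrived over.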