Lazy as I am, I will do the 'report' on the Stopp Corona App in English on Twitter (German will be a blog post). I will focus on cryptography, security and privacy.
So follow this thread if you're interested in technical details.
First - what is it? Well, you can track your physical contacts via "digital handshakes", and it should be anonymous (or at least pseudonymous). If one of your contacts confirms an infection, you will be notified. And they did an interesting job.
First, the handshake is done manually and is based on Google Nearby (BTLE + sound + location + Google APIs). No UUID is exchanged, only a public key. But which public key? How do they do the notification? What data is exchanged, and where and how is it stored?
The public key is a 1024-bit RSA key that is generated on both Android and iOS at first start of the app. We can see it in the source or in the March binary:
In a dynamic analysis we can dump the keychain/KeyStore and verify this.
Encounters are stored in a SQLite database containing the public key together with an incremental id and a timestamp. That is pretty nice.
But here's a minor con: the public key never changes - ever. Since the keys are still only stored locally, this is for now only a minor drawback. Also: the handshake isn't signed, so you may just use any of your collected keys. The attack scenario is limited, just for fun?
More interestingly, there are prepared data fields for "name, dob, city, zip" even though they aren't used. This might be an artifact generated from a data schema, but it doesn't fit "anonymous". Nevertheless they are never used, only filled with empty strings.
So, what happens in case of an infected encounter? The app generates a *random* UUID and encrypts it with all stored public keys from the last 2 days.
Since I didn't want to trigger that function, I aborted it in Burp. The scheme used is "RSA/None/PKCS1Padding".
All infection messages are distributed to all clients, and every client tries to decipher them using its private key. If your client is able to do so, that is 'proof' that you encountered an infected person.
There is some evidence that the content is neither decrypted nor inspected on the server side, as someone has already put a Hungarian "I was here" message there.
Once you had an encounter, the backend will be informed that you had one, but not which handshake exactly. So what's left to say?
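To make the scheme above concrete, here is an added simulation written for this write-up; it is not code from the Stopp Corona app. It models one device as a fixed RSA-1024 key pair plus a local SQLite table of encounters (public key, incremental id, timestamp), an infection report as a random UUID encrypted under every public key collected in the last 2 days using PKCS#1 v1.5 padding (the "RSA/None/PKCS1Padding" scheme), and a broadcast that every client tries to decrypt. Textbook RSA and the padding are hand-written only so the example runs offline without third-party packages; a real app uses the platform's crypto provider. The names Phone, handshake, report_infection and check_messages are my own labels, not the app's API, and the four-device scenario is constructed.

```python
# Added example, not the app's code: simulation of the notification scheme.
# Textbook RSA + PKCS#1 v1.5 written by hand only to avoid dependencies.
import random
import secrets
import sqlite3
import time
import uuid

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2 or any(n % p == 0 for p in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit, odd
        if is_probable_prime(cand):
            return cand


def gen_keypair(bits=1024):
    """Return ((n, e), (n, d)); 1024 bits mirrors the key size seen in the app."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def pkcs1_v15_encrypt(pub, msg):
    """RSA PKCS#1 v1.5 type-2 encryption, i.e. "RSA/None/PKCS1Padding"."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(msg) > k - 11:
        raise ValueError("message too long for key")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - len(msg) - 3))  # non-zero pad
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")


def pkcs1_v15_decrypt(priv, ct):
    """Return the plaintext, or None when the padding does not verify (wrong key)."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    if len(ct) != k:
        return None
    em = pow(int.from_bytes(ct, "big"), d, n).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:  # at least 8 padding bytes required
        return None
    return em[sep + 1:]


class Phone:
    """One installed app: a never-rotated key pair plus a local encounter table."""

    def __init__(self, name):
        self.name = name
        self.pub, self._priv = gen_keypair()  # generated once at first start
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE encounters (id INTEGER PRIMARY KEY AUTOINCREMENT,"
                        " pubkey TEXT NOT NULL, ts INTEGER NOT NULL)")

    def _store(self, pub, ts):
        self.db.execute("INSERT INTO encounters (pubkey, ts) VALUES (?, ?)", ("%d:%d" % pub, ts))

    def handshake(self, other, ts):
        """Unsigned exchange of public keys only: nothing binds a key to its sender."""
        self._store(other.pub, ts)
        other._store(self.pub, ts)

    def report_infection(self, now, window=2 * 86400):
        """Fresh random UUID encrypted under each key collected in the last 2 days."""
        token = uuid.uuid4().bytes
        rows = self.db.execute("SELECT pubkey FROM encounters WHERE ts >= ? ORDER BY id",
                               (now - window,))
        return [pkcs1_v15_encrypt(tuple(int(x) for x in enc.split(":")), token) for (enc,) in rows]

    def check_messages(self, msgs):
        """Try every broadcast message with our private key; only real contacts get a UUID."""
        hits = []
        for ct in msgs:
            pt = pkcs1_v15_decrypt(self._priv, ct)
            if pt is not None and len(pt) == 16:
                hits.append(uuid.UUID(bytes=pt))
        return hits


def simulate():
    """Constructed scenario: alice met bob an hour ago, carol 5 days ago, dave never."""
    alice, bob, carol, dave = (Phone(n) for n in ("alice", "bob", "carol", "dave"))
    now = int(time.time())
    alice.handshake(bob, now - 3600)
    alice.handshake(carol, now - 5 * 86400)
    msgs = alice.report_infection(now)  # all the server ever sees: opaque ciphertexts
    return {"broadcast": len(msgs), "bob": len(bob.check_messages(msgs)),
            "carol": len(carol.check_messages(msgs)), "dave": len(dave.check_messages(msgs))}


if __name__ == "__main__":
    print(simulate())
```

Running it shows one ciphertext in the broadcast (only bob's key falls inside the 2-day window), bob recovering the UUID, and carol, dave and any relay in between getting nothing. The two properties the thread points out are visible in the code: the key pair is created once in `__init__` and never rotated, and `handshake` stores whatever key it is handed without any signature.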
- Unsigned handshake -> you can use any public key
(could've been solved with e.g. an RSA blind signature)
- Public key doesn't change
- There are some questionable artifacts (street/name/zip/dob...)
- Someone already left a message there
- You will disclose some data, but it is interesting
CC @fs0c131y