A comprehensive, technobabble free explanation of how Bluetooth contact tracing (doesn't) work and why simple solutions are often not that simple, if not outright dangerous, when applied in real life.
With Android and Play, figuring out device compatibility is somewhat of a black art. Which really just is a nice way for saying 'the whole Android ecosystem is one giant compatibility hack'.
Good to see that PEPP-PT is about to go up in flames by breaking central promises (privacy; anonymity) even before the project leaves the vaporware stage.
The thing that doesn’t seem obvious to many is: PEPP-PT & Co aren’t temporary solutions that will be shut down, once the crisis is over, because COVID-19 is not going to go away any time soon. Even if we were able to get <insert your country here> COVID-19 free within the next couple of months, there are lots of places with poor medical care (slums, refugee camps,…) all over the world where the virus can survive and from where it can be imported again at any time.
Contact tracing only makes sense at the point of time, the virus gets imported (not during the epidemic). Since we never know if/when that will happen, we also can’t de-install our tracing apps. In other words, we are looking at a long lasting privacy invasion. Hopefully, nobody is still as naive is to believe that during this time (we are talking decades at best till the virus can be eradicated worldwide), the system won’t be repurposed and abused.
Version 4.13 is vulnerable to a man in the middle attack during login. The security hole requires a targeted attack to exploit. The risk assessment is low. The attacker may capture the session cookie and the encrypted password. Upgrading to 4.14 is highly recommended.
Ross Anderson explaining why contact tracing apps are bullshit.
Actually, I wonder why we are still discussing this. Contact tracing/tracking is something you do before it becomes an epidemic. We are way past that point.
Direct download links for the latest version of the Android platform tools (adb, fastboot, sqlite3):
PSA for those, thinking that privacy shouldn’t matter all that much during the COVID-19 crisis:
On average, every infected person passes the virus on to 2 to 3 others. For your “victims” that spells 14 days home alone without sex. Plenty of downtime to ponder who’s responsible.
I keep telling people that infection tracking via smartphone (app) is a crackpot idea. But, hey, as Arthur C. Clarke puts it:
Any sufficiently advanced technology is indistinguishable from magic.
Computers are magic for most people, miracle cures are in high demand during any crisis and therefore politicians would like to believe nothing better than the “technology will (somehow) save us” mantra. All will be well if only we had an(y kind of an) app!
Well, there’s Pan-European Privacy-Preserving Proximity Tracing for example. It builds on an interesting idea: assign a unique number to every smartphone. Let the smartphone constantly broadcast that number to all other devices in the immediate vicinity via Bluetooth. Once a day, every phone then rings up a central server to ask if any of the numbers, it has “seen” in the past 14 days have been reported as “infected”. If so, the user is prompted to get tested and, in case of a positive result, to report his own number. It’s a nice, privacy aware protocol (no data beyond the number is required and you stay anonymous the whole time), but ultimately useless. Why? Simple: We are past the point of no return at which we could have eradicated the virus through strict quarantine. COVID19 is in the general populace, meaning it will spread till we either develop a vaccine or herd immunity. Eventually we will reach a level of endemic infection at which the next next ping will come shortly after any test we do. In other words, the app would be telling the I should act, at all times, as if I had contracted the virus. Coincidentally, that’s exactly the same thing, we are already suppose to do. The only difference being that we don’t have an app to drive us crazy with suspense at the moment.
Of course, PEPP-PT is not entirely pointless. It may not do much in terms of disease control, but at least, this way, politicians will get a relatively harmless Gris-gris that might keep them from buying from highly questionable firms such as Palantir.
Ha! Fun! When you ask Google Play for anything, you get a binary blob in response which must be parsed, using the protobuf library. There are two version of that library available (v2.x and v3.x) that implement version 2 and 3 of the protocol buffer language respectively. Since the two languages are incompatible with each other, I always assumed that the libraries would be as well, but that’s not the case! Version 3.x of the library is actually backwards compatible and able to properly handle blobs created with v2.x!
Why is this so great? Well, Play is inherently tied to version 2 of the language, but the v2.x library lacks a lot of useful features, such as the ability to export a binary blob to JSON. You can only format a message as plain text which kinda looks like JSON, but won’t be parseable. For small stuff that’s sufficient, but you are completely at a loss when dealing with something bigger, such as search results.
So, here’s the same search result (“test”) in the plain text and in the json format. The later can easily be inspected in existing tools (Firefox for example).