Corona-Warn-App: transparent communication?

This blog post is about the German Corona-Warn-App and its communication strategy, so I’ll stick to German for it.

On 16 and 17 December, two blog posts were published on the official Corona-Warn-App blog. The first announces the new version 1.9 of the app; the second explains how the new version calculates encounters and risk.

In my opinion, both blog posts are technically imprecise, misleading, or simply wrong. The second post only became necessary because the first says little about the actual changes, which left many users confused.


How to verify that apps from play store match their source code

Given the recent release of the “Corona Warn App” by the German RKI (Robert-Koch-Institut), several users complained that it’s not possible to ensure the app from the Play Store is actually the same as the published source code, as the app is not built reproducibly.

However, there is still a method to gain certainty that the app and the source code actually do match, and I’m going to describe it in this blog post. As an example I’ll use the Corona Warn App (de.rki.coronawarnapp) version 1.0.0, but the method can be applied to any other app as well.


European Commission vs post-truth Google

In April, the European Commission issued a statement against Google for the way they promote and distribute their apps on the Android platform. Google answered last week with a public blog post, more like a marketing campaign, including a video, nice animated pictures and updated websites. Of course, as it’s Google responding, there are a lot of points “proving” the European Commission wrong.

Wait… If it is really proving, why make it a public marketing campaign and not just a letter to the European Commission? Do you need to convince the public about something if you can make points that convince the responsible people? Well, maybe the points they made are not that convincing to some people, so let’s check the details of this campaign.

microG Signature Spoofing and its Security Implications

To use all the neat features of the microG project, which lets you use all features of your Android smartphone without those shitty, proprietary, battery-consuming Google blobs, your system is required to support signature spoofing. Currently only very few custom ROMs have built-in support for this feature; luckily you can use Xposed or a patching tool to add it to systems that don’t have it.

But: What is all this about? Is signature spoofing a problem when not using microG? Will it influence my security?
