This blog post is about the German Corona-Warn-App and its communication strategy. So I’ll stick to German for it.
On December 16 and 17, two blog posts were published on the official blog of the Corona-Warn-App. The first announces the new version 1.9 of the app; the second explains how encounters and risk are calculated in the new version.
In my opinion, both blog posts are technically imprecise, misleading, or simply wrong. The second blog post only became necessary because the first says little about the actual changes, leaving many users confused in the end.
Having recently learned about Mike Kuketz’s (a popular German privacy blogger) interesting stance that Threema is better at protecting your metadata than XMPP, I felt the need to write down some thoughts on metadata in instant messaging and on XMPP specifically.
Given the recent release of the “Corona Warn App” by the German RKI (Robert-Koch-Institut), several users complained that it’s not possible to ensure the app from the Play Store is actually the same as the published source code, as the app is not built reproducibly.
However, there is still a method to gain certainty that the app and source code actually do match, and I’m going to describe this method in this blog post. As an example I’ll use the Corona Warn App (de.rki.coronawarnapp) version 1.0.0, but the method can be applied to any other app as well.
… or why it’s useless to have the most secure crypto system in the world, when using non-free and untrustworthy tools and libraries to implement it.
Assuming you found a security issue in OpenWhisperSystems that you consider worth reporting privately, how do you do so? Check the whispersystems.org website; you won’t find an e-mail address other than one to apply for a job.
In April, the European Commission issued a statement against Google for the way they promote and distribute their apps on the Android platform. Google answered last week with a public blog post, more like a marketing campaign, including a video, nice animated pictures and updated websites. Of course, as it’s Google responding, there are a lot of points “proving” the European Commission wrong.
Wait… If it is really proving, why make it a public marketing campaign and not just a letter to the European Commission? Do you need to convince the public about something, if you can make points that convince the responsible people? Well, maybe the points they made are not that convincing to some people, so let’s check the details of this campaign.
To use all the neat features of the microG project, which allows you to use all features of your Android smartphone without those shitty, proprietary, battery-consuming Google blobs, your system is required to support signature spoofing. Currently only very few custom ROMs have built-in support for this feature; luckily you can use Xposed or a patching tool to add the feature to the systems that don’t have it.
But: What is all this about? Is signature spoofing a problem when not using microG? Will it influence my security?