[NEW] Brief VerificaC19 app analysis

[Maxelweb]

More specifically, libraries used by the application and possible related attack vectors or known bug.

[Kero2375]

Verifica-C19 decoding workflow:

• read qr-code using ZXing library (https://github.com/journeyapps/zxing-android-embedded)
• check and remove prefix ("HC1:")
• decode from Base45
• decompress with ZLIB
• decode according to COSE specification
• check the kid field of the COSE
• validate and decode the CBOR packet
• get certificate from the repository using kid
• check that it's not in the black-list

Encoding documentation: https://www.governo.it/sites/governo.it/files/Green_Pass_all_D.pdf

[Maxelweb]

VerificaC19 Test data for each country: https://github.com/eu-digital-green-certificates/dgc-testdata

[Maxelweb]

Verification Fragment: https://github.com/ministero-salute/it-dgc-verificaC19-android/blob/develop/app/src/main/java/it/ministerodellasalute/verificaC19/ui/main/verification/VerificationFragment.kt

Code reader: https://github.com/ministero-salute/it-dgc-verificaC19-android/blob/develop/app/src/main/java/it/ministerodellasalute/verificaC19/ui/main/codeReader/CodeReaderFragment.kt

Barcode scanning library for Java: https://github.com/zxing/zxing (ported in VerificaC19) and a possible bug as illegal characters: https://github.com/zxing/zxing/issues/624

[Kero2375]

EU GreenPass Json specifications: https://ec.europa.eu/health/sites/default/files/ehealth/docs/covid-certificate_json_specification_en.pdf