MohGovIL / Ramzor

https://corona.health.gov.il/en/ramzor-model
Creative Commons Zero v1.0 Universal

Publish the source code for Ramzor app #4

Closed emanuelb closed 3 years ago

emanuelb commented 3 years ago

The source code for the Ramzor app on Android/iOS is not published/open-source. Please publish the code on GitHub, thus enabling developers and testers to look at the code and suggest improvements, find bugs, etc. See the related issue in the hamagen repo https://github.com/MohGovIL/hamagen-react-native/issues/289 which includes source code for the hamagen app; the repo includes 215 issues & 74 PRs. I opened 77 issues (20 were closed) in the hamagen repo, some are security & privacy issues, and would like to check the source code of the Ramzor app as well.

kaplanlior commented 3 years ago

We know current MOH plans are to not release the Ramzor app as Open Source (contrary to @MohGovIL/hamagen-react-native). Hopefully enough likes / comments to this issue would change that.

cool-RR commented 3 years ago

If the MOH truly commits to providing a secure and safe solution with the Ramzor app, releasing the code as open source will go a long way towards that goal. +1,000

bedoron commented 3 years ago

Please release the code so we can audit it

svetamorag commented 3 years ago

Right now, there is no plan to publish the source code for the "Ramzor" app. The application is not developed as an open source app, and it contains features that cannot be published without compromising MOH infrastructure or application users. Parts of it will be posted here, like the verification function. But most of the code is not related to the certificates or the verification process and cannot be published here for security and privacy reasons.

BarYamin commented 3 years ago

@svetamorag, with enough reverse-engineering, eager developers will be able to find all of the inner workings the app has.

By making the code open-source, you are allowing developers who are not interested in reverse-engineering to give their input on the security & raise bugs, which would otherwise be exposed by people who are mostly interested in malicious activity.

shevron commented 3 years ago

Now that I know this app's code contains things that make it either too insecure, too buggy or too fishy to be shared by MoH, I probably won't install it.

ailaG commented 3 years ago

> The application [...] contains features that cannot be published without compromising MOH infrastructure or application users.

If the application is so vulnerable, as you say, that with reverse engineering people may find practical ways to exploit it, then it shouldn't be installed on so many phones. It should be rewritten if things are as dire as you describe in that comment.