SwissCovid / swisscovid-app-android

SwissCovid is the official contact tracing app of Switzerland.
Mozilla Public License 2.0

Location / Bluetooth Permissions #61

Closed dbrgn closed 4 years ago

dbrgn commented 4 years ago

Right now there is a lot of confusion whether enabling bluetooth and most importantly location is technically required for contact tracing to work.

See this thread for example, with lots of replies and a lot of confusing and contradicting information: https://twitter.com/adfichter/status/1265552302091403266

From what I understand, the DP-3T Android app uses Google's Exposure Notifications API to detect exposure and does not in any ways interact with the BLE stack.

In the Exposure Notifications API FAQ, it is written:

[image: quoted excerpt from the Exposure Notifications API FAQ]

This is reflected in the AndroidManifest:

https://github.com/DP-3T/dp3t-app-android-ch/blob/d87796564efd2cb8fc73e3cb6efb8b75233562a7/app/src/main/AndroidManifest.xml#L14-L15

So the permissions in DP-3T are clear, and no location access will be required. However, the question remains whether the location needs to be enabled at all for SwissCovid to work. The Android developer documentation mentions:

[image: quoted excerpt from the Android developer documentation]

So from what I understand, location access is only required to initiate a BLE scan, because that is precisely the way how the location of a user is being estimated. Just having the BLUETOOTH permission does not allow you to determine the location of a user.

So in essence, this boils down to two questions:

  1. Do current Google Exposure Notification APIs require that location services are enabled on the device? (I cannot test this since self-compiled versions of the app do not get access to this API, correct?)
  2. If this is currently required, is there a technical reason why access to the Exposure Notification API (which happens by whitelisting, if I understand this correctly) does not imply a permission to scan for BLE advertisement frames? (After all, even if the Google Exposure Notification stack does perform scans, the app has no access to them and thus cannot determine the user's location.)

Not needing to enable location services would be a big improvement with regards to user trust.

markbosshard commented 4 years ago

Related problem but from an Android user's perspective: The SwissCovid app asks me to turn on Location permissions (and yes, Android, this makes sense; using the Bluetooth permission we are technically traceable, so OK! Even if it will make many users sceptical...).

But: if it's not in the manifest, the app never asks me for that permission. (How) can I still enable it for just this app on Android (OxygenOS)? Thanks a lot!

Update: I understand it a bit better now. Having the general location service on my device turned on is sufficient. This is why I only get the error from SwissCovid on my standby screen: during Battery Saver the location service is not running (which is my desired behavior; this saves enormous amounts of battery). Do you have a solution for this? Thanks for more testing in the Android battery saver mode!

Message when general device location is off (the same message appears on the standby screen when in battery saver - not screenshottable unfortunately): [screenshot]

simonroesch commented 4 years ago

The SwissCovid app uses the ExposureNotification framework provided by Google. This is integrated as part of the Google Play Services and only whitelisted public health authority apps get access to the framework. The whole Bluetooth advertisement and scanning is done by the Google Play Services and therefore our app does not require the BLUETOOTH_ADMIN or ACCESS_FINE_LOCATION permission. But unfortunately it is a restriction of the Android system that BLE scanning can only be performed when the global device location services switch is turned on. This is intended behaviour on Android (see https://issuetracker.google.com/issues/37065090) but extremely confusing for this use case.

markbosshard commented 4 years ago

How to enable this permission during battery saver? Or are you saying we can't use SwissCovid in battery saver at all?

simonroesch commented 4 years ago

You have to configure battery saver in such a way that it does not disable location services, otherwise it will not be possible to register any contacts.
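The two device-level conditions described in the comments above (the global location switch must be on for Play Services to run BLE scans, and a battery saver that turns location off therefore breaks contact recording) can be checked from the app side without ever requesting a location permission. The following is an added example, not SwissCovid or DP-3T project code; the package, class and method names are assumptions. It uses only public Android/AndroidX APIs: `LocationManagerCompat.isLocationEnabled` (the global switch, which the Exposure Notifications stack depends on), `BluetoothAdapter.isEnabled` and `PowerManager.isPowerSaveMode`.

```java
// Added example, not part of the SwissCovid/DP-3T code base.
// Package and class names are hypothetical.
package ch.example.enprecheck;

import android.bluetooth.BluetoothAdapter;
import android.content.Context;
import android.location.LocationManager;
import android.os.Build;
import android.os.PowerManager;
import androidx.core.location.LocationManagerCompat;
import java.util.EnumSet;

public final class ExposurePreconditions {

    /** Reasons why the Exposure Notifications stack cannot record contacts right now. */
    public enum Problem { BLUETOOTH_OFF, LOCATION_SERVICES_OFF, BATTERY_SAVER_ON }

    private ExposurePreconditions() {}

    /**
     * Returns the set of current blockers. Empty means every precondition this app
     * can observe is satisfied. None of these checks needs a location permission:
     * reading the global switch is not the same as reading a location.
     */
    public static EnumSet<Problem> check(Context context) {
        EnumSet<Problem> problems = EnumSet.noneOf(Problem.class);

        // Bluetooth radio: Play Services does the advertising/scanning, but the
        // adapter must be on. isEnabled() only needs the normal BLUETOOTH permission.
        BluetoothAdapter bt = BluetoothAdapter.getDefaultAdapter();
        if (bt == null || !bt.isEnabled()) {
            problems.add(Problem.BLUETOOTH_OFF);
        }

        // Global location switch: since Android 6, BLE scans yield no results while
        // it is off, which is the restriction the thread refers to. AndroidX reads
        // LocationManager.isLocationEnabled() on API 28+ and Settings.Secure
        // LOCATION_MODE on older releases.
        LocationManager lm =
                (LocationManager) context.getSystemService(Context.LOCATION_SERVICE);
        if (lm == null || !LocationManagerCompat.isLocationEnabled(lm)) {
            problems.add(Problem.LOCATION_SERVICES_OFF);
        }

        // Battery saver: on some builds (OxygenOS, as reported above) it switches
        // location services off while active. Report it as a hint so the user can
        // be pointed at the exception setting rather than at the GPS toggle.
        PowerManager pm = (PowerManager) context.getSystemService(Context.POWER_SERVICE);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP
                && pm != null && pm.isPowerSaveMode()) {
            problems.add(Problem.BATTERY_SAVER_ON);
        }

        return problems;
    }
}
```

Calling `ExposurePreconditions.check(context)` when the home screen becomes visible and again on `ACTION_POWER_SAVE_MODE_CHANGED` / `LocationManager.MODE_CHANGED_ACTION` broadcasts lets the app show the same "location off" warning the screenshot above shows, but with battery saver named as the likely cause. To confirm the state from outside the app, `adb shell settings get secure location_mode` prints `0` when the global switch is off, which is the value that makes Play Services' BLE scans silently return nothing.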

markbosshard commented 4 years ago

1) A high number of users on Android use the battery saver almost permanently. Even as a techie I was not able to set this exception for location within 5 minutes of research. Definitely take this into your tutorial!

2) make sure not to enable the whole GPS module when drafting this battery saver exception. Constant GPS draws a lot of battery and I do not think we need to put this burden on users just to run a Bluetooth tracing app.

dbrgn commented 4 years ago

Thank you @simonroesch for the explanation. The technical choice on their end makes no sense to me (granting access to a Covid tracing app should imply no use of location data), but I see that there's nothing you can do about it. Maybe it's because the tracking framework is distributed in the Google services and not in Android itself, so that part of the code might not have a way to circumvent the location permission...

markbosshard commented 4 years ago

Please Upvote the google issue or even leave a comment there if you find this relevant as well: https://issuetracker.google.com/issues/37065090

dbrgn commented 4 years ago

@markbosshard note that requiring the location permission for BLE scans is correct and will most likely not change. Upvoting that issue will not help privacy.

By scanning for BLE beacons, you can geolocate a device. Therefore Google (correctly!) has decided that apps initiating BLE scans will require location services starting with Android 6.

This case is different though because Google themselves provide the Covid API (and the app does not access BLE), so I assumed that they can circumvent the location services requirement. I assume the reason why this is not the case is that the Covid API is being distributed through Google Play Services, and I assume that Google Play Services (acting like an application on the system) cannot circumvent this permission requirement without an Android OS update/patch.

Even if Google released an Android update that disables the location requirement for the Covid API, it would only reach a small percentage of devices.

treysis commented 4 years ago

@dbrgn Exactly. In Android 11 it might be possible, but with just PlayServices Google cannot circumvent the requirement.

However, you could reject the location permission for every app except PlayServices. Unfortunately, also PlayServices uses GPS from time to time, and this cannot be disabled starting with Android 9.

I think Google should implement a user-controllable switch inside PlayServices which disables location access by PlayServices except for contact tracing.

max-wittig commented 4 years ago

I'm just wondering why the German version of the tracing app doesn't require the app to run in the background. Repo at: https://github.com/corona-warn-app/cwa-app-android

treysis commented 4 years ago

Puh, good question. But I noticed the same. It only gets updated when I actively open it. Android seems to kill it in the background.