corona-warn-app / cwa-app-android

Native Android app using the Apple/Google exposure notification API. The CWA development ends on May 31, 2023. You still can warn other users until April 30, 2023. More information:
https://coronawarn.app/en/faq/#ramp_down
Apache License 2.0

Do not perform RootBeer checks #5114

Closed mhier closed 1 year ago

mhier commented 2 years ago

Current Implementation

As discussed in #4264, the app is performing RootBeer checks to detect rooted devices and display potentially confusing messages on both rooted devices and non-rooted devices with a custom ROM.

Suggested Enhancement

Remove all those checks and do not display any such message.

Expected Benefits

The check and the display of the message is based on false assumptions about security. Many Android devices have a very limited time of support (2 years from release, i.e. often a lot less after purchase). Updating these devices with a custom ROM actually increases the security of the device. Still the RootBeer check fails on those devices - unless even more hacking is done to make the device pass again. Also for rooted devices, the security is not reduced, since "rooting" gives the owner of the device more control over her/his device, and not some malicious third party.

On the other hand, running the app on a stock, non-rooted Android 6.0 (which will pass the RootBeer checks by intent) definitively poses a threat to security, since many unpatched security issues exist on such old devices.

Finally, the device owner will know anyway about her/his device being rooted resp. running a custom ROM. If a device would truly be compromised by someone who maliciously roots a device without the owner knowing, he can also hack the RootBeer check to pass again, so this warning does not even reliably help in this case. (Plus the device owner would in that case likely not even know what to do and just click the warning away, since it does not offer any guidance for people who are not aware of these technical details.)

The display of such messages is problematic for two reasons:

  1. It may be displayed at random times (after any update of the app), hence it may still be visible e.g. to event staff checking the certificates. This may create confusion, as the majority of the people will not be able to distinguish this from a fraud certificate.
  2. It also adds to the general misconception that Android updates which are not endorsed by the device manufacturer are somehow dangerous.

The RootBeer checks seem to be influenced by false information spread by device manufacturers and the maker of Android about device rooting and installation of Custom ROMs being dangerous (cf. also the SafetyNet framework, which at least has some legit cause to protect DRM content). Also it is clear that manufacturers have an interest that users are hindered from updating their devices on their own and instead are buying new devices, especially since custom ROMs usually bring also new features. It is very convenient if sensitive apps like the corona warn app or some banking apps query some "device integrity" status and either display a warning or even completely stop functioning, since this proliferates the myth that such checks would be in the interest of the device owner (while the opposite is actually true - even protecting DRM content is not in the interest of the device owner but of the copyright holder of the content).

Since this is a publicly funded app, it should not commit to this strategy. In the end, allowing device owners to update their devices with custom ROMs even helps the environment, because devices can be used longer. It is bad enough that e.g. certain banking apps will be unusable due to the same issue (again, there is nothing insecure about using a banking app on a rooted and/or custom ROM'd device) - luckily not all banks believe in these false security claims. This app should be a positive example.

In case I still haven't convinced you about security concerns: Would you consider it insecure to store the PDF of a vaccination certificate on a Windows PC? Probably not. In many German states it was even necessary to download the certificate through a website, which most people are likely doing on their PCs. It is quite normal to have Administrator rights on PCs and similar devices, hence it should be normal to have root access to Android devices, too.

Internal Tracking ID: EXPOSUREAPP-12921

larswmh commented 2 years ago

Thanks for your enhancement request @mhier. We have created an internal ticket for it and will raise this topic internally. Internal Tracking ID: EXPOSUREAPP-12921

Corona-Warn-App Open Source Team

MikeMcC399 commented 2 years ago

@mhier

Could you give an example of an error message produced by SafetyNet? What configuration produces this?

From what I understand reading https://github.com/scottyab/rootbeer which CWA uses to flag a root warning, this does not use SafetyNet. Have I misunderstood?

Also in https://github.com/corona-warn-app/cwa-app-android/issues/2552#issuecomment-793560593 @thomasaugsten wrote:

"Without SafetyNet or a reimplementation you are not able to send analytics information in the background this will not result in an error visible for the user. You will receive an error If you try to attend at the RKI survey when you receive a red exposure notification card."

(I assume there was a typo in "baking" and this should be "banking".)

MikeMcC399 commented 2 years ago

The Datenschutz-Folgenabschätzung für die Corona-Warn-App mentions SafetyNet in 5.6.10.2 Google SafetyNet in the section 5.6.10 Teilnahme an der Datenspende (participation in data donation), and it is mentioned again under 5.6.11 Einladung zu Befragungen (invitation to surveys) and 5.9.3 Apple/Google.

In 8.1.3 Erforderlichkeit (necessity) it says:

"The authenticity check using the third-party services Apple DeviceCheck and Google SafetyNet is necessary as a risk-reducing measure. It serves to prevent the results of the analysis of the data collected by the RKI within the scope of the data donation or the surveys from being impaired by data transmitted en masse by third parties (e.g. as part of concerted attacks)."

So according to this description, SafetyNet is only used in the context of optional Data Contribution and Surveys.

mhier commented 2 years ago

Interesting. This raises more questions than it answers:

  1. Will there be no SafetyNet check if the "Datenspende" is disabled? If yes, please add this to the message shown when the SafetyNet check fails, also please perform a SafetyNet check when trying to enable the "Datenspende" and disallow this action. At the moment, there is no visible connection between enabling the "Datenspende" and the SafetyNet check.
  2. Since the check merely displays a warning, how does this prevent the collection of fraud data? Will the "Datenspende" be effectively disabled when the SafetyNet check has failed? The checkbox in the user settings is unaffected.
  3. The Datenschutz-Folgenabschätzung even recognises that using SafetyNet poses a significant threat to protection of data privacy (9.5.1.1). How can this possibly be outweighed by the benefits? Why were not other methods used to mitigate the issue? Since also SafetyNet can be bypassed (I am doing that right now), it cannot be an argument that other methods are not perfectly watertight. (A classic Captcha when enabling the "Datenspende" could be the basis for a possible solution.)
  4. I find it quite irritating that apparently the "Datenspende" can be correlated with other user data, because a unique token generated by a third party (Google) is shipped with the data. I now see that this is to some extent explained in the long text "Ihr Einverständnis" when enabling the Datenspende, but it also mentions "[...] bleibt Ihre Identität gegenüber dem RKI weiterhin geschützt" ("[...] your identity remains protected vis-à-vis the RKI"). This part is basically untrue. It is possible to reveal my identity from the information which is sent to the RKI. The user has to trust that the RKI is not doing this. This is clearly not what most people will take away when reading the Einverständniserklärung (including me back then when I read it for the first time). In my opinion, this is an illegal way to obtain consent by fraud. Please fix this ASAP.

mhier commented 2 years ago

Could you give an example of an error message produced by SafetyNet? What configuration produces this?

In #4264 you can find a screen shot at the end. I am not getting the error message any more, because my phone now passes SafetyNet checks despite using LineageOS.

From what I understand reading https://github.com/scottyab/rootbeer which CWA uses to flag a root warning, this does not use SafetyNet. Have I misunderstood?

As I said, I am not getting the error message any more since my phone passes SafetyNet - so there must be some connection. Also as mentioned in the closing ticket of #4264 and also observed by myself, the "root warning" also triggers on unrooted phones when just using a custom ROM. Finally, as pointed out by @MikeMcC399, the Datenschutz-Folgenabschätzung directly mentions the use of SafetyNet.

Also in #2552 (comment) @thomasaugsten wrote:

"Without SafetyNet or a reimplementation you are not able to send analytics information in the background this will not result in an error visible for the user. You will receive an error If you try to attend at the RKI survey when you receive a red exposure notification card."

Well, I understand some protection is needed for that case, but it does not have to be SafetyNet, nor does it have to check for "manipulations" of the operating system. Just making sure there is a human associated with the device is perfectly sufficient. Moreover, using SafetyNet for this purpose is not even that helpful, since it is a quite common method to use a "farm" of phones for spamming etc.

(I assume there was a typo in "baking" and this should be "banking".)

Err, thanks. Corrected.

Ein-Tim commented 2 years ago

@mhier

The root information you see is not related to the SafetyNet checks.

Regarding your last point

In my opinion, this is an illegal way to obtain consent by fraud. Please fix this ASAP.

Please, open a new issue for this.

mhier commented 2 years ago

@mhier

The root information you see is not related to the SafetyNet checks.

Yes it is. It is no longer there since my phone passes SafetyNet.

Ein-Tim commented 2 years ago

@mhier

Yes it is. It is no longer there since my phone passes SafetyNet.

CWA uses rootbeer for root checks and not SafetyNet. That's also what @MikeMcC399 tried to explain above.

The source for RootBeer usage is the comments in https://github.com/corona-warn-app/cwa-app-android/issues/4264

Ein-Tim commented 2 years ago

There are two forms of safety checks, IIUC:

  1. Rootbeer, used to detect if a device is rooted, then the corresponding information box is shown during app start up
  2. SafetyNet, used to detect if the app or the device is somehow manipulated, to make donating data harder from manipulated devices/apps

mhier commented 2 years ago

There are two forms of safety checks:

1. Rootbeer, used to detect if a device is rooted, then the corresponding information box is shown during app start up

2. SafetyNet, used to detect if the app or the device is somehow manipulated, to make donating data harder from manipulated devices/apps

Ok, maybe this is true, maybe not. Clearly the message at app start vanished after tricking SafetyNet checks to pass. In any case, all my points stay valid, maybe just some applying only to one of the two checks.

Ein-Tim commented 2 years ago

Ok, maybe this is true, maybe not. Clearly the message at app start vanished after tricking SafetyNet checks to pass.

Probably because making the changes to trick SafetyNet also tricks Rootbeer :D

In any case, all my points stay valid, maybe just some applying only to one of the two checks.

Agreed, this issue is fine to stay open!

mhier commented 2 years ago

I have updated the first comment to take into account that there are multiple checks...

MikeMcC399 commented 2 years ago

[screenshot]

[screenshot]

mhier commented 2 years ago

Well, if these are two separate checks, the Rootbeer-based check upon app start is even more questionable. It does not only proliferate the false claim that root permissions granted to the device owner pose a security risk, also there are false positives in the sense that non-rooted custom ROMs will show the same "security note". Apart from the custom ROM effect (which doesn't seem to be intentional given the content of the message), this message simply "warns" the device owner about the device owner having root privileges on his device. Sounds a bit ridiculous, doesn't it? ;-) (Please let me know if I am missing some point here - I was w.r.t. data donation / surveys, but so far I didn't find any indication I missed a point about the startup message.)

MikeMcC399 commented 2 years ago

@mhier

I suggest you review this request and decide whether you want to make it applicable to both RootBeer and SafetyNet checks as the use-cases for the two different checks are different. The request started out as a SafetyNet request and now the title is "Do not perform SafetyNet/Rootbeer/etc. checks".

Also @larswmh would need to check the Internal Tracking ID: EXPOSUREAPP-12921 to see if it is aligned with your new scope.

mhier commented 2 years ago

The main point of this ticket was actually the RootBeer test, which I falsely thought to be a SafetyNet check. I will hence reduce the ticket description to that aspect only. Sorry about the confusion (which is actually caused by misleading messages from the app!).

The app publisher (RKI) on the other hand feels they have the duty to protect users and to warn them. So there is disagreement here between some users and the publisher.

This is not about opinions. "Warning" the device owner about him having root privileges does NOT protect any user. This is a clear and obvious fact, and I think you agree with me. The RKI obviously is influenced by "alternative facts" spread by device manufacturers etc. to motivate people to buy new hardware instead of upgrading their operating system. Someone needs to stand up against the decision makers and tell them.

MikeMcC399 commented 2 years ago

So to summarize, the Internal Tracking ID: EXPOSUREAPP-12921 should now reflect the changed details of this enhancement request which is to remove the RootBeer check so that the message found in the screenshot section https://www.coronawarn.app/en/screenshots/#android_security_note is never displayed.

Currently this message may be output after app installation, reset or update to a new version. It can be suppressed in version 2.16 and later until the next app update. See https://www.coronawarn.app/en/faq/results/#root_detection_android.

mhier commented 2 years ago

Let me also summarise the arguments a bit more concisely:

As a consequence, RootBeer does not do the intended job. There may be no way to achieve this protection, but this is not an argument to use a tool which does not achieve the goal, especially not if it has negative side effects (see ticket description).

MikeMcC399 commented 2 years ago
fynngodau commented 2 years ago

CCTG has replaced the root check at launch with a card that can be dismissed permanently, as a heads-up rather than a warning:

[screenshot]

(Also, the data donation features are removed due to the SafetyNet requirements.)

mhier commented 2 years ago

Well, at least now everyone who understands what "root access" means will understand the pointlessness of this check. The message essentially says "you can access your own sensitive personal information without limits" - congratulations, this is what I would expect from a device I am actually owning.

I still think no such check should be performed at all. I guess this is a lost cause. You may close this ticket. Thank you very much so far for the support (no irony intended, I know there are certain... constraints)!

MikeMcC399 commented 2 years ago

@mhier

The screenshot which @fynngodau kindly posted is for the community developed Corona Contact Tracing Germany - CCTG app which is derived from the official Corona-Warn-App (CWA) published by the Robert Koch Institute.

There hasn't been any change to the logic or message for CWA.

You may close this ticket.

If you would like to close this ticket, you should be able to find the self-service button "Close issue" at the bottom of this thread.

mhier commented 2 years ago

Ah sorry, I didn't get the acronym...

I do not consider this issue solved one way or the other, until any root check has been removed from this app. Still, I think this is a lost cause since I guess this change won't happen. In that case a developer/maintainer might want to close this ticket as "won't fix" or so...

larswmh commented 2 years ago

@mhier we would like to keep this issue open as there was no feedback on the ticket yet. This does not necessarily mean it is a won't fix.

Corona-Warn-App Open Source Team

r00t- commented 1 year ago

this ticket relies on the assumption that the app could be useful on rooted phones, which is not true anymore currently, see https://github.com/corona-warn-app/cwa-app-android/issues/5884

MikeMcC399 commented 1 year ago

@r00t-

this ticket relies on the assumption that the app could be useful on rooted phones, which is not true anymore currently

The FAQ [Google/Android]: Can I use the app on a rooted device? says:

" ... the app is not officially supported on rooted devices.

Since version 3.0 users of the Corona-Warn-App can warn others without a TAN. This will not work if you have rooted your device, as the SafetyNet check the app performs when attempting to warn others without a TAN fails.

Currently, unlocking the bootloader or similar modifications (such as installing microG) will cause the optional data donation and survey features to fail without an indication in the app. The reason for this is that these features require an integrity check via SafetyNet."

The storage of certificates is not affected. Much of the other functionality is in any case planned to be disabled during the ramp-down phase to "end-of-life" due to legal testing changes and political decisions.

r00t- commented 1 year ago

quoting your comment from #5884 :

https://www.coronawarn.app/en/faq/results/#root_detection_android, does not mention the restriction that a rooted device cannot be used to Warn without TAN.

imho the ability to warn other users is the primary feature of the app, if that feature were to be removed at any time, the app could just be disabled completely.

mtwalli commented 1 year ago

Not planned

mhier commented 1 year ago

I removed the app from my phone.