corona-warn-app / cwa-app-ios

Native iOS app using the exposure notification framework from Apple. The CWA development ends on May 31, 2023. You still can warn other users until April 30, 2023. More information:
https://coronawarn.app/en/faq/#ramp_down
Apache License 2.0

Vaccination Certificate in Wallet (iOS) #2965

Closed kevin-kraus closed 3 years ago

kevin-kraus commented 3 years ago

Feature description

Show a pass in Wallet on iOS for quick access in certain situations by just double clicking the side- / home button.

For example if in the future the case arises that you need a proof of vaccination for certain places to enter (e.g. restaurants), you could access the vaccination certificate quicker by using the wallet shortcuts than searching the CWA and opening the tab for the certificate there.

Problem and motivation

User acceptance, simplicity of use and speed of processing for entry controls increase.

Is this something you're interested in working on

No


Internal Tracking ID: EXPOSUREAPP-7811

Nils-witt commented 3 years ago

For everyone interested in my little project: It's now working well with my certificates and has now a client app: https://github.com/Nils-witt/VacxPass-iOS

All development in those repos took around 12 hours (+/-).

@ezadoo stated that a developer could build that feature in 6 hours, I wanted to see if it is really that easy and fast. So an afternoon later: Yes, it is. It's a pretty simple Node.js implementation: https://github.com/Nils-witt/VacxPass-Server

marvinsxtr commented 3 years ago

I developed a small web app, which lets you add your certificates as a pass: CovidPass. It is developed in accordance with the GDPR and is hosted in Germany. Feel free to contribute

ste-fle commented 3 years ago

We do not recommend storing the certificate in the Apple Wallet due to privacy risks involved. Whether the CWA implements the feature does not change the risk here. This is the reason why the feature was rejected in the first place.

You can still use other methods than Apple Wallet to store the certificate:

  • storing the certificate inside the CWA
  • keeping a copy of the printout in your physical wallet or pockets

All solutions or workarounds in this thread should be used at your own risk and are not endorsed by the CWA team.

Corona-Warn-App Open Source Team

How is carrying a copy of the printout any different / more secure than having the certificate exported into the wallet app? It contains the same QR code so I don't really get why you would suggest this as a viable alternative while denying the wallet export due to privacy issues.

@heinezen For me the bigger privacy risk is an unlocked phone to show it and that I maybe hand over to someone who wants to scan the QR code.

+1

heinezen commented 3 years ago

@heinezen For me the bigger privacy risk is an unlocked phone to show it and that I maybe hand over to someone who wants to scan the QR code.

You can unlock your phone and keep it in your hands while the QR code is scanned.


Corona-Warn-App Open Source Team

ezadoo commented 3 years ago

When we are already talking about hypothetical choices, we should consider the possibility to disable the Wallet access from the lockscreen in the same way.

Also if you search in Google for the search term "Impfpass Apple wallet", etc. you are getting already a huge amount of results from big news- and tech-websites which are promoting all the mentioned apps and so the interest in this feature and the amount of users for these solutions will grow in the future.

benzman81 commented 3 years ago

@heinezen For me the bigger privacy risk is an unlocked phone to show it and that I maybe hand over to someone who wants to scan the QR code.

You can unlock your phone and keep it in your hands while the QR code is scanned.

Corona-Warn-App Open Source Team

Even for ApplePay you are sometimes required to give your phone to a person behind plexiglass so that the person holds it to the payment device. So handing a completely unlocked device to a person that could even run away with it is more a security issue than having the vaccination certificate in the wallet. Even the apple emergency pass is able to be shown on locked phones with even more sensitive information.

Since there are websites propagating the use of third-party apps or websites you should really provide a safe implementation. Using third-party apps or websites is an issue for the whole pandemic as, when certificate is needed to be uploaded, a third-party company can collect many certificates and sell them or whatever and many people checking the certificate skip the fact that they should compare the certificate data against an ID.

iMonZ commented 3 years ago

@heinezen For me the bigger privacy risk is an unlocked phone to show it and that I maybe hand over to someone who wants to scan the QR code.

You can unlock your phone and keep it in your hands while the QR code is scanned. Corona-Warn-App Open Source Team

Even for ApplePay you are sometimes required to give your phone to a person behind plexiglass so that the person holds it to the payment device. So handing a completely unlocked device to a person that could even run away with it is more a security issue than having the vaccination certificate in the wallet. Even the apple emergency pass is able to be shown on locked phones with even more sensitive information.

Since there are websites propagating the use of third-party apps or websites you should really provide a safe implementation. Using third-party apps or websites is an issue for the whole pandemic as, when certificate is needed to be uploaded, a third-party company can collect many certificates and sell them or whatever and many people checking the certificate skip the fact that they should compare the certificate data against an ID.

That’s not true! The device stays in the hands of the owner. And only the owner will put the device on the payment device and no one else. I don’t know where you are but payment devices should always be outside of the glass. It’s the same thing you don’t give your wallet to the cashier and say: „take out the money“ if you pay with cash

benzman81 commented 3 years ago

That’s not true! The device stays in the hands of the owner. And only the owner will put the device on the payment device and no one else. I don’t know where you are but payment devices should always be outside of the glass. It’s the same thing you don’t give your wallet to the cashier and say: „take out the money“ if you pay with cash

That is real world experience and also happens with credit and giro card. Of course, it should not happen, but it happened and still happens to me, so your statement "That’s not true!" is wrong, I wouldn't come up with it if it does not happen ;-)

iMonZ commented 3 years ago

That’s not true! The device stays in the hands of the owner. And only the owner will put the device on the payment device and no one else. I don’t know where you are but payment devices should always be outside of the glass. It’s the same thing you don’t give your wallet to the cashier and say: „take out the money“ if you pay with cash

That is real world experience and also happens with credit and giro card. Of course, it should not happen, but it happened and still happens to me, so your statement "That’s not true!" is wrong, I wouldn't come up with it if it does not happen ;-)

In which area do you live? I have never seen that kind of sad actions.

jucktnich commented 3 years ago

@iMonZ same here, some terminals can't be accessed, since there's a Plexiglas in between

heinezen commented 3 years ago

Since the feature is still declined and the situation regarding the iOS wallet has not changed so far, we will close this issue again. We will reopen the issue if a solution has been found.


Corona-Warn-App Open Source Team

rogatec commented 3 years ago

That’s not true!

The device stays in the hands of the owner.

And only the owner will put the device on the payment device and no one else.

I don’t know where you are but payment devices should always be outside of the glass.

It’s the same thing you don’t give your wallet to the cashier and say: „take out the money“ if you pay with cash

That is real world experience and also happens with credit and giro card. Of course, it should not happen, but it happened and still happens to me, so your statement "That’s not true!" is wrong, I wouldn't come up with it if it does not happen ;-)

In which area do you live? I have never seen that kind of sad actions.

True story at the vaccination center for my first jab in Bavaria: I had to hand over my iPhone for scanning the registration, because the scanner cable was too short. So the iPhone was completely unlocked behind the glasses.

ezadoo commented 3 years ago

That’s not true!

The device stays in the hands of the owner.

And only the owner will put the device on the payment device and no one else.

I don’t know where you are but payment devices should always be outside of the glass.

It’s the same thing you don’t give your wallet to the cashier and say: „take out the money“ if you pay with cash

That is real world experience and also happens with credit and giro card. Of course, it should not happen, but it happened and still happens to me, so your statement "That’s not true!" is wrong, I wouldn't come up with it if it does not happen ;-)

In which area do you live? I have never seen that kind of sad actions.

True story at the vaccination center for my first jab in Bavaria: I had to hand over my iPhone for scanning the registration, because the scanner cable was too short. So the iPhone was completely unlocked behind the glasses.

Exactly, I've experienced this too, also from both sides. As I did the checkin myself, I've experienced this problem multiple times.

But this case doesn't exist in the minds of the developers here stakeholders like BMG and RKI, neither does the option to disable the wallet access from lockscreen.

//corrected the responsibility

dsarkar commented 3 years ago

Dear @ezadoo, dear community.

We will come back to this thread with any news if there should be any new development regarding this issue, and of course in the meantime feel free to continue the discussion here. Just for clarification: The developers do not decide which features will be implemented. This is to be decided by several other stakeholders, amongst them BMG and RKI.


Corona-Warn-App Open Source Team

Ein-Tim commented 2 years ago

@dsarkar & @heinezen

Could you please let us know why exactly this feature has been declined? The reason @heinezen gives in https://github.com/corona-warn-app/cwa-app-ios/issues/2965#issuecomment-864567200 is a very general one.

Is the problem here also the accessibility from the lock screen?

iMonZ commented 2 years ago

https://www.computerbild.de/artikel/cb-News-App-Check-iOS-15.1-Impfnachweis-wandert-in-die-Wallet-30805397.html

Ein-Tim commented 2 years ago

@iMonZ Please see https://github.com/corona-warn-app/cwa-wishlist/issues/646#issuecomment-924325875 and what's written in the article:

There does seem to be a catch, though: Apple is currently testing the feature only with certificates issued in the USA. And those differ from the ones we receive in Germany as proof of vaccination at the pharmacy. Whether German vaccination certificates will also be supported in the Wallet at the launch of iOS 15.1 has not been determined.

According to Apple (https://developer.apple.com/news/?id=7h3vwlh5) only SMART Health Cards are able to use this feature. So this feature is useless for Europe at the moment.

ezadoo commented 2 years ago

It has come to my attention that it is now possible to export the Certificate as pdf with a note that the pdf contains sensitive personal data and it should only be shown to authorized personnel.

And I want to ask the same question that Ein-Tim asked regarding this topic elsewhere:

I don't understand why it isn't possible to just add a similar note and let the user add the DCC in their wallet. There is literally no difference to the PDF which can be created, the user could set it as their wallpaper on the Lock Screen and the app can't do anything against it. Still this feature was implemented while the wallet integration was declined...

Why is this from a privacy standpoint not a problem, and why isn't a similar note displayed and sufficient for the Wallet-integration?

With the PDF Feature the decision here simply seems like hypocrisy.

GunniBusch commented 2 years ago

It’s very stupid saying that everyone can see your private information. Because all people who want to see my certificate can make a photo of it when they say they will check it. And when you lose your phone you can disable it with find my.

nikolaykasyanov commented 2 years ago

I wonder if official support for vaccination cards released in iOS 15.1 is going to change the stance on this feature request.

Ein-Tim commented 2 years ago

@nikolaykasyanov

Please see my comment above: https://github.com/corona-warn-app/cwa-app-ios/issues/2965#issuecomment-925176909

Ein-Tim commented 2 years ago

If you search for an official way to add your certificates to the Apple Wallet, I recommend https://github.com/GreenPassApp (Link to the App Store). It's an official app from the Austrian Red Cross.

benzman81 commented 2 years ago

@Ein-Tim that was an awesome hint! The CWA could do it the same way as GreenPassApp asks you if you really want to add the pass to your wallet because it needs to be sent to their server. This way the user can decide on its own.

GunniBusch commented 2 years ago

Isn’t there someone who can publish a modified version of the cwa with the wallet feature implemented to show the dev team a solution?

ujay68 commented 2 years ago

Looks like this can be easily done even with a web app:

https://covidpass.marvinsextro.de/de-DE

Disclaimer: I have no affiliation with the operator of that site and I cannot verify whether it's secure and trustworthy.

Also possible via the TK App of the "Techniker Krankenkasse" health insurer:

https://www.tk.de/techniker/leistungen-und-mitgliedschaft/online-services-versicherte/tk-app-2027886

danyowdee commented 2 years ago

What is the process to get this feature reconsidered? The attack vector of “someone unauthorised can access the certificate” is, as others have pointed out, not a real one:

  1. What information can be extracted?
  2. How can this information be used against the victim?
  3. What does the attacker need to achieve in order to carry out the attack?
  4. What are the risks involved with the suggested solution?
  5. What are the risks involved with a comparable attack scenario when the proposed solution is not implemented?

Question 1: The certificate encodes full name, date of birth, date(s) and make(s) of vaccine or date(s) when infection(s) was/were diagnosed, as well as the issuing authority. The certificate does not include information about the nationality/nationalities, place of birth, place(s) of residence or other personally identifying information.

Question 2:

Question 3: In order to carry out the attack, the attacker has to come into physical possession of the (potentially unattended) device of the victim. They have to invoke Wallet (double tap on home or sleep/wake button), select the pass added by CWA, and scan/take a photo of the QR code.

Question 4: The suggested solution of giving the user the option to add a vaccination certificate to Wallet allows an attacker with physical access to the victim's device to capture the information detailed under 1. If the device is left unattended, this can happen without the victim noticing the attack.

Question 5: Except for the chance of capturing the extractable data without the victim noticing the attack when the device is left unattended, all negative outcomes already exist today, without implementing the proposed solution. In addition, though, forcing users to unlock their devices in order to access the certificate QR code has risks of its own:

I think the last point makes an immensely strong case, that not implementing the proposed solution of opt-in support for adding a vaccination certificate to Apple Wallet actually creates a larger attack surface, with more severe consequences for the attack victim, than not doing so. Further, with the feature being opt-in, every user can do their own risk assessment, and come to a conclusion on whether or not this risk is worth the benefits on their own.

Gernot commented 2 years ago

I have the strong impression that we blow hypothetical risk scenarios way out of proportion here. We can have a look at existing implementations that have Wallet integration for the very same passes (GreenPass App, TK app, various web services) and see that those things are not an issue.

The functionality is optional (and can't be non-optional, in iOS a pass can only be added to the wallet with user consent) and the users have additional full system control over the wallet being accessible in the locked state. However they have the true benefits of not having to unlock their phone for their passes (that is a security plus in my book…). And in case they have a watch they sync passes with, that makes a good backup in case the phone runs out of battery. With the added importance of the pass these days, this is a huge plus.

With other apps already having wallet integration with, to my knowledge, none of the issues considered here, it is hard to explain why the CWA doesn't do this. I am strongly for reopening the issue.

GunniBusch commented 2 years ago

If I had time, I would open an Online Partition for CWA implementing apple wallet, but I don't :-(

treysis commented 2 years ago

What's the privacy concern anyways? If I lose the printed paper, everyone can see all my data just fine and I don't even have the option to remotely delete it.

BernhardBln commented 2 years ago

By the way, there are already services that allow you to import your certificate into your wallet, and yes, it is accessible from the Lock Screen without unlocking the phone (tried it myself).

And yes, I would prefer if this was possible right from the covid app, not only for vaccination certs but also for test results that got imported into the app :)

https://www.heise.de/ratgeber/Tipp-Corona-Impfausweis-im-Apple-Wallet-auf-iPhone-hinterlegen-6283647.html

Update: Didn‘t see the previous comments that mentioned this already, but still want to point out it would be nice to have this feature also for tests

abrenner94 commented 2 years ago

@dsarkar So is there a plan to implement this feature?

dsarkar commented 2 years ago

@abrenner94 Currently there is plan to implement this feature.

EDIT: So sorry, typo:

Currently there is NO plan to implement this feature. It had been declined in the past due to privacy concerns. However, it might be reevaluated at some point.

Ein-Tim commented 2 years ago

@dsarkar

There is plan to implement this feature OR there is no plan to implement this feature?

If this will be implemented, please reopen this issue.

GunniBusch commented 2 years ago

What privacy concern? It’s absolutely safe, some people have the QR code on a piece of plastic in their pocket. And other countries are implementing this, you don’t implement this, because you are too lazy I bet, and the money the government spent is not enough for you.

dsarkar commented 2 years ago

Dear @GamerHD007,

Thanks for your comment. In general, the decision which features are implemented lies not in the competence of the development team, but other stakeholders, which involve several governmental entities.

ezadoo commented 2 years ago

Then this topic should be discussed again with the different stakeholders and governmental entities. Because if a PDF-Export is no privacy-concern with a displayed warning, then the same should be applied to the Wallet too.

@dsarkar Was the topic discussed and declined as Wallet Integration in general or only regarding the vaccination certificate? As it becomes again more relevant to have a covid-test, and a test result contains less private (health) data, would it be necessary/useful to create a different issue for the Wallet Integration for covid-tests, so this Test topic could be discussed officially?

treysis commented 2 years ago

It's the hobbyist lawyers of the RKI again.

danyowdee commented 2 years ago

In general, the decision which features are implemented lies not in the competence of the development team, but other stakeholders, which involve several governmental entities.

@dsarkar can you please let us know whom we need to petition in order to get the decision not to implement this functionality re-evaluated?

I have outlined above, how the lack of this functionality actually puts users of “Corona Warn App” at risk, and I’m happily volunteering to elaborate and discuss this point directly with the stakeholders in opposition to adding the functionality.

GunniBusch commented 2 years ago

I think the responsible person is from the RKI. The contact page is here: https://www.rki.de/DE/Service/Kontakt/kontakt_node.html;jsessionid=6632B869771DA5B1EE1C1582E80F008D.internet081

But in my opinion, it would also help if we would at least get an Apple Watch app, because it would comply with the „very good“ privacy understanding of the RKI.

boecko commented 2 years ago

@Gernot

I have the strong impression that we blow hypothetical risk scenarios way out of proportion here. We can have a look at existing implementations that have Wallet integration for the very same passes (GreenPass App, TK app, various web services) and see that those things are not an issue.

You nailed it! There is a German phrase for it. "Der Markt regelt"

Your comment applies to the CovPassCheck-App, too.

Just look at this issue

kevin-kraus commented 2 years ago

This issue is once again a prime example of why digital progress in Germany takes forever or doesn't happen at all. Germany destroys its own progress far too often with nonsensical data protection rules.

treysis commented 2 years ago

@kevin-kraus Not exactly. There are scenarios where data protection is good and can be well integrated and regarded. But people still "protest" against them. This here, however, is indeed over exaggerated. The problem is: if it goes to court, there are only two outcomes: right or wrong. So the risk is quite always quite high.

ezadoo commented 2 years ago

@treysis But where's the data protection issue with the potential Wallet integration?

As it wouldn't be mandatory and the user would have to decide proactively to use this feature, if a similar notice as seen with the pdf export is shown.

So data protection seems to be used simply as "killer argument".

Ein-Tim commented 2 years ago

Theoretically the argument that Wallet passes are by default synced via iCloud could be used, however, if I store the exported PDF in the iCloud the app can't do anything against it.

So besides "The certificate would be available on the lockscreen thus other people with physical access to your device could scan the certificate's QR code and steal your certificate", I don't see other good arguments against this feature.

BernhardBln commented 2 years ago

But everyone else (in a shop or restaurant) scanning the certificate could do the same, which is why the certificate doesn‘t say much without checking the ID card…

ezadoo commented 2 years ago

@Ein-Tim Yes. And the access from lockscreen without password can also be deactivated, if you disable the double-click in the settings.

Ein-Tim commented 2 years ago

Good News everyone!

iOS 15.4 Beta 1 added support for EU digital Covid Certificates in the wallet app. See iOS & iPadOS 15.4 Beta Release Notes:

Verifiable health records now support adding vaccination records in the EU Digital COVID Certificate (EU DCC) format to the Wallet and Health apps. (79917344)

h/t @achisto

FYI @dsarkar, I suggest you transfer this info to the internal ticket.

kevin-kraus commented 2 years ago

Good News everyone!

iOS 15.4 Beta 1 added support for EU digital Covid Certificates in the wallet app. See iOS & iPadOS 15.4 Beta Release Notes:

Verifiable health records now support adding vaccination records in the EU Digital COVID Certificate (EU DCC) format to the Wallet and Health apps. (79917344)

h/t @achisto

FYI @dsarkar, I suggest you transfer this info to the internal ticket.

Awesome! Thanks for the info!

idoodler commented 2 years ago

Good News everyone!

iOS 15.4 Beta 1 added support for EU digital Covid Certificates in the wallet app. See iOS & iPadOS 15.4 Beta Release Notes:

Verifiable health records now support adding vaccination records in the EU Digital COVID Certificate (EU DCC) format to the Wallet and Health apps. (79917344)

h/t @achisto

FYI @dsarkar, I suggest you transfer this info to the internal ticket.

Just before everyone updates to iOS 15.4 Beta 1:

You can't add them to your Wallet app right now as only verified records can be added and the verification isn't working right now.

iMonZ commented 2 years ago

Good News everyone! iOS 15.4 Beta 1 added support for EU digital Covid Certificates in the wallet app. See iOS & iPadOS 15.4 Beta Release Notes:

Verifiable health records now support adding vaccination records in the EU Digital COVID Certificate (EU DCC) format to the Wallet and Health apps. (79917344)

h/t @achisto FYI @dsarkar, I suggest you transfer this info to the internal ticket.

Just before everyone updates to iOS 15.4 Beta 1:

You can't add them to your Wallet app right now as only verified records can be added and the verification isn't working right now.

Let's try to fix them, dear cwa team!

But actually, what do they mean with verified? If Apple uses the same servers as cwa (RKI) then a scan of the QR code should be enough for verifying, right?

Someone has a documentation to this topic?