Closed Ein-Tim closed 1 year ago
@Ein-Tim
You can check the current strings in Android on https://github.com/corona-warn-app/cwa-app-android/blob/release/3.0.x/Corona-Warn-App/src/main/res/values/srs_submission_strings.xml which include such an error message (srs_error_time_since_onboarding_unverified
).
I see you also asked a related question in https://github.com/corona-warn-app/cwa-server/pull/1949#issuecomment-1344450699.
@MikeMcC399
Thank you for the reference! So yes, there is such a check implemented, that's very good. However, it includes a variable for how long the app actually needs to be installed. Do you have an idea where I could find this variable? Maybe it's also kept secret for security reasons?
@Ein-Tim
Do you have an idea where I could find this variable?
You will need to read the code to find out how this message is used.
@MikeMcC399
I'll dig into it later, thanks!
I'll still leave this issue open should I be unsuccessful finding the value.
As I'm more familiar with iOS, I dug into the iOS code and found this file: https://github.com/corona-warn-app/cwa-app-ios/blob/release/3.0.x/src/xcode/ENA/ENA/Source/Services/PPAccessControl/Model/SRSPreconditionError.swift
It includes the line:
case insufficientAppUsageTime
Which is commented with this comment:
/// Precondition: the app was installed less than 48h
Conclusion: The app needs to be installed more than 2 days (48h) ago, so that a warning can be issued. I think this period of time is too short and should be extended to e.g. 5 days. I will open a new issue regarding this.
@Ein-Tim
The app needs to be installed more than 2 days (48h) ago, so that a warning can be issued. I think this period of time is too short and should be extended to e.g. 5 days.
Why do you think that 48 hours is too short considering the message?
For security reasons, you cannot send this type of warning until %d after you install or update the app. Please try again in %d hours.
@MikeMcC399
I don't think 48h are sufficient to protect against abuse. As I said, I'll open a new issue soon.
@Ein-Tim
I'm missing the data to support your opinion. You might like to take a look at the DSFA starting on page 191, 9. Risikoanalyse where you could find some helpful categorisations to frame your suggestion. Perhaps if there is a draft of the DSFA written for CWA 3.0 we could know how the 48 hours were decided, but realistically the DSFAs have been published only after the release and then delayed by several months, so probably that will not help.
@MikeMcC399
Don't get me wrong, there is no data supporting my opinion. But just judging from my gut feeling, after talking to many & reading many comments on Twitter under the BMG post, I have the feeling that there will be quite some trolls trying to abuse this feature. And, in my opinion, a wait time from two days will be acceptable for many of these people, if they can then troll others with red warnings. For sure, two days is better than nothing, but I still think that setting the bar higher, e.g. to 5 days, will filter out more trolls.
Also, I'd strongly suggest to NOT show the time until you can issue a warning in the app to not "feed the trolls" with helpful information reg. how long they will have to keep using the app. The message should just be that you haven't installed the app for a long enough period of time and that you should re-try it later.
I will also open a follow-up issue for this. In general, it's quite hard here to find the balance between justified interested of the normal user and reducing trolling attacks.
Internal Tracking ID: EXPOSUREAPP-14519 Internal Tracking ID: EXPOSUREAPP-14520
Your Question
Internal Tracking ID: EXPOSUREAPP-14519 Internal Tracking ID: EXPOSUREAPP-14520