corona-warn-app / cwa-wishlist

Central repository to collect community feature requests and improvements. The CWA development ends on May 31, 2023. You still can warn other users until April 30, 2023. More information:
https://coronawarn.app/en/faq/#ramp_down
Apache License 2.0

Active time is easy to fake #88

Closed v1nc closed 3 years ago

v1nc commented 4 years ago

Describe the bug

The "active status" time is easy to fake.

Expected behaviour

The "active status" should be calculated with the real time, not with device time. It should not be possible to change "active status" behaviour by changing device time.

Steps to reproduce the issue

  1. Remove the app if installed
  2. Install it again
  3. Change device date to 2 weeks in the past before opening the app
  4. Open the app, activate Exposure Logging
  5. An API Error is displayed, close the app
  6. Change device date back to today
  7. Open the app
  8. Click on "Exposure Logging" details and close them 2-3 times until the errors are gone
  9. App now displays "14 of 14 days active" and behaves as usual

    Internal Tracking Id: EXPOSUREAPP-2107

jakobmoellerdev commented 4 years ago

This issue is closely related to https://github.com/corona-warn-app/cwa-app-android/issues/685

To sum things up: Currently, the decision is to rely on the automatic calculation of the date and time of the device and that manual tampering of this setting is not supported. This was done as we explicitly did not want to contact NTP servers directly for the first release.

This might change in the future, however, and it is currently not prioritised in the backlog. The fact that you are seeing API errors is due to the key timestamps. Faking the date will not actually result in you being able to fake out a submission. The only thing that could happen is that you retrieve key packages that are within different time constraints, up to a maximum of 14 days that are available on the server. As most people have no use and/or benefit from changing the date/time detection on their device, this issue is not critical at the moment in our opinion and a "fake" has no impact on the EN system, just for your device.
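
An added illustration, not part of the original thread and not CWA's code: the repro steps above replayed against a day counter that trusts the device clock, next to one that stores a timestamp only when the device clock agrees with the `Date` header of a server response. The two-hour tolerance, all function and class names, and the sample dates are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_SKEW = timedelta(hours=2)   # assumed tolerance, not a value taken from CWA
WINDOW_DAYS = 14                # the "14 of 14 days active" window from the report


def naive_active_days(activated_at, device_now):
    """Days active computed purely from device-clock timestamps."""
    return min(max((device_now - activated_at).days, 0), WINDOW_DAYS)


def device_time_ok(device_now, http_date_header):
    """Compare the device clock with the Date header of a server response."""
    server_now = parsedate_to_datetime(http_date_header)
    return abs(device_now - server_now) <= MAX_SKEW


class ActiveTracker:
    """Stores the activation time only if the device clock matches the server."""

    def __init__(self):
        self.activated_at = None

    def activate(self, device_now, http_date_header):
        if not device_time_ok(device_now, http_date_header):
            return False        # do not persist a timestamp from a skewed clock
        self.activated_at = device_now
        return True

    def active_days(self, device_now, http_date_header):
        if self.activated_at is None or not device_time_ok(device_now, http_date_header):
            return None         # unknown: surface an error instead of a number
        return naive_active_days(self.activated_at, device_now)


def replay_repro():
    """Replay the reported steps with constructed sample dates."""
    real_now = datetime(2020, 7, 1, 12, 0, tzinfo=timezone.utc)
    server_date = "Wed, 01 Jul 2020 12:00:00 GMT"   # constructed header value
    faked_clock = real_now - timedelta(days=14)      # step 3: date set back
    naive = naive_active_days(faked_clock, real_now) # steps 4-9, device time only
    tracker = ActiveTracker()
    accepted = tracker.activate(faked_clock, server_date)
    checked = tracker.active_days(real_now, server_date)
    return naive, accepted, checked
```

The check only works while a server response is available; offline, the counter has to report "unknown" rather than fall back to the device clock.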

jakobmoellerdev commented 4 years ago

As we do not see an impact when "faking" time, I will change this issue to an enhancement.

tkowark commented 4 years ago

We will also move this issue to the wishlist repository to open up discussion about this enhancement to a broader community.

dsarkar commented 3 years ago

Hi @v1nc,

Thanks for contributing here. The app now shows days installed instead of days active, therefore this issue is obsolete now. We suggest closing this issue.

Best wishes, DS


Corona-Warn-App Open Source Team

Ein-Tim commented 3 years ago

@dsarkar

It's still possible to just set the time to the future and the "days since installation" are wrong (e.g. faked). But, if the device time is wrong, the app shows an error and if there wasn't a risk calculation in the last 4 hours (connected to Wifi) or in the last 24 (connected to cellular) the app shows "Risiko-Überprüfung fehlgeschlagen."

dsarkar commented 3 years ago

@Ein-Tim Thanks. So, if not only wrong time, but also wrong date was detected, faking would not be possible, agreed?

Ein-Tim commented 3 years ago

@dsarkar Yes, agreed. Tested under iOS 14.5.1 on an iPhone 6s.

dsarkar commented 3 years ago

@Ein-Tim Actually, on iPhone 6s, 14.1, changing date only but not time, I still get "Risiko-Überprüfung fehlgeschlagen". Initially it is possible to change date and it shows more days installed, but then it gives the error "Risiko-Überprüfung fehlgeschlagen". So, my understanding is that at least for iOS this becomes obsolete. What do you think? I will check behaviour on Android. Thanks.

Ein-Tim commented 3 years ago

> Initially it is possible to change date and it shows more days installed, but then it gives the error "Risiko-Überprüfung fehlgeschlagen"

Yes correct, this is also what I have been experiencing.

> So, my understanding is that at least for iOS this becomes obsolete. What do you think?

Yes, I agree that this seems to be "fixed" under iOS because of the "wrong time/date" notification which leads to "Risiko-Überprüfung fehlgeschlagen".

dsarkar commented 3 years ago

@Ein-Tim Thanks for the feedback

MikeMcC399 commented 3 years ago

@dsarkar

> Thanks for contributing here. The app now shows days installed instead of days active, therefore this issue is obsolete now. We suggest closing this issue.

I agree that the issue should be closed. The repro steps no longer produce the result they previously did because of functional changes in the app. The app could have been installed for more than 14 days (in which case it shows no date installed) and during this time exposure logging could have been deactivated all the time. In other words it could have been installed all the time, but was dormant.

Also there would be no benefit to faking the number of days installed. The use of the app is voluntary and these days all benefits are dependent on negative test status, vaccination status or recovery status. Nobody I know is asking to see how long somebody has had CWA installed since there are no significant conclusions that can be drawn from this information.

dsarkar commented 3 years ago

@v1nc @Ein-Tim @MikeMcC399 Thanks to everybody for contributing!


Corona-Warn-App Open Source Team