[Android] Anonymisation of the Shared Data Seems to Be Random

RalicaY commented 3 years ago

Describe the bug

Anonymisation of the shared data seems to be random: certain personal data is sent anonymised although no option for anonymisation is set. Whether the data gets sent anonymised or not is currently depending on the certificate's type and the debug level which has been set. Yet, here as well, there is no uniform approach.

Technical details

Android Verifier 1.2.0-RC-1

MykhailoNester commented 3 years ago

When debug mode ON in settings default level of anonymization selected - Level 1 - normal capture You can switch to level 2/3. But when generate zip file from one certificate two times it should generate same result.

MykhailoNester commented 3 years ago

Preconditions: select:

Debug mode ON in settings
Level 1 - normal capture
select country: de, ua.
Validate with: Ukraine

device-2021-09-28-122941

STR for vaccination Level 1.: Scan this QR code with date in future.

Share zip file: JSON structure of payload.json should be:

{
   "dateOfBirth":"1990-99-99",
   "person":{
      "familyName":"Xxxxxx",
      "givenName":"Xxxxxxxx",
      "standardisedFamilyName":"XXXXXX",
      "standardisedGivenName":"XXXXXXXX"
   },
   "recoveryStatements":null,
   "tests":null,
   "vaccinations":[
      {
         "certificateIdentifier":"URN:UVCI:V1:DE:XXXXXXXXXXXXXXXXXXXXXXXXXX",
         "certificateIssuer":"UK",
         "countryOfVaccination":"UA",
         "dateOfVaccination":"2021-10-27",
         "disease":"COVID_19",
         "doseNumber":1,
         "manufacturer":"ORG-100031184",
         "medicinalProduct":"EU/1/20/1507",
         "totalSeriesOfDoses":2,
         "vaccine":"J07BX03"
      }
   ],
   "fullName":"Xxxxxxxx Xxxxxx"
}

For level 2 - traceable capture:

{
   "dateOfBirth":"1990-99-99",
   "person":{
      "familyName":"Xxxxxx",
      "givenName":"Xxxxxxxx",
      "standardisedFamilyName":"XXXXXX",
      "standardisedGivenName":"XXXXXXXX"
   },
   "recoveryStatements":null,
   "tests":null,
   "vaccinations":[
      {
         "certificateIdentifier":"URN:UVCI:V1:DE:D0B1Q4VXDPGUVIWHA99FGY34OC",
         "certificateIssuer":"UK",
         "countryOfVaccination":"UA",
         "dateOfVaccination":"2021-10-27",
         "disease":"COVID_19",
         "doseNumber":1,
         "manufacturer":"ORG-100031184",
         "medicinalProduct":"EU/1/20/1507",
         "totalSeriesOfDoses":2,
         "vaccine":"J07BX03"
      }
   ],
   "fullName":"Xxxxxxxx Xxxxxx"
}

Level 3 - full take:

{
   "dateOfBirth":"1990-01-01",
   "person":{
      "familyName":"Nester",
      "givenName":"Mykhailo",
      "standardisedFamilyName":"NESTER",
      "standardisedGivenName":"MYKHAILO"
   },
   "recoveryStatements":null,
   "tests":null,
   "vaccinations":[
      {
         "certificateIdentifier":"URN:UVCI:V1:DE:D0B1Q4VXDPGUVIWHA99FGY34OC",
         "certificateIssuer":"UK",
         "countryOfVaccination":"UA",
         "dateOfVaccination":"2021-10-27",
         "disease":"COVID_19",
         "doseNumber":1,
         "manufacturer":"ORG-100031184",
         "medicinalProduct":"EU/1/20/1507",
         "totalSeriesOfDoses":2,
         "vaccine":"J07BX03"
      }
   ],
   "fullName":"Mykhailo Nester"
}

MykhailoNester commented 3 years ago

QR test:

Level 1:

{
   "dateOfBirth":"1990-99-99",
   "person":{
      "familyName":"Xxxxxx",
      "givenName":"Xxxxxxxx",
      "standardisedFamilyName":"XXXXXX",
      "standardisedGivenName":"XXXXXXXX"
   },
   "recoveryStatements":null,
   "tests":[
      {
         "certificateIdentifier":"URN:UVCI:V1:DE:XXXXXXXXXXXXXXXXXXXXXXXXXX",
         "certificateIssuer":"UK",
         "countryOfVaccination":"UA",
         "dateTimeOfCollection":"2021-10-01T99!99!99X",
         "dateTimeOfTestResult":null,
         "disease":"COVID_19",
         "resultType":"NOT_DETECTED",
         "testName":"NAA test",
         "testNameAndManufacturer":null,
         "testResult":"260415000",
         "testingCentre":"Centre",
         "typeOfTest":"NUCLEIC_ACID_AMPLIFICATION_WITH_PROBE_DETECTION"
      }
   ],
   "vaccinations":null,
   "fullName":"Xxxxxxxx Xxxxxx"
}

Level 2:

{
   "dateOfBirth":"1990-99-99",
   "person":{
      "familyName":"Xxxxxx",
      "givenName":"Xxxxxxxx",
      "standardisedFamilyName":"XXXXXX",
      "standardisedGivenName":"XXXXXXXX"
   },
   "recoveryStatements":null,
   "tests":[
      {
         "certificateIdentifier":"URN:UVCI:V1:DE:4WXYMGWTJMR6M08RJ18RMHF42Y",
         "certificateIssuer":"UK",
         "countryOfVaccination":"UA",
         "dateTimeOfCollection":"2021-10-01T21:00:00Z",
         "dateTimeOfTestResult":null,
         "disease":"COVID_19",
         "resultType":"NOT_DETECTED",
         "testName":"NAA test",
         "testNameAndManufacturer":null,
         "testResult":"260415000",
         "testingCentre":"Centre",
         "typeOfTest":"NUCLEIC_ACID_AMPLIFICATION_WITH_PROBE_DETECTION"
      }
   ],
   "vaccinations":null,
   "fullName":"Xxxxxxxx Xxxxxx"
}

Level 3:

{
   "dateOfBirth":"1990-01-01",
   "person":{
      "familyName":"Nester",
      "givenName":"Mykhailo",
      "standardisedFamilyName":"NESTER",
      "standardisedGivenName":"MYKHAILO"
   },
   "recoveryStatements":null,
   "tests":[
      {
         "certificateIdentifier":"URN:UVCI:V1:DE:4WXYMGWTJMR6M08RJ18RMHF42Y",
         "certificateIssuer":"UK",
         "countryOfVaccination":"UA",
         "dateTimeOfCollection":"2021-10-01T21:00:00Z",
         "dateTimeOfTestResult":null,
         "disease":"COVID_19",
         "resultType":"NOT_DETECTED",
         "testName":"NAA test",
         "testNameAndManufacturer":null,
         "testResult":"260415000",
         "testingCentre":"Centre",
         "typeOfTest":"NUCLEIC_ACID_AMPLIFICATION_WITH_PROBE_DETECTION"
      }
   ],
   "vaccinations":null,
   "fullName":"Mykhailo Nester"
}

ltranvan commented 3 years ago

After discussion with Steffen S. (Author of the SPEC-document) and Hendrik (development) following resolution:

Anonymization option is coupled to the debug mode option. (means there is no extra option for anoynmization).
Anonymization is only used for personal data in the shared files only for debug level 1 and level 2. -So in case that the software is implemented correctly as described above, it is then correct and the ticket can be closed.

RalicaY commented 3 years ago

Successfully retested, Verifier App 1.2.4-acc (28) Galaxy XCover 4, Android 9

eu-digital-green-certificates / dgca-verifier-app-android

[Android] Anonymisation of the Shared Data Seems to Be Random #223

Describe the bug

Technical details