ukhsa-collaboration / covid-19-app-android-ag-public

COVID19 Android app

Venue QRCodes are not deep-links #34

Closed moritonal closed 4 years ago

moritonal commented 4 years ago

Describe the bug

The QR doesn't direct users to install the App. This means that it doesn't piggyback on the years of effort to teach the general public that QR codes direct users to content. I've watched three people today try to scan the App with their camera, see it fail to link them anywhere and give up on the process.

When you scan the QR code with native camera app you get the following details:

image

As I understand it, the QR is a piece of text, with 3 payloads (split by the ":" character) with a JWT token encoded as Base64. What I'm recommending is that you place it within a URL which the App declares as a deep link and universal link.

To Reproduce

Steps to reproduce the behavior:

  1. Scan a QR code at a venue with your native camera
  2. Get confusing link

Expected behavior

What I expected is something like the following. This is a QR code that deep-links into Twitter. Twitter understands the query param and uses it, or provides a web version.

image

The NHS App would look something like this.

image

If the App is installed, then the user flow is as before, with the App activating to handle the URI deep-link from the native Camera app. If the app is not installed then the NHS App should redirect users to a webpage to download the app at this point for their platform.

I appreciate the user flow at this point might just be to continue and not go through the starting process, but at least we've guided the user into starting the install flow.


moritonal commented 4 years ago

I'll understand if the debate was that this was done because of the possibility for scammers to encourage people to install the wrong app, but I'd argue:

djcater commented 4 years ago

In your example, the venue check-in would be sent to the server as part of the URL if someone scanned it with their camera app, meaning it could be logged on the server side. Even using a fragment instead, the web server would still have the ability to read it with JavaScript. In the current model, the check-in process stays within the app and on the phone. I'm guessing that's by design for privacy reasons.
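An added example, not part of the thread and not the project's code: it parses the QR text as described in the issue (three ":"-separated parts, the last a JWT) and shows what reaches a web server when that text is wrapped in a URL query versus a fragment, the point raised in the comment above. The prefix, claim names, signature and the host `checkin.example` are constructed placeholders, and the JWT is assumed to be in the standard compact base64url form.

```python
import base64
import json
from urllib.parse import quote, urlsplit

def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def parse_venue_qr(text: str) -> dict:
    """Split the QR text on ':' into three parts and decode (not verify) the JWT."""
    parts = text.split(":")
    if len(parts) != 3:
        raise ValueError("expected three ':'-separated parts")
    prefix, version, token = parts
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("JWT needs header.payload.signature")
    return {"prefix": prefix, "version": version, "token": token,
            "header": json.loads(b64url_decode(segments[0])),
            "claims": json.loads(b64url_decode(segments[1]))}

def request_target(url: str) -> str:
    """Path and query an HTTP client sends on the request line; the fragment is never sent."""
    u = urlsplit(url)
    return (u.path or "/") + ("?" + u.query if u.query else "")

def _segment(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: prefix, claim names and signature are placeholders.
TOKEN = ".".join([_segment({"alg": "ES256", "typ": "JWT"}),
                  _segment({"id": "VENUE-0001", "name": "Example Cafe"}),
                  "c2lnbmF0dXJlLXBsYWNlaG9sZGVy"])
SAMPLE_QR = "EXAMPLEPREFIX:1:" + TOKEN
# Hypothetical deep-link host; the page names no URL.
QUERY_URL = "https://checkin.example/venue?payload=" + quote(SAMPLE_QR, safe="")
FRAGMENT_URL = "https://checkin.example/venue#" + quote(SAMPLE_QR, safe="")

if __name__ == "__main__":
    print("claims:", parse_venue_qr(SAMPLE_QR)["claims"])
    # Query form: the venue token is in the request line, so access logs can record it.
    print("query form    ->", request_target(QUERY_URL))
    # Fragment form: nothing is sent, but script on the page can still read location.hash.
    print("fragment form ->", request_target(FRAGMENT_URL))
    print("fragment held client-side:", urlsplit(FRAGMENT_URL).fragment[:24] + "...")
```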

moritonal commented 4 years ago

Thanks @djcater, so you're right, that's the downside. I am fairly sure that once an App registers to handle a URL then it intercepts requests to the server, meaning the case you described would happen once, but I'd also accept that's too much for some people. Although they could still download the App manually if they'd wished to?

teymour-aldridge commented 4 years ago

> In your example, the venue check-in would be sent to the server as part of the URL if someone scanned it with their camera app, meaning it could be logged on the server side. Even using a fragment instead, the web server would still have the ability to read it with JavaScript. In the current model, the check-in process stays within the app and on the phone. I'm guessing that's by design for privacy reasons.

It's not inconceivable to run a small web server which serves only a single page and doesn't store any logs.

nhs-covid19 commented 4 years ago

Thanks for your interest in the NHS Covid-19 project, and for your suggestion. The behaviour is as-designed. There are various security, privacy and user experience trade-offs that have all had to be balanced out, and some of these have been discussed here. Currently there are no plans to change this behaviour.