isRooted Only check the test-keys , uperuser.apk and su but system can be rooted with many other way.

Like
TEST KEYS
DEV KEYS
NON RELEASE KEYS
DANGEROUS PROPS
PERMISSIVE SELINUX
SU EXISTS
SUPERUSER APK
SU BINARY
BUSYBOX BINARY
XPOSED
RESETPROP(EXPERIMENTAL)
WRONG PATH PERMITION
HOOKS

these are some key points

https://github.com/DimaKoz/meat-grinder

This uses some some native NDK methods to check so..

I can push this mechanisam as I've implemented this in my another app

Thanks n Regards:
Haneet Singh Chhabra

As a user If I had already registered and if I come back to application after a fresh installation. It shows option to register and not to login. This is confusing.

in line 60 and 61
database.execSQL("CREATE TABLE nearby_devices_info_table_backup " + "(id INTEGER NOT NULL, bluetooth_mac_address TEXT,distance INTEGER, lat TEXT,long TEXT,timestamp INTEGER, PRIMARY KEY(timestamp))");
there should be a check here that validates if the given lat long co-ordinates are valid lat-long cords also instead of just using TEXT datatype, wouldn't DECIMAL or POINT datatype should be used?

The last option in the ICMR approved labs appears to be 'Dadra And Nagar Haveli'. That option overlaps with the 'done' button in the footer section

With easing of lockdown Movement of people will increase so an navigation option should be added so that people can move from one location to another location
by safe (green) path (Contamination free or low risk) instead of people relying on Google Maps or for shortest route between two points

The current android room database present locally doesn't encrypt and store the information even locally which would be good security practice to do. This can be easily implemented with SQLCipher where the plaintext data like latitude, longitude, bluetooth_mac_address, timestamp are encrypted on the local device using a randomly generated symmetric key from the AndroidKeyStore for which this app already seems to contains support taking a look at the SecureUtils

Allow for an username or id system which can link multiple users to a single account and prevent confusion, for eg if a someone gets tested positive and uses multiple devices, does he get marked as +ve on all of them or just one, both can cause confusion as just marking a single entry will overlook the times user came in contact using the other device, and in the latter, single user might show up as 2 diff people who got tested +ve in stats...

After playing any video on the Media section, pressing the back button should open the Media home page but instead exits the app.

In case a person selects "Recently interacted or lived or currently live with someone who has tested positive for COVID-19" in the assessment section
The link in the subsequent bot for:
List of testing centers: https://icmr.nic.in/node/39071 lands the user on a URl which says Not Found.
In short, it returns 404 which should be fixed.

Instead of developing the App for two Platforms with two different codebases, you can have got in one codebase if you have used a framework like flutter. That would be much easier for developers to find a bug and that will be rectified with ease.

Anyone can easily change there location by using mock locations apps. Check if any other apps from the device is using in ACCESS_MOCK_LOCATION Permission.

The auto scrolling of stats of no of users, at risk and infected within a certain radius can be too fast for elders to read, also it causes unnecessary waste of time, it should paused when touching over it, allow manual scrolling or make it a normal larger list window which doesn't require scrolling...

Mechanism which suggest route people which avoid red zone or zone with more cases.
As lockdown is going to end soon, at least people avoid selecting a red zone path.

The reassess/reset button icon on the top right corner of the self-assessment page shows up as a green box with an X in it.
The logo needs to be fixed, as without a clear icon or caption it's purpose is ambiguous.

Device: Samsung M30S
One UI Core Version: 2.0
Android version: 10

Test cases are missing. Moreover we can convert the whole code to Kotlin.

Out of the blue, when I opened the app a couple of days ago, I received a toast stating "you have been logged out" and was taken to the splash/on-boarding screens. The scan service was running (persistent notification showing) unitl I opened the app. I had to go through the on-boarding and sign-up process again to resume the scan service. Another user of the app I know also experienced this "random" app logout. Unfortunately I do not have logs or a way to reproduce the issue.

The project misses a code of conduct. I have experienced name-calling in the first issue filed here.

I am suggesting to adapt a diverse participation friendly code of conduct like contributor covenant https://www.contributor-covenant.org/version/2/0/code_of_conduct/ and enforce the same to avoid such issues and to build a reporting mechanism.

There is no need to reinvent CoC, while widely accepted models like Contributor covenant existing

The gradle build of the project looks for a keystore.properties file, which is missing from the checked in codebase.

def keystorePropertiesFile = rootProject.file("keystore.properties")
def keystoreProperties = new Properties()
keystoreProperties.load(new FileInputStream(keystorePropertiesFile))

While the details are mentioned in the readme, please checkin a default file as is which needs to be configured by the developers running the build.

This release misses

1. Server code
2. Ios & Kaios apps
3. Cloud & Deploy functions.

This release does not help in transparency without 1 & 3

Don't see a reason why they're not allowed, can be useful in informing friends and family members about the stats in our area...

In order to prevent users from faking the green badge, It is essential to provide Bluetooth uptime % on home screen to ensure the risk status is not false positive. Organizations permitting entry based on green status can make an informed decision.

The application is vulnerable to location spoofers which let them allow to enable mocklocation and use any third party app and the major problem are the handset with root access which can manupulate the application location by systemizing the spoofing apps

Hi,

Thanks all for the nice app. Would like to contribute to the community.
It would be nice if we can show daily trends of death, recovery or new cases in % wise.

1. Does any API available for that?

To reproduce:

1.Click blue assist button from homepage
2.Check the button at the right corner without refresh icon.

Does this app comply with Meity released protocol? https://meity.gov.in/writereaddata/files/Aarogya_Setu_data_access_knowledge_Protocol.pdf

If yes from which versions?

The option to choose the name of a State or UT in the search section of ICMR approved labs doesn't populate the searched UT or State.
For instance, I tried searching Ladakh & still landed on Uttar Pradesh which is my home state by default.

Steps to reproduce:

1. Go to Useful Resources Section & Click on ICMR Approved Labs
2. Click on the CTA (Uttar Pradesh) in my case.
3. Enter the keyword 'Ladakh'
4. Nothing will be displayed about the search

There is not even an error on the page. A user can search for any name, it will only show the default state present unless the user explicitly selects a particular state or UT.

Android Build Version : 1.1.3

it's change Bluetooth name and doesn't allow other devices to connect them or causes trouble connecting with them.

In case the user turns of the bluetooth of cellphone. On launching the app, there is a modal to turn on the bluetooth. When a user clicks on the modal, another prompt appears on the screen which says, "Allow Aarogya Setu to enable Bluetooth?"

This little dialog box appears for approximately 3 seconds and vanishes & relaunches again.

Device details:
Huawei P20 Lite
Android Version 9
Resolution: 2280 * 1080

Since unless you implement the server yourself, which you can't (yet), there's virtually no way to compile the app. even if you somehow add all the properties, you'll have to manually "disable" each crash or bad api response.

basically, is it possible to compile a demo version of the app, without actual api calls (since no server side code has been released (yet) ).
even a fake api inbuilt into the app would work, because implementing the server by yourself is a tough thing to do

There are few minor cosmetic display issues when we choose language as Kannada:

1. When the assessment is taken and it is low risk, the "ok" button and auto-reply "ok" text are in english whereas all the questions and auto-answers before it appear in Kannada.
2. The button text in Kannada on the app home page for "call helpline" and "assess again" buttons is displayed out of the button layout border.

Empty catch block in CoronaApplication.java LineNo76

Once the assessment is finished by answering all the questions w.r.t low risk, the advisory message for low risk is displayed along with ok button under it. After we click the ok button under the message, there is one text message displayed with ok text and it seems to be redundant, we can exit the assessment window instead once the ok button is pressed.

CVE-2020-0022, affects devices running Android Oreo (8.0 and 8.1) and Pie (9.0) and can allow remote code execution over Bluetooth with no additional execution privileges needed without any user interaction. More here https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0022

Considering a major number of these devices in India may not have received Feb 2020 security update, it is better to give a warning pointing the risks before switching on Bluetooth 24/7.

Moshi is a modern, high performance and recommend serialisation library for kotlin and java by Square developers. Gson has some limitations and existing bugs which Moshi overcomes. If it's used in this codebase we can also reduce some amount of code.

After opening FAQs , back button should send you on main screen,

Once you hit back button of mobile, it closes your app,

Tested in Oneplus6

just a thought.

All proximity tracing applications take too many critical device permissions, and it should sunset from functioning after the covid19 crisis period.

A sunset policy is essential for all proximity tracing apps.

Since there isn't any method called to check whether mock location is enabled or not, hackers/miscreants can use any mock location app to hide their real location and report infection from this fake location.
Since the program does not have any checks for Temporary phone numbers ,
A user could register/login using a temporary phone number hide his location and report a fake covid infection case.
adding this simple permission check will prevent this

public static boolean isMockSettingsON(Context context) {
// returns true if mock location enabled, false if not enabled.
if (Settings.Secure.getString(context.getContentResolver(),
Settings.Secure.ALLOW_MOCK_LOCATION).equals("0"))
return false;
else
return true;
}

To support and run this app seamlessly on Android 10 or above there should be permission ACCESS_BACKGROUND_LOCATION. Because this permission is needed to be granted to access location in the background. Otherwise this application will not work on devices having Android 10 or above OS version. If it looks good to you then I'll be happy to work on it.

Please add a clear code of conduct for this repo.
People have a lot of devisive sentiments related to this app and it is very likely that this repo will be brigaded or the issues be used for insensitive comments.

Already I can see fights breaking out in GH Issues, with folks making personal attacks on each other.
To prevent this repo become a battlefield for politically motivated comments, a CoC is absolutely needed. See here for inspiration
https://help.github.com/en/github/building-a-strong-community/adding-a-code-of-conduct-to-your-project

For your reference, and to get the discussion started, I will add some great CoCs used by other OSS communities:

1. Rust-lang has a fantastic community with a good CoC that you can refer to https://github.com/rust-lang/rust/blob/master/CODE_OF_CONDUCT.md
2. Here is the one for Docker https://github.com/docker/code-of-conduct/blob/master/code-of-conduct-EN.md
3. Here's python's https://github.com/python/pycon-code-of-conduct/blob/master/code_of_conduct.md
4. Nodejs have separated their CoC into community guilines and Moderation policies. I really like their approach here https://github.com/nodejs/node/blob/master/CODE_OF_CONDUCT.md

You will need to have clear definitions of what infarctions are and how they will be handled.
Best of luck!

Also, separate out the discussion forum so that people who want to discuss items which are not issues/FRs, can do so without polluting the main repo. GH has discussion board built in.

PS. unrelated but just wanted to say that it is so amazing to have this app as an OSS project. Hats off to you guys.

Needless to add Gzip Interceptor .

F-Droid[1] is a community-maintained software repository for Android, similar to the Google Play store. Please distribute release and APK's via F-Droid as well.

This needs app to comply with Inclusion policy [2]

Quickstart Guide[3] have more info

[1] https://en.wikipedia.org/wiki/F-Droid
[2] https://f-droid.org/en/docs/Inclusion_Policy/
[3] https://f-droid.org/en/docs/Submitting_to_F-Droid_Quick_Start_Guide/

To reproduce :
Click the "?" button to the right side of the text "In your area within radius of"

This seems slightly hard to validate given the challenges in #16 Looking through the workflow of the code, the symmetric key encryption mode used for older Android devices is AES128 with ECB mode, as a sanity check:

1. Do not reuse the AES keys for multiple encryptions especially when in ECB mode. (This seems to be happening with initCipherForLessThanM() and generateKeysForAPILessThanM() being called for every encryption on API < M) which is used to locally encrypt the latitude and longitude fields with the key.
2. This however doesn't make it clear as to why there is an RSA keygen in generateKeysForAPILessThanM attempted every single time getCipher() is called especially when the RSA keypair isn't used in the encryption process at all, if it is, which public key is being used to encrypt this data? Is this the Aarogya Setu hosted public key?
3. Looking at the official android documentation, Android M (API level 23) from the build numbers list seems to support NoPadding based AES GCM from API level 10, if this is the case, why is the ECB mode continued to be used?

So this leads to the final question:

• Why is the encryption locally on older devices below Android M using AES 128 with ECB when it is insecure while GCM or CBC+MAC exists?
• Are there IV values which are changed for every symmetric encryption irrespective of initializing EncryptionUtil() or DecryptionUtil() since IV becomes the first block of the cipher text? It currently looks like this only happens once and the singleton instance with the same IV value continues to be used.

Please add binary releases corresponding to current production versions.
It will be good if release management can be done directly from this repo to play store https://github.com/codepath/android_guides/wiki/Automating-Publishing-to-the-Play-Store

Thanks for open-sourcing the Android App! A fantastic step towards openness and transparency. I would like to ask, will the iOS App be open-sourced in a similar fashion anytime soon? It will be another great step towards openness.

Thanks.

There was a comment about static code analyzers being unaware of dynamism of the app and the same will be addressed in a FAQ. Unable to locate the FAQ and reporting multiple CVEs as per MobSF .

Ideally, each of these issues must be verified / tracked separately. But looking for FAQ if any related to static code analysis that is missing in the release.

The auto scrolling data stats are not aligned properly to be seen, thus positioning themselves not in the middle but either in top or bottom of the readable space. Also, the space for the stats should be increased for better view and readability.

Device: Redmi 4
Android version: 7.1.2
MIUI version: MIUI global 11.0.2