I'm not sure if this is the right place to post this but here goes...

Use Case Scenario:

• Child breaks own phone playing football in the garden.
• Parent can't afford to replace their phone until payday so lends their own phone to their child for a few hours a day until then.
• Parent receives a message indicating they have been in close contact with someone who is now presenting Covid-19 symptoms

Q. Is it possible to determine who (parent or child) the message is intended for?

Q. Can shared access be detected?

Describe the bug
When phone is on battery saver mode and the screen turns off, the app notifies the user. Turning the screen on dismisses the notification (before you are able to read it). I assume it is a notification to tell me to turn on location or bluetooth.

To Reproduce
Steps to reproduce the behaviour:

1. Turn on battery saver.
2. Turn off the screen.
3. Device notifies almost immediately.
4. Turning on the screen you can very briefly see the notification as it is dismissed.

I also believe the app is also notifying periodically with the screen off. But I cannot see the notification fast enough to confirm it.

Expected behaviour
The application shouldn't notify me every time I turn the phone display off. If there is an issue with tracing when in battery saver it should notify me when I turn the feature on.

Smartphone (please complete the following information):

• Device: Pixel 3 XL
• OS: Android
• Version: 10
• Security Update: April 5, 2020

Describe the bug

See https://github.com/nhsx/COVID-19-app-Android-BETA/blob/43a167f8dba422fd9001b64f9c4fd82275abb1c8/app/src/main/java/uk/nhs/nhsx/sonar/android/app/util/BrowserUtils.kt:

const val URL_INFO = "http://covid19.nhs.uk/"

Expected behaviour
Ideally, all calls to openUrl() should be for https:// accessible resources.

Describe the bug
Many people in the UK get mobile phones from their work place.
Employees with company provided android phones may have their device setup with Android Enterprise features enabled that may include global proxies, vpns, custom root certificates installed and enhanced monitoring of applications and activity of the device.

This list might help understand some of the features: https://developers.google.com/android/work/requirements

Which raises a few issues:

• Should employers forbid this application on corporate devices?
• Should employers distribute this application on corporate devices (user's may not have install privileges)?
• How does this affect the privacy promises of the application to users?
• Are there any code changes that the application can take to protect privacy on these company provided devices?

Expected behaviour
Users and employers are at least provided guidance on this topic and understand the risks (if any).
Given the privacy goals of the application, efforts should be made to minimise the privacy risks here; although to what extent that is possible may depend on how intrusive the Android Enterprise features are at intercepting network traffic, recording application behaviour and accessing device storage.

I presume that this app needs to be able to use mobile data in the background to support people using phones while away from Wi-Fi. If so it maybe worth asking the user to allow this while in Data Saver mode too.

While trying to run the tests on my device, I recieve an java.lang.NullPointerException: Attempt to invoke virtual method 'void androidx.test.uiautomator.UiObject2.click()' on a null object reference during the testEnableBluetooth test.

From reading through the test and the traceback, I believe it is due to the test looking for a button text of "Allow" or "ALLOW" in order to allow permissions; however my device appears to show a prompt of YES and NO (for Allow and Deny respectively).
This presumably could also apply to other devices with other prompt designs for permissions.

Describe the bug
As far as I know, there is a limitation on iOS that it only sends limited information when the iOS device is in the background. How can the Android app track the iOS device in the background when there is no unique identifier which identifies the user?

Describe the bug
So according to the epidemiologists that we have been working with on OpenTrace you want to scan every 5 minutes. The only way to do that on Android is to use AlarmManager and cheat by having your onRecieve method schedule another alarm. You aren't doing that, and thus your app is subject to getting dozed by the operating system.

To Reproduce
Run this app long enough and it will stop scanning and broadcasting on some handsets under some manufacturer specific battery optimizations, etc.

Expected behaviour
There's really no reason an Android app should be limited. Our app scans every 10 seconds, runs for days, doesn't drain the battery.

Add any other context about the problem here.

You can see a proper implementation here in our project:

https://github.com/kunai-consulting/OpenTrace/blob/develop/android/app/src/main/java/ai/kun/socialdistancealarm/alarm/BLETrace.kt

The TCN project works the same way as our does.

Describe the bug
Not a bug as such, but a significant UX flaw.

All notifications are funnelled through createNotificationChannelReturningId() in NotificationHelper.kt, which uses a single NotificationChannel with default_notification_channel_id to show them.

https://github.com/nhsx/COVID-19-app-Android-BETA/blob/43a167f8dba422fd9001b64f9c4fd82275abb1c8/app/src/main/java/uk/nhs/nhsx/sonar/android/app/util/NotificationHelper.kt#L133

As the persistent notification is displayed at all times, it seems likely that some users will disable this. However, doing so will disable all notifications, including contact alerts.

To Reproduce
Steps to reproduce the behaviour:

1. Long press on the persistent notification to disable it.
2. Perform any activity that would normally display a notification e.g. disabling Bluetooth.
3. The notification is not displayed.

Expected behaviour
The Android guidelines are clear that different categories of notification should be assigned to separate channels. This means users can disable one type of notification but other types will continue to be displayed.

In the context of this app, it would probably make sense for the persistent notification to have its own separate channel. The Bluetooth and Location disabled notifications could share a channel as they behave in a similar fashion. Finally, the contact alerts should certainly be in a separate channel so it's as hard as possible for users to accidentally disable them.

It would also be worth adding an in-app prompt for users who have disabled the contact alerts, asking them to re-enable this notification.

According to the app's website, it says you need Android 8+ for the app to work but the minSdkVersion in the build.gradle file is set to 24 (Android 7) instead of 26 (Android 8).

Please provide meaningful code comments and KDOC.

Describe the bug

Multiple folks have reported issues with Australia's TraceTogether based app (COVIDSafe) interfering with apps that interface with continuous blood-glucose monitors (CGM) used to manage diabetes:

• https://twitter.com/DiabetesAus/status/1255671094800871426
• https://twitter.com/jim_mussared/status/1256501782148075520

NHSx's app also uses GATT, and switches the device between peripheral and central modes, so is likely to trigger the same issue.

This may vary based on device model, as not all Bluetooth controllers can run in both Bluetooth Classic and LE modes simultaneously.

While this is likely to be a bug in some medical device software, contact tracing software operating in GATT mode triggers this issue through its constant manipulation of the Bluetooth controller in the background.

NHSx should validate this behaviour before public release.

To Reproduce

1. Pair/bond a CGM to a phone via Bluetooth and install its app
2. Install NHSx COVID-19 app
3. Verify that the CGM app is operating correctly (eg: alerting on changes to blood-glucose levels in the background)
4. Repeat the test for multiple models of CGM
5. Repeat the test for multiple phone models
6. Repeat the test for other bluetooth medical devices (eg: pacemakers)

The source code here is "1.0.0", and was published 3 weeks ago. However the published binary is actively being updated, as recently as yesterday. Was the source a one time release and it's now proprietary? Or are you intending this to be open source, in which case can you release the source code, ideally with git history.

Describe the bug
This app is described / advertised as an app that does not track user's location, yet it asks for location permissions upon installation.

This will surely rouse (perhaps unnecessary) suspicion to the end user. Can this not be avoided?

It even goes so far as to say that the app may want to access the users location all the time in the background...

Note: I created this issue after reading issue #26, which described a different but related problem:

Describe the bug
So, like most thread safety issues this only shows up under load, but I suspect you are seeing strange Bluetooth error message at random times particularly on some handsets like older Samsungs.

To Reproduce
Load up an older Samsung S7 with Bluetooth requests

Expected behaviour
You shouldn't get errors, but you do.

Additional context
I've done lots of load testing and development on Android as part of projects with HP and Cisco, and I have my own BLE open source project. I suggest you adopt a Kotlin object and sync on it as you interact with the different Android Bluetooth APIs.

See https://github.com/kunai-consulting/OpenTrace/blob/develop/android/app/src/main/java/ai/kun/socialdistancealarm/alarm/BLETrace.kt as a reference.

Describe the bug
Blank notification after installing the app

To Reproduce
Steps to reproduce the behaviour:

1. Follow the app on boarding process
2. Notification appears
3. No text in notification

Expected behaviour
Text appears in the notification

Desktop (please complete the following information):
N/A

Smartphone (please complete the following information):

• Device: OnePlus 5
• OS: Android
• Version 10

Additional context
N/A

The Android App is not using a mask when scanning for iPhone background advertisements. iPhone background advertisement manufacturer data one-hot encodes UUIDs. If an iOS device has multiple background service advertisements, your Android App will fail to discover the iOS device. Instead you can use the partial manufacturer data filter to provide a mask for the manufacturer data when setting it to the scan filter. This should mask out only the bit that matches your UUID.
Manufacturer data:
01 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00
Correct mask to use:
00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00

Describe the bug
A clear and concise description of what the bug is.

Firstly, anyone reading this, please can you double check my interpretation of what the code is doing and ideally actual apps; as I have not run the app, only looked through code and could be wrong.

I noticed on the website that:

https://covid19.nhs.uk/privacy-and-data.html

The app will not be able to track your location and it cannot be used for monitoring whether people are self-isolating or for any law enforcement purposes.

The app cannot access your personal identity or any other information on your phone.

However, the application appears to capture, store locally and in some cases send to the backend the timestamp of BLE events to millisecond accuracy (storage, seconds for the web request?) which is likely shared in close proximity to the device that it connected to and is storing a similar event.

Millisecond accuracy is pretty granular and even second can be pretty revealing, especially in smaller communities.

Often the general public is not the list of suspects the police have for a crime; it is usually a far narrower list of suspects, so whilst timestamp pairs may be relatively anonymous for the rush hour commuters on the Central Line; they probably are less so for the set of people who were caught on CCTV entering a park in the evening where perhaps a mugging occurs.

So a few questions for this issue:

• Is my understanding wrong?
• If crimes happen should law enforcement be encouraged to use the timestamps (assuming any appropriate warrants are acquired) to match up victims event times with any suspected criminals event times and perhaps any other purposes they may have for correlating whether two people met or not.
• Can the docs or the app be updated to make it clear to law enforcement that this capability exists.

My read through the code:

• Current timestamp provider: https://github.com/nhsx/COVID-19-app-Android-BETA/blob/acfb01e3c40ac8f35cb85b55208e6efa3a10241d/app/src/main/java/uk/nhs/nhsx/sonar/android/app/ble/Scanner.kt#L38
• Generate timestamp using provider: https://github.com/nhsx/COVID-19-app-Android-BETA/blob/acfb01e3c40ac8f35cb85b55208e6efa3a10241d/app/src/main/java/uk/nhs/nhsx/sonar/android/app/ble/Scanner.kt#L190
• Timestamp proxied through: https://github.com/nhsx/COVID-19-app-Android-BETA/blob/acfb01e3c40ac8f35cb85b55208e6efa3a10241d/app/src/main/java/uk/nhs/nhsx/sonar/android/app/ble/Scanner.kt#L210
• Timestamp in millis: https://github.com/nhsx/COVID-19-app-Android-BETA/blob/acfb01e3c40ac8f35cb85b55208e6efa3a10241d/app/src/main/java/uk/nhs/nhsx/sonar/android/app/ble/SaveContactWorker.kt#L47
• Timestamp stored in JSON for web request to backend https://github.com/nhsx/COVID-19-app-Android-BETA/blob/acfb01e3c40ac8f35cb85b55208e6efa3a10241d/app/src/main/java/uk/nhs/nhsx/sonar/android/app/diagnose/review/CoLocationApi.kt#L62

To Reproduce
Trigger a BLE event and check storage and then trigger a web request (diagnosis exercise?) that would send the events centrally?

Expected behaviour
The documentation to be clear on this subject for law enforcement purposes.

Screenshots
Sorry only a code review.

Desktop (please complete the following information):
Git hash in the links for source code seen.

Smartphone (please complete the following information):
Android app; suspect Ios is similar.

Additional context
Add any other context about the problem here.

Problem: This app tracks your GPS location in the background.

Expected: App does not track your GPS location

Describe the bug
app/build.gradle has minifyEnabled set to false for release builds. Also no shrinkResources = true setting.

To Reproduce
Steps to reproduce the behaviour:

1. Build a release apk
2. Notice that the apk file is an absolute unit and therefore less likely to be installed on people's phones

Expected behaviour
minifyEnabled set to true and shrinkResources set to true.
APK is smaller and code obfuscated for security

Additional context
Whitelist classes and packages in the app/proguard-rules.pro that need to be left unobfuscated for the app to work.

Describe the bug
I noticed in from code review that the notification flow, upon receiving data from Firebase messaging, may make a few web requests:

• A request sent to the ACKNOWLEDGMENT_URL in Notificationhandler
• AtRiskActivity may be then loaded which has links to load gov.uk and nhs.uk content
• AtRiskActivity flow suggests a Diagnosis submission to api.svc-covid19.nhs.uk for users feeling unwell

There may be enough metadata in the timing and sizes of responses and dns queries on the network to determine or just guess (perhaps wrongly) a user is submitting a diagnosis - and the guess is perhaps as worrying as a true determination as the network actor may react in the same manner.

A network actor might be your VPN provider, ISP, employer, landlord, the housemate who set up the router, your local pub whoever controls or monitors the WiFi or mobile network. Some will likely be able to identify a user from a devices hostname or mac address when they use the WiFi.

Expected behaviour
Some of this request data is unnecessarily reactive to the notification event; the advice content could be pre-emptively cached (perhaps from a nightly download) I'm guessing the total size of the pages is tiny or could be and etags would keep full downloads to a minimum.

The domain names chosen could be less obvious: if a cloud provider is handling requests, do they have an ambiguous domain you can hide behind? If not, why not use a domain like gov.uk where it would be less clear whether someone is submitting a Covid19 diagnosis or using another government service like getting a new driving licence.

if any network metadata risks remain, they should be documented clearly so the user can make a choice; like preferring to submit data whilst on 4g only and not WiFi..

Upon registration "deviceModel" and "deviceOSVersion" are submitted.

I believe there is an argument against doing so for the purposes of privacy. I can't see why this information is needed.

If this is required for crash reports then I propose that information is instead sent upon a crash with the users permission and only when necessary.

What are the arguments for this data?

Describe the bug
From examining https://github.com/nhsx/COVID-19-app-Android-BETA/blob/master/app/src/main/java/uk/nhs/nhsx/sonar/android/app/registration/ResidentApi.kt#L46 it appears that the app relies on an external HTTP server to generate a key pair, which it then stores:

fun confirmDevice(deviceConfirmation: DeviceConfirmation): Promise<Registration> {
    ....
    val request = HttpRequest(POST, "$baseUrl/api/devices", requestJson)

    return httpClient
        .send(request)
        .map { json: JSONObject ->
            val key = json.getString("secretKey")
            val publicKey = json.getString("publicKey")
            ...
            keyStorage.storeServerPublicKey(publicKey)
            keyStorage.storeSecretKey(key)
            ...
        }
}

Since this key pair was generated by an external service the "private" key is, by definition, not private.

This implementation flaw is separate from the basic design flaw of any centralised approach to contact tracing. The basic design flaw allows a government to trace the movements and meetings of its citizens. This implementation flaw additionally allows the government to forge records of such movements and meetings, and to create valid digital signatures for the forged records.

AssertJ Core 3.x, which is used within some of the tests, only supports Android API Level 26+, but the Application is stated to support a minimum SDK version of 24, which evidently is less than 26.

As a result, attempting to run the test suite will eventually result in the exception java.lang.ClassNotFoundException: Didn't find class "java.time.Duration" on path: ... being raised - with java.time.Duration having only been introduced at API Level 26.

Is there a workaround available for this? An older version of AssertJ exists that supports older Android API levels, however this causes an error within the TestRxBleClient class when attempting to change the build to use that version.

Idea: To take best advantage of the centralised model, there should be a secondary app (running on any appropriate OS/hardware), available only to law-enforcement or for special use in specific areas.

The secondary app should function broadly similarly to the primary app, initiating BLE contacts with the primary app and reporting its contacts as usual to the primary server. However, this app should also:

• Report its identifiers and location back to a secondary server. When the app is installed alongside an existing piece of infrastructure (such as ANPR/Facial recognition cameras, contactless payment terminals, transport hubs etc), identifiers for this infrastructure should also be passed to the secondary server.

• Transmit more often and at maximum power to allow the greatest number of BLE contacts to be created - without regard to battery usage, on an OS/hardware platform which allows for this.

Very valuable additional information could be gathered and inferred if sufficient instances of the secondary app can be ran, spread across the country. Using administrator access to the data on the primary server (including BLE contacts between primary app users, and the secrets shared by the primary app during signup), this secondary app and secondary server will allow for:

• Visitors to infection hot-spots to be highlighted in datasets, regardless of whether their primary app shares a BLE contact with someone who subsequently reports themselves as infected.
• Real-name identities, locations and demographic information to be added to the infection-control dataset by cross-referencing data between the primary server, the secondary server and datasets for existing surveillance platforms (such as ANPR/Facial rec cameras etc which have the secondary app nearby). This additional information could increase the usefulness of the primary app to health authorities.
• Undesirable persons to be tracked more easily, and their contacts with others to be easily determined. This will allow for improvements to our society beyond simply reducing virus infections.

The secondary app/server need not be known to the developers of the primary app, and should be developed separately.

Can there be a Glitter / Matrix chat room so that contributers can help bootstrap other contributers to get started and answer questions without the core maintainers needing to get involved? (We don't want to take up any of their precious time!)

(Pinging @lampholder )

When we are asked about allowing location tracking in the permissions dialog (when running android R) the most obvious options are:

• While using the app,
• Only this time, and
• Deny.

Lots of people will think they're doing the right thing by clicking 'While using the app'. In fact, the user has to click a link 'Allow in setting' and then 'Allow all the time' in order to do the right thing.

To Reproduce
Steps to reproduce the behaviour:

1. Click continue, enter postcode, click continue.
2. Click 'Enable Permissions' and you get this:

If you choose the top option you get:

Expected behaviour
Before being presented with the 'Enable Permissions' button the user should be told that for the app to work they have to click the Allow in setting link and then click [ ] Allow all the time.
(Ideally show a couple of photos of what these screens the user will be presented with will look like)

Smartphone (please complete the following information):

• Device: emulated Pixel XL
• OS: Android R

I just tried to build it, and got the following errors,

• Where:
  Build file '/COVID-19-app-Android-BETA/app/build.gradle' line: 49
• What went wrong:
  A problem occurred evaluating project ':app'.

Missing property sonar.baseUrl please see README for instructions

After reading the readme it suggests a secret/property needs to be added, however doesn't specify what and or where that would be found to be added, and the same for the other 2 it mentions in the readme.

Describe the bug

The Android app will not discover iOS devices running the app in the background if they are running any other peripheral service (eg: TraceTogether).

At present, it appears to check for an explicit Apple manufacturer-specific data field value:

https://github.com/nhsx/COVID-19-app-Android-BETA/blob/acfb01e3c40ac8f35cb85b55208e6efa3a10241d/gradle.properties#L29

https://github.com/nhsx/COVID-19-app-Android-BETA/blob/acfb01e3c40ac8f35cb85b55208e6efa3a10241d/app/src/main/java/uk/nhs/nhsx/sonar/android/app/ble/Scanner.kt#L67-L73

The value is: 01 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00

Instead, it should check the Apple manufacturer data:

1. Byte 0 is 0x01 (Overflow area)
2. Byte 10 bit 0x40 is set
3. Ignore all other byte/bit values

This could be partially be done with ScanFilter by passing the additional manufacturerDataMask parameter, but you need to ignore the other types of Apple BLE submessages.

To Reproduce

1. Have another app on the iOS device advertising a peripheral in the background with a different service ID (eg: Singapore's TraceTogether app)
2. Run the iOS version of the NHSx app with it in peripheral mode
3. Run the Android version of the NHSx app with it in central mode

Expected behaviour

The Android device in central mode should be able to discover the iOS device in peripheral mode with the app in the background.

Additional context

http://www.davidgyoungtech.com/2020/05/07/hacking-the-overflow-area

This issue wouldn't impact iOS devices finding each other, as CoreBluetooth handles parsing overflow data for apps.

I haven't run a live test of this issue to reproduce it, or test that this would be enough to make it actually work. I also haven't tested how the NHSx app interacts with having TraceTogether on the same device.

But as is, from reading the source code, this definitely doesn't work, regardless of what the other peripheral app does.

Describe the bug

First off, I am not an Android developer, I am a database man that's happy to help with testing ;)

I followed the instructions in #24 - they helped me a lot.

Anyway I got the app to build and have my phone connected via USB with the USB Debugging option switched on. When I run gradlew one of the unit tests fails though:

What am I doing wrong?

> Task :app:connectedDebugAndroidTest
Starting 2 tests on SM-A705FN - 10

uk.nhs.nhsx.sonar.android.app.AndroidSecretKeyStorageTest > testAll[SM-A705FN - 10] SUCCESS

[InstrumentationResultParser]: test run failed: 'Instrumentation run failed due to 'Process crashed.''
[XmlResultReporter]: XML test result file generated at C:\android\COVID-19-app-Android-BETA-master\app\build\outputs\androidTest-results\connected\TEST-SM-A705FN - 10-app-.xml. Total tests 1, passed 1,

> Task :app:connectedDebugAndroidTest
Tests on SM-A705FN - 10 failed: Instrumentation run failed due to 'Process crashed.'
DeviceConnector 'SM-A705FN - 10': uninstalling app.android.covid19.test
DeviceConnector 'SM-A705FN - 10': uninstalling app.android.covid19
Task :app:connectedDebugAndroidTest in app Finished

> Task :app:connectedDebugAndroidTest FAILED
:app:connectedDebugAndroidTest (Thread[Execution worker for ':' Thread 2,5,main]) completed. Took 39.451 secs.
:app:outputInstrumentationErrors (Thread[Execution worker for ':' Thread 2,5,main]) started.

> Task :app:outputInstrumentationErrors
Task :app:outputInstrumentationErrors in app Starting
Custom actions are attached to task ':app:outputInstrumentationErrors'.
Caching disabled for task ':app:outputInstrumentationErrors' because:
  Caching has not been enabled for the task
Task ':app:outputInstrumentationErrors' is not up-to-date because:
  Task has not declared any outputs despite executing actions.
Task :app:outputInstrumentationErrors in app Finished
:app:outputInstrumentationErrors (Thread[Execution worker for ':' Thread 2,5,main]) completed. Took 0.025 secs.

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':app:connectedDebugAndroidTest'.
> There were failing tests. See the report at: file:///C:/android/COVID-19-app-Android-BETA-master/app/build/reports/androidTests/connected/index.html

Desktop (please complete the following information):

• OS: Windows
• Version 10

Smartphone (please complete the following information):

• Device: Samsung Galaxy A70
• OS: Android
• Version 10

Use case scenario:

• Bob and Alice are less than 2 meters apart separated by a wall
• The received bluetooth signal strength is less on both phones than it would be in the open air.
• Neither person can cough/sneeze through a wall

Q. Can it be presumed that when environmental factors reduce received signal strength they always reduce risk of cross-infection too or is further detail required?

The application does a device registration process during startup. However, when the app is uninstalled and installed again it does no longer work, as i believe it tries to register the device again when it is already registered

Can we automatically run the github actions against the PRs?

I can see github action workflows are already setup. It would be great if it would run against PRs.

If someone raised a PR that achieved this would you be ok with it?

Have you considered BT5 extended advertising? It is available in Android 8 and higher.
This mechanism would eliminate the need of opening a connection to every nearby device to send them the anonymized user ID (which I understand is how it works as of now). This would potentially be more battery efficient and faster.
The Gatt server would have to be maintained as a fallback for older devices though.

Describe the bug

Individuals are tracked by Google Analytics.

When accessing the Privacy Policy tracking code is passed from the application to the covid19.nhs.uk website which is processed by Google Analytics. Data captured could be used to re-identify an individual.

https://github.com/nhsx/COVID-19-app-Android-BETA/blob/43a167f8dba422fd9001b64f9c4fd82275abb1c8/app/src/main/java/uk/nhs/nhsx/sonar/android/app/util/BrowserUtils.kt#L20-L25

Expected behaviour

Individuals are NOT tracked by Google Analytics

Hey @edent - as per the README, I noticed that tests are being run manually before pushing PRs, along with releases being handled from a local machine also.

With this being an open source app, github actions would be free to use. This would allow you to run the tests for the project when PRs are opened. You could even handle the release process of the app via github actions also. I recently wrote a blog post about how we are doing this @ Buffer here.

With the above in place, I believe that you'd not only helping to ensure quality standards but also remove time spent on manual checks. If this is something that you think would benefit the project, I'd be more than happy to help set this up 🙂

Describe the bug
The code as it stands is likely to be flaky on OnePlus devices, which did not (and may still not on current models) follow Google's guidance on Doze and foreground services. All services are killed, including foreground services, typically after an hour. Googling "Oneplus service kill" will provide more context.

You should restart your service frequently, regardless of whether the service is running fine otherwise; this will restart OnePlus's internal logic and stave off killing.

I have deployed a similar app and had this really screw up my data: my bachelor's dissertation studied anonymous contact tracing with BLE enabled smartphones (i.e. exactly what you are doing). See section 4.4.2 of the dissertation for more bug descriptions beyond this. Another show-stopper to be aware of is that some devices report completely wrong RSSI values (!)

To Reproduce
Run on a OnePlus device. I know for a fact 5Ts used to demonstrate this behaviour.

Expected behaviour
Foreground services should not be killed.

Smartphone (please complete the following information):
OnePlus devices.

(Edit) this can be done with AlarmManager with an inexact alarm I think...

I took some measurements of the network connections made by the NHS app and observe that it makes connections to a server in.appcenter.ms. This seems to be part of the operation of the appcenter SDK used by the app. Connections are made both on initial install of the app and also intermittently while it is left running.

GeoIP services indicate that in.appcenter.ms is likely located in Virginia, US and RTT measurements that I've taken are consistent with this.

Will the production version of the app also use the appcenter SDK and make similar connections? If so, does that raise privacy concerns re export of data (including meta-data) of UK citizens to the US?

When trying to build the application I get the following error:

`FAILURE: Build failed with an exception.

• What went wrong:
  Execution failed for task ':app:processDebugGoogleServices'.

File google-services.json is missing. The Google Services Plugin cannot function without it. `