Date: 2020-09-02

Google and Apple will not receive any more information about a user of the Koronavilkku app than they do about smartphone users who do not have the program installed, the security company says.

No obvious security problems were found in Koronavilkku, according to a study that HS commissioned from the security company Nixu.

At the same time, the company points out that, in fact, Google and Apple have designed most of the app. Through this, the two major technology giants are defining what kind of smartphone applications states can develop in general to trace coronavirus infections.

The Koronavilkku app has been available for free download from the Google and Apple app stores since Monday. According to THL, by Wednesday afternoon Koronavilkku had already been downloaded to about 1.4 million smartphones.

When you open the application for the first time, it asks you to accept the terms of use and confirm that you have voluntarily activated the application.

When you open Koronavilkku for the first time, the application guides you through how to use it.

After that, using Koronavilkku requires only that the phone’s Bluetooth is switched on. You can turn on Bluetooth in the phone’s context menu or in Bluetooth settings.

The application runs automatically in the background all the time, even when it is not open.

If a user of the Koronavilkku application receives a positive result from a coronavirus test, he receives a code from healthcare professionals, either by phone or text message, which he can enter into Koronavilkku himself.

In this case, all other users of the Koronavilkku application who have been close enough to the infected person for long enough during a certain period of time will receive an exposure warning in their application.

An exposure warning explains how the recipient should act.

If you have not been near a person who reported an infection, the Koronavilkku main view will read: “No exposures detected.”

HS wanted to find out more about how the application is coded and how it is ensured that it is actually secure to use.

The Department of Health and Welfare (THL) and the application company Solita, which developed Koronavilkku, published the application’s source code online last week, so it is free to view.

In addition, THL, Solita and the Cyber Security Center of the Ministry of Transport and Communications have told the public in detail how Koronavilkku works and how it was built.

However, HS wanted a report from a project-independent security company.

Experts from the security company Nixu spent two days conducting the investigation. Normally, the company would set aside considerably more time to audit a mobile application.

Thus, based on Nixu’s investigation, it is not possible to say unequivocally whether security vulnerabilities can be found in Koronavilkku.

In its study, Nixu focused on the source code of the Koronavilkku Android app as well as Google’s documentation, and excluded, for example, a review of Apple’s iOS app.

Among other things, Nixu ensured that the version of the application found in the Google App Store matches the source code published by THL and Solita.

The company also monitored the network traffic of the Koronavilkku app installed on an Android phone. It sends messages only to the Koronavilkku backend server, as it should.

The Cyber Security Center issued its own statement on Koronavilkku before it was released for download in the app stores.

The Cyber Security Center also did not detect any significant security risks in the application.

Can Koronavilkku reveal users’ location information?

When you download and open Koronavilkku on your Android phone, the app may ask if it can access your phone’s location information.

This is a technical feature of the Android operating system. With Bluetooth, it may be possible to infer the location of a phone, so Android apps that ask for Bluetooth permission will also have to ask for access to location information, Nixu experts say.

However, based on Nixu’s investigation, Koronavilkku does not use location data; that is, it works exactly as THL and the developer Solita have publicly stated.

The application does not ask for, send, or save location information. Its operation is not based on the GPS location system at all.

Koronavilkku can thus be used without worrying about whether the application can track the user’s location information.

What information does Koronavilkku collect?

When the user accepts the use of the application, it starts sending random identification numbers around it via Bluetooth. According to Nixu, the app sends these tags about four times a second.

The identification numbers, on the other hand, change on average every fifteen minutes.

At the same time, Koronavilkku also listens for tags sent by other Koronavilkku applications nearby.

The application performs such a scan once every five minutes for about four seconds.

The main view looks like this when the application is not aware that the user has been exposed to the coronavirus.

Koronavilkku keeps a record of the identification numbers it has sent and the identification numbers it has received from other phones.

Phones running Koronavilkku do not pair with each other, as Bluetooth devices usually do, for example, when a phone and a wireless headset are connected.

In practice, Koronavilkku only broadcasts short messages that another device either hears or does not hear.

However, these tags remain on those devices. They don’t go anywhere on the internet at this point.

Solita’s technology expert Sami Köykkä said at a news conference organized by THL on Friday that the tags sit on the phone inside an interface created by Google and Apple, as if in a small safe.

There is no access to the source code of this interface, so it is much more laborious to study. Nixu only had time to check a few things about it.

Otherwise, one has to trust Apple and Google, which have accurate documentation of what they do. Nixu went through it and found it reliable.

Koronavilkku uses Bluetooth Low Energy technology, which consumes less energy; this is one of the reasons why Koronavilkku cannot be downloaded on some older smartphones.

What happens when you report a coronavirus infection in the application?

If a user of the Koronavilkku application receives a positive result in a coronavirus test and enters the one-time unlock code received from healthcare professionals into the application, the identification numbers stored on his phone are uploaded to the Kela server via the Internet.

All phones with the Koronavilkku application are connected to Kela’s server, from which they download the codes uploaded from the devices of patients with the coronavirus.

This information is processed by the application on your phone.

According to Nixu’s report, Koronavilkku retrieves data from the back-end server every few hours.

If the Koronavilkku application detects that the user has been close enough, for long enough, to a person who has been diagnosed with a coronavirus infection, he receives an exposure warning in his application.

THL and the software developer have jointly defined certain limit values that must be exceeded before a user receives an exposure warning in their application. These limit values are retrieved from the Kela server.

THL has assumed that more than fifteen minutes at a distance of less than two meters from a coronavirus patient is sufficient for exposure.

The exposure warning tells you what to do. But the user receives no information other than that he may have been exposed to the coronavirus in the last fourteen days.

He does not know where this may have happened and who the sick person is.

The authorities also do not know to whom the exposure warnings will go.

It is a so-called distributed technology, meaning there is no central server to monitor data.
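The flow described in this section, as an added example that is not Koronavilkku’s or Google and Apple’s code: a simplified Python model in which phones broadcast rotating random identifiers, a patient’s phone uploads the identifiers it sent, and every other phone does the matching locally. The `Phone` class, the per-scan distance estimate and counting each matching scan as five minutes of contact are assumptions made for illustration; the closed Google and Apple interface is not modelled.

```python
import secrets

ROTATE_MIN = 15      # identifiers change about every fifteen minutes (article)
SCAN_EVERY_MIN = 5   # one listening scan every five minutes (article)
LIMIT_MIN = 15       # THL: more than fifteen minutes ...
LIMIT_M = 2.0        # ... at less than two meters
WINDOW_MIN = 14 * 24 * 60  # warnings cover the last fourteen days

class Phone:
    def __init__(self):
        self.sent = []      # (minute, identifier) this phone has broadcast
        self.heard = []     # (minute, identifier, est_distance_m); hypothetical layout
        self._current = None

    def identifier_at(self, minute):
        """Identifier broadcast at `minute`; a fresh random one every ROTATE_MIN."""
        if self._current is None or minute - self._current[0] >= ROTATE_MIN:
            self._current = (minute, secrets.token_bytes(16))
            self.sent.append(self._current)
        return self._current[1]

    def scan(self, minute, nearby):
        """Store what was heard; `nearby` is [(phone, est_distance_m)] (assumed input)."""
        for phone, dist in nearby:
            self.heard.append((minute, phone.identifier_at(minute), dist))

    def report_positive(self, now):
        """Identifiers uploaded to the server after the one-time code is entered."""
        return {i for m, i in self.sent if m >= now - WINDOW_MIN}

    def exposure_minutes(self, published, now):
        """Runs on the phone itself: the server never sees `heard`."""
        hits = [m for m, i, d in self.heard
                if i in published and d < LIMIT_M and m >= now - WINDOW_MIN]
        return len(hits) * SCAN_EVERY_MIN   # assumption: one hit = one scan interval

    def is_exposed(self, published, now):
        return self.exposure_minutes(published, now) > LIMIT_MIN

def simulate():
    """Constructed scenario: bob stays near alice for five scans, carol passes by."""
    alice, bob, carol = Phone(), Phone(), Phone()
    carol_distance = {10: 1.5, 15: 6.0}          # meters; the 6.0 m hit must not count
    for minute in range(0, 25, SCAN_EVERY_MIN):  # scans at 0, 5, 10, 15, 20
        bob.scan(minute, [(alice, 1.0)])
        if minute in carol_distance:
            carol.scan(minute, [(alice, carol_distance[minute])])
    published = alice.report_positive(now=60)    # alice tests positive an hour in
    return bob.is_exposed(published, 60), carol.is_exposed(published, 60), published
```

The published set contains only random 16-byte values, so the server learns neither who was warned nor where the contact took place; the decision to warn is made on each phone.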

According to the Cyber Security Center’s study, the implementation of the server system as a whole has taken into account protection against several general risks.

Nixu did not have access to evaluate how the server systems were implemented.

What does it mean that Koronavilkku relies on an interface developed by Google and Apple?

According to Nixu’s analysis, most of the coronavirus application is actually designed by Google and Apple. Each state just puts its own interface on top of the parts designed by these companies.

In addition, each country implements for itself how data moves over the Internet between the Koronavilkku applications on phones and the servers.

Google and Apple have not released the source code for their contributions. Admittedly, Google has released individual parts of it. In addition, according to Nixu, the company offers good documentation of what it has done that goes beyond those individual parts.

The solution from Google and Apple is quite complex, according to Nixu, as it seeks to protect user privacy, minimize power consumption, and provide the easiest-to-use interface on which each state can build its own application as easily as possible and make serious mistakes difficult.

For example, Google does not allow the app to process location information or phone contacts at all, to prevent the country-specific app from providing solutions that could inadvertently leak information about the phone user.

Without Google and Apple’s contribution, states would hardly have succeeded in making equally high-quality applications, Nixu estimates.

Overall, therefore, it is best that the technology giants have come up with a unified solution that works with the operating systems of both companies.

This will also allow the coronavirus applications of different states to work with each other, in principle, in the future.

In the process, however, Google and Apple have the power to determine what an app needs to be in order to be available for download in their app stores at all.

Nixu raises a question: Is it up to Google and Apple to tell states how they should handle the tracing of people exposed to the coronavirus? Where can such developments lead in the future?

In any case, the Koronavilkku app does not create any additional or new risk, according to Nixu.

No more information about a smartphone user will go to Google or Apple than would be the case if you had not installed the Koronavilkku app.

“In the common interest, we recommend that everyone install the Koronavilkku app,” says security company Nixu in its assessment.