Corona Contact Tracing Germany

29 points | BubuIIC | 5 years ago | f-droid.org

15 comments

BubuIIC | 5 years ago

The package description doesn't do a particularly great job at explaining what this is:

This is the German "Corona Warn App"[1], the official German contact tracing app, but instead of using Google's Exposure Notification Framework (ENF) it relies on the microG implementation of the same API. It can either use a system-level microG implementation or fall back to the bundled implementation running purely as an app without any system permissions.

This makes the app fully free and 100% compatible with the upstream Google-based version.

[1] https://en.wikipedia.org/wiki/Corona-Warn-App

IlIlI | 5 years ago

All government apps should be open source, period.

kbit | 5 years ago

In this case, the app itself is in fact open source. The problem is that it relies on a non-free Google/Apple service for detecting contacts. However, I agree: Even such a dependency should strictly be avoided by government apps. This includes not limiting an app to the Play Store and also using alternative channels such as F-Droid.

MeinBlutIstBlau | 5 years ago

I agree on a philosophical level. I disagree on a corporate level. I have yet to have an experience with a government that actually maintains bleeding edge security and proper maintenance. The farther down you go the administration levels, the worse it becomes.

khir | 5 years ago

I really don't get the point of this app. If you are running microG instead of Play Services on your phone anyway, the Corona-Warn-App also uses the microG implementation of the exposure API, or am I missing something here?

If that is correct, why is there a need to fork the app?

I absolutely agree that SAP and co, who developed CWA, should have coded their own open implementation of the exposure API... That would have maybe made the 20 million euros they received understandable.

detaro | 5 years ago

It works on phones that don't have microG installed.

Someone | 5 years ago

If I understand this correctly, this removes one layer of Google code, but keeps building on the Google layers beneath it.

If so, what is the gain here? Can the Exposure Notification Framework be trusted less than the rest of Android? Or does this support more hardware?

BubuIIC | 5 years ago

> removes one layer of Google code, but keeps building on the Google layers beneath it.

Well, the layers beneath it are AOSP and free software. The situation is certainly not great, with source drops, nonfree firmware blobs, etc. But it is relatively easy to grab an AOSP source-tree for your device, make some changes, rebuild the OS and install this to your phone, given an unlocked/unlockable bootloader. In my opinion this is a highly desirable property of any system I'm using. It also enables things like GrapheneOS and CalyxOS which are Android distributions which focus explicitly on security and privacy.

> Can the Exposure Notification Framework be trusted less than the rest of Android?

ENF is part of Google Play Services and thus proprietary software. It is also a hugely scary and absolutely giant bundle of software you need to keep running in its entirety; you cannot use just the ENF part. Play Services can remotely update any software on your phone, and they have also been known to "accidentally" not respect users' (location) tracking opt-out choices. So while I personally don't consider Google's ENF implementation problematic (from their docs, the sources are ofc not available), the rest of Play Services most certainly is.

> Or does this support more hardware?

Apart from the already mentioned gapps-free ROMs, it supports modern Huawei phones (which also come without gapps). Making it work on Android 5 will probably happen (Google ENF supports Android 6+ afaik).

danhor | 5 years ago

You can use it on a device without GApps, so without closed-source Google code, using only the open source Android codebase (and the blobs and drivers from the manufacturer, depending on your device). This means you don't have to trust Google.

rurban | 5 years ago

The biggest problem is identification. The latest Android system update for the low-energy Bluetooth support, which was needed for those tracing apps, added the generation of the random ID centrally. Which is a security nightmare, like registering your private SSH key at Google. So Google now knows your health status, and via Google the NSA, and via the NSA all their partners.