Rapid Tests: Don't assume that the appointment of a test is accurate

[jeyemwey]

Avoid duplicates

• Bug is not mentioned in the FAQ
• Bug affects both Android and iOS, for specific issues / questions that apply only to one operating system, please raise them in the respective repositories:
  • Android repository -- see below
  • iOS repository -- unable to test
• Bug is not already reported in another issue -- see below

Technical details

• Device name: Google Pixel 4a
• iOS/Android version: Android 11
• App version: 2.2.1

Describe the bug

The rapid test integration assumes that the timestamp of the test is accurate (see e.g. Anbindung der Partnersysteme) and only has one timestamp. This creates problems if the test center is congested (and the actual time is later than the appointment) or the testcenter uses the appointment dates only for load balancing and does not care when you come in.

The second point can be an attack vector: If you come in earlier than your appointment, CWA will attest that you have a valid test for longer time since the relative time component calculates now() - t_appointment.

Steps to reproduce the issue

1. Book a test appointment for a rapid test far in the future (e.g. tomorrow) and receive a confirmation email for the booking.
2. Add the rapid test to CWA (tested on Android).
3. Go to the test center and check-in with your confirmation email. Try not to have a conversation that you should only be here tomorrow.
4. Take the test and wait until the result shows up in CWA.
5. The timer will say "Ergebnis liegt vor SEIT -H:-m:-s. Ausgestellt $date_of_actual_appointment".

I booked an appointment for 2021-06-05 on 2021-06-04, but already went to the test center today at 17:00. These are my results:

Expected behaviour

I would expect that the timestamp of the actual examination is used on the result screen. It is further unclear to me, why it seams to post the correct date in the welcome view, Date of adding the test to the app, maybe?

Possible Fix

• Either record the time when the test center tells CWA the final results and display that info to the user.
• Or add the actual examination time to the result set which is relayed by the backend. The test center (in my case at least) got the examination date correct in the results PDF which they sent me.

Additional context

The appointment date is also used in the URL/QR Code as the timestamp property.

corona-warn-app/cwa-quick-test-backend#82 and corona-warn-app/cwa-quick-test-backend#94 are connected, maybe?

---

Internal Tracking-ID: EXPOSUREAPP-7972

[Ein-Tim]

1. The implementation under iOS is different, but it has the same security flaw.
2. I would definitely connect this to Übernahme Testzeitpunkt (Schnittstellenlösung) cwa-quick-test-backend#94, which, if this is not only shown in the portal but also in the app, would solve this problem here.
   Maybe you'd like to ask there the question how they will implement this & wether it's planned to show the "real" time of the test in the app.

[heinezen]

Hello @jeyemwey

This should have been fixed in CWA 2.3. We'll close the issue here.

---

Corona-Warn-App Open Source Team

[jeyemwey]

Hi, thank you for the heads up and have a good week!

[Ein-Tim]

@heinezen Are you sure this has been fixed?
@vaubaehn was still able to get a negative countdown in corona-warn-app/cwa-app-android#3557 (comment) (@vaubaehn - sorry for interrupting your Friday evening here - but could you confirm that you are using version 2.3 or higher?) by changing the system time, so the problem with negative numbers doesn't seem to be fixed.
Could you elaborate how exactly this was fixed and provide the PRs fixing this?

In the meantime I'd like to ask you to reopen this issue.

[vaubaehn]

Hi @Ein-Tim

(@vaubaehn - sorry for interrupting your Friday evening here - but could you confirm that you are using version 2.3 or higher?)

I'm on 2.4.3.

You too have a nice evening, and a nice week-end to everyone!

[vaubaehn]

@Ein-Tim btw: the issue here are actually 2 issues: negativ counter and corona-warn-app/cwa-quicktest-onboarding#24.
However, neither have been fixed yet.

[heinezen]

@vaubaehn @Ein-Tim

I'll check back to see if there are things that we did not take into account.

---

Corona-Warn-App Open Source Team

[Ein-Tim]

@dsarkar Is there an update available here?

[mtwalli]

The counter has been removed completely , this issue should be closed

[mtwalli]

Currently Negative Rapid antigen test result display only the date

[Ein-Tim]

Hey @jeyemwey, please see #630 (comment). Would you like to close this issue now?

[jeyemwey]

Good for me! I thought the issue was resolved when the swab time was introduced about a year ago, but I will close this now anyways. Thanks for your help and time!