Contact diary (iOS) allow the import from the iOS contact list

[ouboub]

Hi

So far the contact have to be added manually, it would be very convient if, optionally, the Diary would have access to the iOs
contact list.

There is, however, no need to import all these contacts into the diary, since, otherwise a change in the iOS contact
list is not actualized in the Corona Diary.
The KontactTagebuch, available in the App store kontakt-tagebuch does precisely that.

Uwe Brauer

---

Internal Tracking ID: EXPOSUREAPP-3034

[Ein-Tim]

Related #304

[Ein-Tim]

Hey @ouboub

Apps using the Exposure Notification Framework (like Corona-Warn-App) are not allowed to ask for access to the iOS contact list, see https://developer.apple.com/contact/request/download/Exposure_Notification_Addendum.pdf:

[ouboub]

>> "ET" == Ein Tim ***@***.***> writes: Hey @ouboub Apps using the Exposure Notification Framework (like Corona-Warn-App) are not allowed to ask for acess to the iOS contact list, see https://developer.apple.com/contact/request/download/Exposure_Notification_Addendum.pdf:

Thanks! That is rather disappointing. BTW I don't understand Apple's attitude here. If the Corona-Warm-app allows the user to decide to give access to the contact list, that is then up to the users to decide to allow the access or not, so I don't see the problem. Or, on the other hand, does Apple suggest that even offering that access would allow for someone to access secretly these data, but that in turn would mean that there is a possible security breach with in the EN framework, which does not sound very assuring I must say. So the sentence you cite continues «unless otherwise agreed by Apple» Cwa developers: is there a possibility to ask Apple explicitly for permission to optically access the contact list? (Honestly otherwise I would stick to the contact diaries which already are available in the apple store) regards

[ouboub]

I thought about this issue. There is a contradiction. Apple does not allow the Corona Warn App to access, not even optionally, the iOS contact list, but what happens if I copy manually the content of my iOS contact list into the contact diary part of the Corona-Warn-App? Shouldn't apple prevent this also?

In other words, is the implementation compatible with Apple's philosophy (which is not very coherent in my opinion, but this is another issue). I am asking this, because I want to avoid that the whole Contact diary runs into trouble with Apple.

Any opinions?

regards

[heinezen]

@ouboub It is not really a contradiction as you manually copying the contact list into the contact diary is done with your consent. You can choose which contacts you copy over and when you do this. If the app has permission to access the contact list, it could potentially copy over all contacts at any time which is much less finegrained.

While this feature is not possible at the moment, we have added your feature request to the associated Jira ticket, so your ideas will not be lost.

Regards,
CH

---

Corona-Warn-App Open Source Team

[ouboub]

>> "CH" == Christoph Heine ***@***.***> writes:

@ch Or Hi Christoph,

@ouboub It is not really a contradiction as you manually copying the contact list into the contact diary is done with your consent.

I am aware that you are not representing Apple, however since you are somehow explaining/defending their position, let me reply to you.

You can choose which contacts you copy over and when you do this. If the app has permission to access the contact list, it could potentially copy over all contacts at any time which is much less finegrained.

I don't agree. There are two issues here. 1. The app imports, optionally of course, the content of you contact list. I fail to see why this is logically different from deliberately copying the content of the contact list into the app. It is less fine-grained as you say, but in both case you give your permission. This feature has been implemented for example by App Cluster diary https://apps.apple.com/de/app/cluster-diary/id1535388491?l=en (another the downside of this approach is that any change in the contact list has to be re-imported). Be it as it may, I can see that fine-graining is an issue here. 2. However approach number 2 is taken for example by the app KontaktTagebuch [[https://apps.apple.com/de/app/kontakt-tagebuch/id1535797892?l=en. a. How can either add an entry manually or you can, b. If you wish to do so, access the contact list and import single entries, for this meeting. You *cannot* import the whole list even if you wish. I fail to see why this second approach would be a security breach, well only if Apple is here implying that this functionality of accessing the contact list is not failsafe and that would cast a poor light on Apple's security policy. On the other hand, it should also be pointed out that the Corona Warn App is open source, so Apple could study the code and detect possible security breach easily. Since the document shown by @Ein_Tim offers the possibility to ask for explicit permission by Apple I have the impression that the Corona Warn App, would get that permission because of the open nature of its software development. Regards Uwe Brauer

[Ein-Tim]

A little update: Since version 2.12 of the Corona-Warn-App it is possible to scan QR codes from photos, although Apple also doesn't allow this in their Exposure Notification Addendum.

So I guess, theoretically, this would be possible to implement, if the CWA team just asks Apple for permission and Apple makes sure that the contacts don't leave the phone (and are sent to a server or similar).

[ouboub]

>> "T" == Tim ***@***.***> writes: A little update: Since version 2.12 of the Corona-Warn-App it is possible to scan QR codes from photos, although Apple also doesn't allow this in their [Exposure Notification Addendum](https://developer.apple.com/contact/request/download/Exposure_Notification_Addendum.pdf). So I guess, theoretically, this would be possible to implement, if the CWA team just asks Apple for permission and Apple makes sure that the contacts don't leave the phone (and are sent to a server or similar).

That would be very convenient. So should I open a new issue or what do you suggest? regards

[Ein-Tim]

@ouboub

Just leave this issue open, maybe @dsarkar could mirror my comment to JIRA?