[Data Donation] Android App integrity check alternatives #356
Comments
I'm looking forward to the docs you mentioned in corona-warn-app/cwa-app-android#2242 (comment), as I'm still unsure about the overall design of the new features. Specifically, to what extent "survey" and "data donation" are two separate features, which does what and when, when SafetyNet is required, and so on, which I'm hoping the docs will clarify. |
We will have data donation of facts like how many red and green risk cards are displayed. |
Are you going to link the data from the data donation of a specific device together, e.g. to track for how long a device displays a high-risk warning (just an example, not saying that this couldn’t be tracked otherwise)? If not, are you technically capable of linking individual transmissions by a specific device using the SafetyNet attestations? I don’t know what those look like, whether they are "anonymous" towards the verifier or just pseudonymous. My approach would probably have been to enforce a delay at the scale of days or weeks between installation of the app / enabling the feature and being able to send data, though I don’t see a way to do that without allowing some link between some of the queries. Maybe an approach where multiple users are grouped together to share one identity towards the server could be thought out to address that. This would mean that an attacker would have to plan their attack in advance, and I believe this would already discourage people enough from disturbing the system “just because they can”. Additionally, you could monitor for extraordinary amounts of ‘registrations’. A second thing I’m wondering about: to my understanding, SafetyNet can attest different levels of ‘integrity’. Which level of integrity are you going to require, what constraints does this imply and how is this supposed to prevent abuse? |
The data donation is completely anonymous and no device-specific information is linked to the data. It is also not possible to see when different submissions came from the same device. SafetyNet attestation is completely anonymous; we only save a part of the nonce in a different table for 1 day to prevent replay attacks. At the moment we plan to use only the app digest to check the integrity of our app. |
Google's page about SafetyNet says
If I understood that correctly, couldn't an attacker with evil intent hook into the SafetyNet Attestation using root and spoof the signature value (extracted from the real app)? |
@thomasaugsten Thanks for the link. @tomjschwanke I'm assuming that they are going to require |
@fynngodau I was thinking more of spoofing the correct
I'm not sure how easy it would be to forge that. |
When using SafetyNet, you should be aware that this alone is not sufficient to effectively block abusers. Typically, you'd want to implement additional measures like rate limiting, plausibility checks and so on. For example, Pokemon Go is well known to use SafetyNet, yet they also spot abusers by detecting if users travel large distances in short time. Check section 9 of this Google blog post:
Regarding |
Currently SafetyNet still accepts |
The ctsProfileMatch is easy to fake, and on old genuine devices this property can also be false. |
This is a SafetyNet JWS token with a valid signature from Google and the following payload.
```json
{
  "nonce": "U2FmZXR5TmV0IGlzIGp1c3QgYSBzaW5pbmcgb3JhY2xlLg==",
  "timestampMs": 1612411031981,
  "apkPackageName": "de.rki.coronawarnapp",
  "apkDigestSha256": "F9zzVF9dlcJ7i8MyoQRYQ0z58oON0kJeU6163tsgYvQ=",
  "ctsProfileMatch": true,
  "apkCertificateDigestSha256": [
    "Dday+17d9vY5YtsnHu1+9QTHd9l3LUhEcqzweVOe5zk="
  ],
  "basicIntegrity": true,
  "evaluationType": "BASIC"
}
```
According to this data, the token was created from official Corona-Warn-App 1.11.0 (check and compare No matter what any Google employee may tell you: SafetyNet is not and never was a sufficient abuse protection or integrity check. It is suitable as a rate limiter (if you require every request to carry a different nonce), however you could also implement rate limiting using other techniques and without needing to trust Google to have proper rate limiting. |
Internal Tracking ID: EXPOSUREAPP-4754 |
For your information, we are preparing to release CCTG 1.13 without PPA and survey features. We can of course enable them again once a solution without Google SafetyNet can be used. |
The version 1.13 is now released and includes the PPA and survey feature |
Since you are already differentiating between |
@mar-v-in Could you explain what you did to get this to pass? Also see microg/GmsCore#1470 in order to pass the |
@dylangerdaly |
Closing this issue as the related internal ticket is set to |
What was the conclusion in the internal ticket? |
There is no explicit conclusion in the ticket, but fix version is set to 1.13. See @thomasaugsten's comment from further above:
|
To prevent wrong information via the data donation we check via SafetyNet the app digest and the certificate chain of the JWS signature on the data donation server. This is not a root check.
This is needed for the opt-in feature when the user wants to share the information when for example receiving an exposure notification (data donation). This will exclude users using the micro-G implementation or the CTG app.
We should discuss if there are any alternatives to check the integrity of the app without identifying the user.
And is there a way to add microG or CTG in the app integrity check?
Internal Tracking ID: EXPOSUREAPP-4754
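The server-side checks discussed in this thread (nonce bound to the request, token freshness, app digest and signing-certificate allowlists, nonces remembered for one day against replay, and deliberately no reliance on ctsProfileMatch), as an added example that is not the CWA server's own code. It assumes the JWS signature and its chain to attest.android.com were verified beforehand, and assumes a nonce scheme of base64(SHA-256(salt || request body)); the allowlist values are the two digests quoted in the token above, used only as constructed sample policy.

```python
import base64
import hashlib

# Constructed policy values: the two digests are the ones quoted in the token
# payload above; the real server's allowlists are not on this page.
ALLOWED_PACKAGE = "de.rki.coronawarnapp"
ALLOWED_APK_DIGESTS = {"F9zzVF9dlcJ7i8MyoQRYQ0z58oON0kJeU6163tsgYvQ="}
ALLOWED_CERT_DIGESTS = {"Dday+17d9vY5YtsnHu1+9QTHd9l3LUhEcqzweVOe5zk="}
MAX_TOKEN_AGE_MS = 5 * 60 * 1000   # assumed freshness window for timestampMs
NONCE_TTL_S = 24 * 60 * 60         # nonce kept for 1 day, as stated in the thread


def expected_nonce(salt: bytes, body: bytes) -> str:
    """Assumed binding: nonce = base64(SHA-256(salt || request body))."""
    return base64.b64encode(hashlib.sha256(salt + body).digest()).decode()


class NonceStore:
    """Remembers nonces for NONCE_TTL_S so a captured token cannot be replayed."""

    def __init__(self):
        self._seen = {}  # nonce -> expiry (unix seconds)

    def first_use(self, nonce: str, now_s: float) -> bool:
        self._seen = {n: t for n, t in self._seen.items() if t > now_s}
        if nonce in self._seen:
            return False
        self._seen[nonce] = now_s + NONCE_TTL_S
        return True


def check_attestation(payload: dict, salt: bytes, body: bytes,
                      store: NonceStore, now_ms: int) -> str:
    """Return 'ok' or the name of the first failed check on a decoded payload
    whose JWS signature and certificate chain were already verified."""
    if payload.get("nonce") != expected_nonce(salt, body):
        return "nonce-mismatch"  # token was not issued for this request body
    if not 0 <= now_ms - payload.get("timestampMs", 0) <= MAX_TOKEN_AGE_MS:
        return "stale-token"
    if payload.get("apkPackageName") != ALLOWED_PACKAGE:
        return "wrong-package"
    if payload.get("apkDigestSha256") not in ALLOWED_APK_DIGESTS:
        return "unknown-apk-digest"
    if not set(payload.get("apkCertificateDigestSha256", [])) & ALLOWED_CERT_DIGESTS:
        return "unknown-signing-cert"
    # No ctsProfileMatch / basicIntegrity requirement on purpose: the thread
    # notes these are easy to fake and false on some genuine devices.
    if not store.first_use(payload["nonce"], now_ms / 1000):
        return "replayed-nonce"
    return "ok"
```

As the thread stresses, these checks only make each donation cost one fresh attestation; rate limiting and plausibility checks on the donated data itself still belong on top.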