Germany’s Covid-19 Tracing App

Finally the contact tracing up is here. With big media attention the app was launched to public 2 days back, after the bumpy start with a complete strategic change from centralized to decentralized model. SAP and Deutsche Telekom cooperated and created an app-server environment in less than 2 months, chapeau for that performance. It comes at 20 million Euro, plus 2 to 3 million monthly for Deutsche Telekom, mostly to operate the hotline (not sure if they actual build an office building first, but anyway). Some might claim a start-up could have done it for a fraction, yes, maybe, would it be ready ? Would it be able to provide a system that can talk to the public healthcare system to create TAN’s to push alerts ?

You can download for Google and Apple. Interestingly the app was downloaded more than 1 million time within 2 days, after 3 days supposedly 8 million times and got more than 30.000 ratings/reviews (Android only) in that short timeframe (mostly positive) !
The team seem to work agile, they pushed out an update within 72 hours.

You can review and download the code at Github. I must admit, the documentation is really good, no one can claim this is not transaparent. Despite still so many people claim it would be used for tracking people and their whereabouts.
First thing to do ? Let’s look at the sourcecode and the underlying libraries by Apple/Google. Did not manage to build it with Android Studio 3.4, had to update to 4.0 to get it built and run on the phone, though it would fail after the initial info screens due to the missing Exposure Notification API on the phone. Guess that will be fixed once the Playstore app is updated.

Findings:

• Permissions
  As planned and communicated only the bare minimum to make this app work. You can see it does not require the coarse location permission usually required by BLE.

• Libraries
  A few of the standard libraries: ZXing Embedded, Joda Time, Room, SQLCipher, detekt and a some others.
  Most importantly Google’s Exposure Notifications API

• Why would you disallow the user making screenshots, if everything is transpraent and opensource ?

• Once you installed the apk file through Android Studio you cant install the official app, even after removing the app installed through adb.

Conclusion: Full transparency. It did materialize quite fast, too late for the first wave (no app can be ready for something totally new) but certainly in place if a second wave or individual hot-spots appear. I still have doubts if we reach a 60% penetration nut the initial figures are looking good. You can still argue about the quality of measuring the signal strength of Bluetooth and how many warnings we will see.

Daily Tech Observations 7

PEPP-PT

There has been some movement in the Pan-European Privacy-Preserving Proximity Tracing project over the last few days. Earlier it was announced an app would be released after the Easter period. This has not happened so far, some of the project partners have even pulled out (reference). The project is driven by the Arago founder Chris Boos.
Though the app is not out, both documentation and some sourcecode has been released under Mozilla Public License on github. This is a good move, it creates transparency and allows to fork the project if needed. I have not seen other projects in the same tracing space to release their sourcecode. Time to have some hands-on with the sourcecode, more in an upcoming post.

ROBERT Protocol

The ROBust and privacy-presERving proximity Tracing protocol (ROBERT) by Inria and Fraunhofer Institute. Both are member of the PEPP-PT tracing project but the documentation can or should be the base for any implementation of a tracing app. Find the documents at github. This is the only way forward to create transparent apps that will be accepted by general public. Highly recommended reading.
It is key to differentiate between the centralised and decentralised approach, read more here.

• Techchrunch: France’s Inria and Germany’s Fraunhofer detail their ROBERT contact-tracing protocol
• Venturebeat: What privacy-preserving coronavirus tracing apps need to succeed
• An Investigation Into PEPP-PT by Nadim Kobeissi

DP-3T

As the ROBERT protocol is a solution with a central component, there is also a group proposing the a decentralised approach, DP-3T – Decentralized Privacy-Preserving Proximity Tracing. This proposal is aligned with the mutual Apple-Google proposal. Also highly recommended reading. Sourcecode is available on github as well.
Drop by the comic style explanation by Nicky Case.

By Nicky Case (CC-0)

TCN Protocol

Similar to DP-3T , there is TCN (Temporary Contact Numbers,) a decentralized, privacy-first contact tracing protocol. Find the specification here.

• Private Contact Tracing Protocols Compared: DP-3T and CEN

Open-Source Corona Apps

Two mobile apps have been released in the US

• CovidWatch (Source)
• Private Kit: Safe Paths by MIT (Source)

COVID-19 Data

• Latest Google Community Report was released on April 23rd.
• Various organizsations continue to release data on a daily base, eg. Our World in Data or HDX (Humanitarian Data Exchange).

More Research and Whitepapers

• Heise Article

DIY Project: Create a Tracking and Tracing App Part 3

In this part we will have a short excursion into the world of radio signals, like wireless or bluetooth signals. As part of the tracing solution we must estimate the distance between two devices, it makes a difference if we stand next to a person (less than 2m) or being 5m and more apart for a potential transmission. The tracing app shall record only other devices in the nearby area, otherwise we will face a tsunami of false warnings after recording everyone in a 10m radius. The only way to measure or anticipate the distance is the signal strength of the received beacon signal.

Bluetooth Peripheral Mode

Bluetooth classic, made for higher speed and permanent connections, uses more energy and requires pairing before exchanging data between the devices (see previous post). We need to use the peripheral mode which was introduced with Android 5 (Lollipop) in 2014. The peripheral mode is mostly used by health devices, pedometers, etc. By today (2020) most Android phones should support this mode which is the key component, known as Bluetooth Low Energy Advertising, for the tracing app.
Bluetooth 5, supported since Android 8.0, introduced significant improvements to the BLE mode (reference). In the next post we will explore the BLE advertising and the related services.

Simple test to check if the Android device supports advertising

private BluetoothAdapter bAdapter = BluetoothAdapter.getDefaultAdapter();
..
if (bAdapter.isMultipleAdvertisementSupported())
	Log.i(TAG, "MultipleAdvertisementSupported supported.");
..

About Signal Strength

Theory

To be more precise we have to look at the strength of the received signal, also called RSSI (Received Signal Strength Indication), the measurement of power in a radio signal, measured in dBm. In short, the receiving device can measure the power of the signal and approximate the distance. Sounds simple, but it is not, radio signals is a huge field in science and research and I won’t attempt to replicate this in a blog post. The RSSI value often ranges between -100 and 0 dBm (in our context here), where -100 is the weakest signal and values near 0 the strongest.
Some links with references below for the interested reader. The main challenge is the signal strength depends on a number of parameters, the sending power, the distance (obvioulsy), external factors like reflection, absorption, interference and diffraction. It is very much an approximation, especially as we are talking about unknown devices (mobile phones) emitting the signals and not defined devices like industry beacons. In the literature you find a formular that estimates the distance in meters:

As you can see we do not have proper values for RSSId0 and Eta/n because we lack of reference devices and reference environments. We will experiment with values in the field test below.

References:

• Adaptive Distance Estimation Based on RSSI in 802.15.4 Network by Miroslav BOTTA, Milan SIMEK
• Evaluation of the reliability of RSSI for Indoor Localization by Qian Dong and Waltenegus Dargie
• IEEE 802 Documents in the IEEE Xplore Digital Library
• Wikipedia about dBm
• Wikipedia about RSSI

Android

For both Bluetooth and Bluetooth LE we can read the RSSI (values between -127 and 126) easily (Android Developer Documentation). See previous post for complete method.

For Bluetooth Devices

BluetoothDevice device = intent.getParcelableExtra(BluetoothDevice.EXTRA_DEVICE);
int rssi = intent.getShortExtra(BluetoothDevice.EXTRA_RSSI,Short.MIN_VALUE);

For Bluetooth LE devices

public void onScanResult(int callbackType, ScanResult result) {
	System.out.println(result.getRssi());
}

The method to calculate the distance based on above formular

double getDistance2(int rssi, int rssid0, float eta) {
	 return Math.pow(10d, ((double) rssid0 - rssi) / (10 * eta));
}

Field Test

Devices: Huawei P30 and Ubudu Beacon.

I use the app to read the RSSI value at the reference distance 1m.
In the first round I setup it outside at a grass field without surrounding building, walls etc.
The average RSSI value is about -83dBm with values ranging from -104 to -77dBm.
The second round in an office like environment, a room of about 3×3 metres. Now we have an average value of -51dBm with values ranging from -79 to -35dBm. In a second room I get -88dBm, -83dBm

RSSI Values at 1 meter distance

Now going back to our formular we calculate the distance with reference 1m RSSI value of 75dBm (best guess) and an eta of 2 (found this value when researching). Now setup again a 1m distance situation and check the caculated distance.

Calculated distance at 1 meter distance

This run with 2,1m average value differs 100% to the real 1 meter distance, the values having outliers up to 30m without touching the device or moving anything. If we need to rely on these values we need to capture at least 100 signals and average them to get anywhere near the real distance. I doubt changing eta and the reference RSSI will help as the RSSI value comes with these extreme outliers.

A few more random tests a different distances I come to the conclusion (with this specific test setup), the RSSI wont help us to measure the distance between two mobile phones, aka 2 persons properly. At most we can anticipate with an array of measured values and the the average if the device is less than 5m away, aka falls into a potential transmission candidate group.

Test Setup at 50cm resulting in 18cm average distance.

Header Image by Juanma_Martin from Pixabay

DIY Project: Create a Tracking and Tracing App Part 2

The tracing of contacts through mobile apps became the Number One hot topic in the last few days, governements and institutes of the EU countries are still working on technical solutions to trace transmissions of SARS-CoV-2 (though a bit late for the first wave that has hit most countries worldwide). At the same time there is an intense debate about these apps in terms of data usage, privacy, etc. The apps wont stop the spread or protect the person using the app but they should help to keep the situation under control in the times to come, maybe as a permanent tool to stay for a long period. Even more important not to build a tracking tool following examples of more authoritian states, but to have a solution that protect privacy.

In this blog series, looking at the technical aspects, we still touch both tracing and tracking for the matter of the discussion. In the last post we only touched the Bluetooth basics, now get into discovering nearby devices.

Android to discover Bluetooth devices

About device discovery

• Discovery of Bluetooth devices is the step before pairing and coummunicating with another device. We can scan for nearby devices without the other devices (its owner) noticing it.
• But for classic Bluetooth, the device need to be set to discoverable by its user, usually only for a limited period. It is consuming additional energy and would drain the battery faster if left on permanently (putting aside security concerns, see references).
• BLE works like a beacon permanently being discoverable, certain location type application work like this, eg. to help navigate in buildings equipped with beacons.
• The 3 key device attributes when discovering devices:
  – Name: Not unique, just a label, can be set/changed by the user.
  – MAC: The unique identifier (see previous post)
  – Signal strength in dBm (more about this later)

Discover classic Bluetooth devices

We need to register a broadcast receiver and listen to the intents for discovery start and end. The discovery need to be triggered, it will run for about 12 seconds.

Register BC Receiver

private void initBCReceiver(){
	final BroadcastReceiver mReceiver = new BroadcastReceiver()
	{
		@Override
		public void onReceive(Context context, Intent intent){
			String action = intent.getAction();
			if (BluetoothDevice.ACTION_FOUND.equals(action))
			{
				BluetoothDevice device = intent.getParcelableExtra(BluetoothDevice.EXTRA_DEVICE);
				int rssi = intent.getShortExtra(BluetoothDevice.EXTRA_RSSI,Short.MIN_VALUE); // dBm
				System.out.println("Found: " + device.getName() + "," + device.getAddress() + "," +  rssi);
			} else if (BluetoothAdapter.ACTION_DISCOVERY_STARTED.equals(action)){
				System.out.println("ACTION_DISCOVERY_STARTED");
			} else if (BluetoothAdapter.ACTION_DISCOVERY_FINISHED.equals(action)){
				System.out.println("ACTION_DISCOVERY_FINISHED");
			}
		}
	};

	IntentFilter filter = new IntentFilter();
	filter.addAction(BluetoothDevice.ACTION_FOUND);
	filter.addAction(BluetoothDevice.ACTION_PAIRING_REQUEST);
	filter.addAction(BluetoothAdapter.ACTION_DISCOVERY_STARTED);
	filter.addAction(BluetoothAdapter.ACTION_DISCOVERY_FINISHED);

	registerReceiver(mReceiver, filter);
}

Now trigger the discovery

bAdapter.startDiscovery();

Discover Classic BT devices

Discover BLE devices

The BLe devices (beacons) constantly send their signal, we can pick it up in an async thread. The Android BT library supports this with less than 15 lines of code to capture the devices. Implement the callback and start/stop the scanning.

private ScanCallback leScanCallback = new ScanCallback() {
	@Override
	public void onScanResult(int callbackType, ScanResult result) {
		System.out.println(result.getDevice().getAddress() + "-" + result.getDevice().getName() + " rssi: " + result.getRssi() + "\n");
	}
};

public void startScanning(View view) {
	System.out.println("start scanning");
	AsyncTask.execute(new Runnable() {
		@Override
		public void run() {
			btScanner.startScan(leScanCallback);
		}
	});
}

public void stopScanning(View view) {
	System.out.println("stopping scanning");
	AsyncTask.execute(new Runnable() {
		@Override
		public void run() {
			btScanner.stopScan(leScanCallback);
		}
	});
}

Discover BLE devices

Interesting observations:
– The MS Designer Mouse is operating in both classic and BLE mode.
– The signal strength of devices can change without being physically being moved.

Conclusion

• The Bluetooth classic mode is not feasible for the tracing requirement. It would drain batteries quickly and we cant disnguish between phones and other devices using solely the MAC (though we could identify manufacturers).
• We need to consider the BLE peripheral model for our tracing app. Remember, we need to capture the unique key from another nearby user of the app, we cant achieve this without basic 2 way communication between the two apps.

Fun Facts

• Did you know that Bluetooth is named after the king Harald “Bluetooth” Gormsson of Denmark and Norway in the 10th century ? ..and why ?
• Jim Kardach (Intel), developing the new communication standard, reading Frans G. Bengtsson’s historical novel The Long Ships about Vikings and King Harald Bluetooth.
• The famous Bluetooth logo is a merge of Harald’s initials ᚼ, Hagall and ᛒ, Bjarkan. (Source: Wikipedia)

Stay safe and tuned..

References

• Forbes Article August 2019, Wired Website and Bluetooth.com
• Overview Security concerns at Wikipedia
• Bluetooth documentation developer.android.com
• Bluetooth LE documentation developer.android.com

Image by Free-Photos from Pixabay.

Daily Tech Observations 4

COVID-19 Apps

In the German Google Playstore we find one new app, the Corona-Datenspende. Released by the Robert-Koch-Institute the app uses data from smartwatches and fiteness tracker devices. It claims to be 100% anonymous, voluntary and compliant with GDPR regulations. According to their website 50.000 users already downloaded the app that correlate a potential infection with certain activity, heartrate and other values received from these devices. They still struggle with the support of the wide range of devices in the market but plan to support more manufacturers and devices asap. A good approach, we should use any opportunity to fight the spread.

COVID-19 Apps in Singapore

While we have to comply with GDPR in the EU and have to count on the participation and voluntary contribution of its citizen to use the app, Singapore released an app, Homer, that infected patients have to use when ordered to home-quarantine. You have to virtually report your home presence every few hours to the authorities. A strict move, but 100% in line with the local legislation in a highly populated country where the spread must stay under control. The third app, SwiftMed, is a contact tracing app for frontline officers.

#WirVsVirus Hackathon Results

I highlighted the hackathon organized by the government in one of my previous posts. You can see short pitches for each idea that made it to the finals in this YouTube playlist plus the other apps that didnt make into the finals (all in German language, use english subtitles if you need to). Good for some inspiration, it shows what different kind of ideas people can come up with in short time.

Other useful links

The website Visualcapitalist list a number of interesting visualizations around the COVID-19 topic. Highly recommended.

Most of the infection spread and distribution data is available at a couple of websites:

• European Centre for Disease Prevention and Control
• EU Open Data Portal
• Humanitarian Data Exchange
• Harvard Dataverse (more data than the distribution figures)

Stay safe and tuned..

FB aquires WhatsApp – Bye and Thanks for the Fish

WhatsApp known for its massive security issues, still used by millions of people as a free replacement of SMS and MMS, was acquired by FB, one (maybe the) biggest data harvester in the internet. I dont use FB, the acquisition is a reason to finally move on to another more secure communication tool: Threema  (Made in Switzerland app with end-to-end encryption). Hope they wont sell privacy for money. Please help to spread the word.

It is NOT free, but is time to understand FREE comes at a price !

Android Investigations (2)

Not enough with the foul play from the previous part, developer also hook on current affairs, like catastrophes and incidents.

Let’s search in the market for “japan nuclear”. We find about 50 apps with these keywords. There are lot of good apps, or apps with good intention, showing current radiation level, etc. Most of them are free. This shows apps can be useful, even in bad days.

But now look at the other side of the medal, some developer try to make cash with apps covering some kind of radiation apps, or try to promote poor games with the crises. Let me put one thing straight, if your app is paid and you donate the revenue to the Japan rebuild/crisis efforts, it is perfectly fine, if not you should be ashamed.
How can I verify if the app is charity related ?

Apps covering Japan nuclear crisis

Continue reading →

Android Investigations

I love to examine the physics of the Android market, specifically since it is open and there is no controlling, approving or censoring authority (like the other shop from the fruit department). Anything can be submitted to the market, as long it is not breaking some basic rules and no one flag it as inappropriate (even then I am curious who looks at the flagged apps).

Quite often I browse through news apps and games to see how other developers start new apps in the market, to get ideas and gather more insights of the market ecosystem. I came across another pattern for some new apps, specifically homebew ones. The way the developer try to promote his app by self-praise. This can be achieved by..

App name and description, Keywords and Developer Name

Now you can see more apps with a title including the words free, best, cool,..

Continue reading →

The first 7 days in the Android App Market

After 7 days of existence in the market, 28 user downloaded the application and 50% kept it.
Just learning more about the Android market physics, I updated the application to version 0.2 Beta.
Featured on AndroidZoom, Thanks ! Lets see if there is an impact.

CountRoid on AndroidZoom

I am keen to find out more about the backend of the market. How many applications in total, how many added per day/hour ? How many removed ? How many not being updated for time x ? Language distribution ? Who makes most applications (country) ? How many triggered as spam ?

You want to use the awesome CountRoid ? Point your phone here:

QR Code

You want to know how to create this QR code ?
Goto http://zxing.appspot.com/generator, select URL and enter market://search?q=pname:{your_packagename} (e.g. com.awesome.application). Download the image and print it on your car, T-Shirt, place it on your website or tattoo it on your forehead.

The first 24 hours in the Android App Market

I have a few concepts and ideas in mind for Android applications, some require more knowledge about the platform, some require a proper datasource and some require more time. But still I was very curious how the market works. I didnt want to add another Test or Hello World app to the market, because it is mere market spam. So what is the most simple app you could think of  ? A button that counts ! With a complexity level slightly above “Hello World”. Never mind, I created a 2-button counting app named CountRoid to learn about the physics of the market publishing process. I spare you the description how to do it, it is well documented and easy.

Just some observations:

• The new application immediately showed up as Just In under Tools, also on the market browser Androidzoom. A few minutes of fame being the first in the list.
• After 10 minutes another 20 applications showed up in front of me. One day later I cant find it anymore (after giving up scrolling down any longer).
• In the first few hours zero downloads (are we surprised ? You search for counter or count and you find dozens of more or less fancy counting apps)
• There are counting apps that cost money !
• After 24 hours 21 downloads ! How did they find it ? (we will never know). But from  a statistics point of view quite realistic. 300.000 new Android activation every day, so there is a chance someone comes across my app.

I need seriously start thinking about a roadmap for the app ! And if you are completely crazy about counting stuff, go ahead and search for countroid. Its free 1! And there will be no paid advanced version in the future. Unlimited counting !

Android Market

Countroid on Android Market

@ Androidzoom

After 24 hours

CountRoid Screenshot