DIY Project: Create a Tracking and Tracing App Part 3

In this part we will have a short excursion into the world of radio signals, like wireless or bluetooth signals. As part of the tracing solution we must estimate the distance between two devices, it makes a difference if we stand next to a person (less than 2m) or being 5m and more apart for a potential transmission. The tracing app shall record only other devices in the nearby area, otherwise we will face a tsunami of false warnings after recording everyone in a 10m radius. The only way to measure or anticipate the distance is the signal strength of the received beacon signal.

Bluetooth Peripheral Mode

Bluetooth classic, made for higher speed and permanent connections, uses more energy and requires pairing before exchanging data between the devices (see previous post). We need to use the peripheral mode which was introduced with Android 5 (Lollipop) in 2014. The peripheral mode is mostly used by health devices, pedometers, etc. By today (2020) most Android phones should support this mode which is the key component, known as Bluetooth Low Energy Advertising, for the tracing app.
Bluetooth 5, supported since Android 8.0, introduced significant improvements to the BLE mode (reference). In the next post we will explore the BLE advertising and the related services.

Simple test to check if the Android device supports advertising

private BluetoothAdapter bAdapter = BluetoothAdapter.getDefaultAdapter();
..
if (bAdapter.isMultipleAdvertisementSupported())
	Log.i(TAG, "MultipleAdvertisementSupported supported.");
..

About Signal Strength

Theory

To be more precise we have to look at the strength of the received signal, also called RSSI (Received Signal Strength Indication), the measurement of power in a radio signal, measured in dBm. In short, the receiving device can measure the power of the signal and approximate the distance. Sounds simple, but it is not, radio signals is a huge field in science and research and I won’t attempt to replicate this in a blog post. The RSSI value often ranges between -100 and 0 dBm (in our context here), where -100 is the weakest signal and values near 0 the strongest.
Some links with references below for the interested reader. The main challenge is the signal strength depends on a number of parameters, the sending power, the distance (obvioulsy), external factors like reflection, absorption, interference and diffraction. It is very much an approximation, especially as we are talking about unknown devices (mobile phones) emitting the signals and not defined devices like industry beacons. In the literature you find a formular that estimates the distance in meters:

As you can see we do not have proper values for RSSId0 and Eta/n because we lack of reference devices and reference environments. We will experiment with values in the field test below.

References:

Android

For both Bluetooth and Bluetooth LE we can read the RSSI (values between -127 and 126) easily (Android Developer Documentation). See previous post for complete method.

For Bluetooth Devices

BluetoothDevice device = intent.getParcelableExtra(BluetoothDevice.EXTRA_DEVICE);
int rssi = intent.getShortExtra(BluetoothDevice.EXTRA_RSSI,Short.MIN_VALUE);

For Bluetooth LE devices

public void onScanResult(int callbackType, ScanResult result) {
	System.out.println(result.getRssi());
}

The method to calculate the distance based on above formular

double getDistance2(int rssi, int rssid0, float eta) {
	 return Math.pow(10d, ((double) rssid0 - rssi) / (10 * eta));
}

Field Test

Devices: Huawei P30 and Ubudu Beacon.

I use the app to read the RSSI value at the reference distance 1m.
In the first round I setup it outside at a grass field without surrounding building, walls etc.
The average RSSI value is about -83dBm with values ranging from -104 to -77dBm.
The second round in an office like environment, a room of about 3×3 metres. Now we have an average value of -51dBm with values ranging from -79 to -35dBm. In a second room I get -88dBm, -83dBm

RSSI Values at 1 meter distance

Now going back to our formular we calculate the distance with reference 1m RSSI value of 75dBm (best guess) and an eta of 2 (found this value when researching). Now setup again a 1m distance situation and check the caculated distance.

Calculated distance at 1 meter distance

This run with 2,1m average value differs 100% to the real 1 meter distance, the values having outliers up to 30m without touching the device or moving anything. If we need to rely on these values we need to capture at least 100 signals and average them to get anywhere near the real distance. I doubt changing eta and the reference RSSI will help as the RSSI value comes with these extreme outliers.

A few more random tests a different distances I come to the conclusion (with this specific test setup), the RSSI wont help us to measure the distance between two mobile phones, aka 2 persons properly. At most we can anticipate with an array of measured values and the the average if the device is less than 5m away, aka falls into a potential transmission candidate group.

Test Setup at 50cm resulting in 18cm average distance.

Header Image by Juanma_Martin from Pixabay

Daily Tech Observations 6

Google Community Mobility Reports

The latest report was released on April 16th. On top of the individual PDF files for each country you also can download a CSV file with all the data. With the CSV file at hand it is easier to compare countries or regions against each other and detect when lockdown came in place etc. Time to spin up your favourite visualization tool or for some hands-on Pandas-Bokeh action.

Tracing Apps

Despite announcing the release of such an app after Easter, there is nothing released yet. It is a challenge to release such an app, once pushed out to public you cant reverse or make significant changes to the key exchange algorithm etc. The rotating key mechanism need to be waterproof to avoid any tracking or identifying of persons just by looking at the local data storage and ‘wardriving’. Personally I believe no one want to do another quick shot like the ‘Datenspende-App’ (see next topic) and stay compliant with the below requirements. I highly recommend to read the read the contact-tracing-apps requirements by..

At all cost privacy has to be protected and we do not want any contact tracing in any non-health related crisis situations, eg. to be used to trace contacts in recent Hong-Kong events or during the Arab Spring in 2010.

I am very curious if and how they will release the source code for such an app.

Datenspende App

The RKI released the Datenspende app using anonymously health data from smart watches etc. (see previous post). Unfortunately they triggered a partially controversial discussion in media due to the fact that the usage of the data was not stated clearly enough, the app is implemented as closed-source by an external company and a few other problems like the lack of support of many health trackers. This resulted in quite a number of 1* ratings (refer to AppBrain). Though I absolutely believe in their good intentions and the good use of the data, RKI just had a bad start with this.

AppBrain Statistics

Google cooperating with Apple

Certainly makes most sense to have the same API features on OS level, though I am not sure how to publish this. Through an OS Update ? Here we would rely on the mobile phone manufacturers, quite a large number of phones have fallen out of the support cycles. Have a look at the specifications at the Apple website.

DIY Project: Create a Tracking and Tracing App Part 2

The tracing of contacts through mobile apps became the Number One hot topic in the last few days, governements and institutes of the EU countries are still working on technical solutions to trace transmissions of SARS-CoV-2 (though a bit late for the first wave that has hit most countries worldwide). At the same time there is an intense debate about these apps in terms of data usage, privacy, etc. The apps wont stop the spread or protect the person using the app but they should help to keep the situation under control in the times to come, maybe as a permanent tool to stay for a long period. Even more important not to build a tracking tool following examples of more authoritian states, but to have a solution that protect privacy.

In this blog series, looking at the technical aspects, we still touch both tracing and tracking for the matter of the discussion. In the last post we only touched the Bluetooth basics, now get into discovering nearby devices.

Android to discover Bluetooth devices

About device discovery

  • Discovery of Bluetooth devices is the step before pairing and coummunicating with another device. We can scan for nearby devices without the other devices (its owner) noticing it.
  • But for classic Bluetooth, the device need to be set to discoverable by its user, usually only for a limited period. It is consuming additional energy and would drain the battery faster if left on permanently (putting aside security concerns, see references).
  • BLE works like a beacon permanently being discoverable, certain location type application work like this, eg. to help navigate in buildings equipped with beacons.
  • The 3 key device attributes when discovering devices:
    Name: Not unique, just a label, can be set/changed by the user.
    MAC: The unique identifier (see previous post)
    Signal strength in dBm (more about this later)

Discover classic Bluetooth devices

We need to register a broadcast receiver and listen to the intents for discovery start and end. The discovery need to be triggered, it will run for about 12 seconds.

Register BC Receiver

private void initBCReceiver(){
	final BroadcastReceiver mReceiver = new BroadcastReceiver()
	{
		@Override
		public void onReceive(Context context, Intent intent){
			String action = intent.getAction();
			if (BluetoothDevice.ACTION_FOUND.equals(action))
			{
				BluetoothDevice device = intent.getParcelableExtra(BluetoothDevice.EXTRA_DEVICE);
				int rssi = intent.getShortExtra(BluetoothDevice.EXTRA_RSSI,Short.MIN_VALUE); // dBm
				System.out.println("Found: " + device.getName() + "," + device.getAddress() + "," +  rssi);
			} else if (BluetoothAdapter.ACTION_DISCOVERY_STARTED.equals(action)){
				System.out.println("ACTION_DISCOVERY_STARTED");
			} else if (BluetoothAdapter.ACTION_DISCOVERY_FINISHED.equals(action)){
				System.out.println("ACTION_DISCOVERY_FINISHED");
			}
		}
	};

	IntentFilter filter = new IntentFilter();
	filter.addAction(BluetoothDevice.ACTION_FOUND);
	filter.addAction(BluetoothDevice.ACTION_PAIRING_REQUEST);
	filter.addAction(BluetoothAdapter.ACTION_DISCOVERY_STARTED);
	filter.addAction(BluetoothAdapter.ACTION_DISCOVERY_FINISHED);

	registerReceiver(mReceiver, filter);
}

Now trigger the discovery

bAdapter.startDiscovery();
Discover Classic BT devices

Discover BLE devices

The BLe devices (beacons) constantly send their signal, we can pick it up in an async thread. The Android BT library supports this with less than 15 lines of code to capture the devices. Implement the callback and start/stop the scanning.

private ScanCallback leScanCallback = new ScanCallback() {
	@Override
	public void onScanResult(int callbackType, ScanResult result) {
		System.out.println(result.getDevice().getAddress() + "-" + result.getDevice().getName() + " rssi: " + result.getRssi() + "\n");
	}
};

public void startScanning(View view) {
	System.out.println("start scanning");
	AsyncTask.execute(new Runnable() {
		@Override
		public void run() {
			btScanner.startScan(leScanCallback);
		}
	});
}

public void stopScanning(View view) {
	System.out.println("stopping scanning");
	AsyncTask.execute(new Runnable() {
		@Override
		public void run() {
			btScanner.stopScan(leScanCallback);
		}
	});
}
Discover BLE devices

Interesting observations:
– The MS Designer Mouse is operating in both classic and BLE mode.
– The signal strength of devices can change without being physically being moved.

Conclusion

  • The Bluetooth classic mode is not feasible for the tracing requirement. It would drain batteries quickly and we cant disnguish between phones and other devices using solely the MAC (though we could identify manufacturers).
  • We need to consider the BLE peripheral model for our tracing app. Remember, we need to capture the unique key from another nearby user of the app, we cant achieve this without basic 2 way communication between the two apps.

Fun Facts

Stay safe and tuned..

References

Image by Free-Photos from Pixabay.

Daily Tech Observations 4

COVID-19 Apps

In the German Google Playstore we find one new app, the Corona-Datenspende. Released by the Robert-Koch-Institute the app uses data from smartwatches and fiteness tracker devices. It claims to be 100% anonymous, voluntary and compliant with GDPR regulations. According to their website 50.000 users already downloaded the app that correlate a potential infection with certain activity, heartrate and other values received from these devices. They still struggle with the support of the wide range of devices in the market but plan to support more manufacturers and devices asap. A good approach, we should use any opportunity to fight the spread.

COVID-19 Apps in Singapore

While we have to comply with GDPR in the EU and have to count on the participation and voluntary contribution of its citizen to use the app, Singapore released an app, Homer, that infected patients have to use when ordered to home-quarantine. You have to virtually report your home presence every few hours to the authorities. A strict move, but 100% in line with the local legislation in a highly populated country where the spread must stay under control. The third app, SwiftMed, is a contact tracing app for frontline officers.

#WirVsVirus Hackathon Results

I highlighted the hackathon organized by the government in one of my previous posts. You can see short pitches for each idea that made it to the finals in this YouTube playlist plus the other apps that didnt make into the finals (all in German language, use english subtitles if you need to). Good for some inspiration, it shows what different kind of ideas people can come up with in short time.

Other useful links

The website Visualcapitalist list a number of interesting visualizations around the COVID-19 topic. Highly recommended.

Most of the infection spread and distribution data is available at a couple of websites:

Stay safe and tuned..

DIY Project: Create a Tracking App Part 1

The discussion about mobile phone location tracking of people and tracing back to potential transmissions is one of the hot topics at moment. In Germany we could expect an app officially being launched towards end of April. I attempt to go through the technical considerations by myself. A hands-on coding excursion with Android to use Bluetooth to scan nearby devices and exchange data with them.

The most basic requirements for a tracking app to be successful:

  • A person need to posses and carry a switched-on mobile (smart) phone.
  • The phone must have GPS and Bluetooth feature and both being enabled.
  • The location need to be recorded as fine-grain as possible. Use of GPS is mandatory, the celldata is way too coarse (see previous post). Though we might consider to skip location completely and rely on the paring of fingerprints solely, depending on the approach.
  • Approach 1: We record the location and time of a device (aka person) and transmit the data to a server immediately and try to match data with other devices on the server. Hard to implement in a GDPR compliant way and users most likely wont buy in.
  • Approach 2: We record the location and time on the device and any digital fingerprint of devices nearby. This anonymous pairings we transmit to the server. Once one device is flagged as infected, the server can flag any other device “paired” previously and push (or pull) a notification to the impacted devices. This way most data remains on the device. A more GDPR compliant way of solving this. Some details need to be worked out though in regards of matching and informing the respective user.
  • Approah 3: Even better if we could rely solely on the fingerprint of nearby devices and the timestamp.
  • The more user we have in the system, the bigger the impact and the chance to trace and inform and potentially stop spreading further.
  • We must have a mean to report an infection and inform affected other users (and still stay within the boundaries of GDPR).

Before walking into the Bluetooth space, some facts:

  • The not-for-profit organisation Bluetooth Special Interest Group (SIG) is responsible for thedevelopment of Bluetooth standards since 1998. (Wikipedia)
  • There is a regular update to the Bluetooth standard, by January this year SIG released version 5.2. It takes time for the hardware manufacturers to adopt the newer standards.
  • We need to distinguish between Bluetooth Classic and Bluetooth Low Energy (BLE). BLE was introduced with version 4 and supported by Android 4.3.
  • Bluetooth Classic is designed for continous short distance two-way data transfer at a speed of up to 5 Mbps (2.1 Mbps with Bluetooth 4). BLE was made to work with other devices at a lower speed and greater distance.
  • Android 8.0 onwards support Bluetooth 5 which is a significant milestone for Bluetooth technology in terms of range, speed and power consumption.
  • It is not possible to programmatically check the supported Bluetooth version in Android, though you can check if BLE is available on the phone.
  • The MAC address of the Bluetooth adapter is fixed and can’t be changed (except for rooted phones). This way it becomes the digital fingerprint.

Are we running out of MAC addresses ?

MAC addresses (used by ethernet, wifi and bluetooth adapters), as per IEEE 802 definition, have 48 bits (6×8 bytes).
Sample AC:07:5F:F8:2F:44
This would result in some 281 trillion (2^48) possible combinations, but the first 3 bytes are reserved to identify the hardware manufacturer. For above sample AC:07:5F it is Huawei. The remaining 3 bytes are used as unique identifier, resulting in only 16 million (2^24) unique devices. Quite likely this number would be used up more or less quickly by a big manufacturer. In reality we also could have 16 million unique manufacturer ID’s, Huawei owns about 600 of these, giving a total of currently 10 billion devices. We need to consider this numbers when we talk about unique fingerprints (MAC), though it is unlikely at a country level to have duplicates. In Germany we have ~83 million citizens and about 142 million mobile phones from different manufacturers, small chance that two persons (actually using the tracking app) will have the same MAC address.
You can check/download the identifiers here.

Lets get started with some coding..

Basic: Android to list paired devices

Before we jump into the more complex discovering, pairing and communication between devices (using threads,) we start with the basics. Lets enumerate the paired devices.

Required Permission

At minimum access to coarse location (since Android 6) is needed since Bluetooth can be used to derive the users location. I skip the code to request the permission, only location access being a critical permission. (complete code will be pusblished at the end).

<uses-permission android:name="android.permission.BLUETOOTH"/>
<uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />

Check and Activate Bluetooth Adapter

public class MainActivity extends AppCompatActivity {

    private static final String TAG = "bt.MainActivity";
    private BluetoothAdapter bAdapter = BluetoothAdapter.getDefaultAdapter();

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        checkAndRequestPermissions();

        if(bAdapter==null){
            Log.i(TAG,"Bluetooth not supported.");
        } else {
            Log.i(TAG,"Bluetooth supported.");
			
	        if(bAdapter.isEnabled()){
				Log.i(TAG,"Bluetooth enabled.");
				if (!getPackageManager().hasSystemFeature(PackageManager.FEATURE_BLUETOOTH_LE))
					Log.i(TAG, "BLE not supported.");
				else
					Log.i(TAG, "BLE supported.");
			} else {
				Log.i(TAG,"Bluetooth not enabled.");
				startActivityForResult(new Intent(BluetoothAdapter.ACTION_REQUEST_ENABLE),1);
			}
        }
    }
..

List existing pairings

Quite simple to iterate through the existing pairings and list their name and MAC Address

private void showPairedDevices(){
	Set<BluetoothDevice> pairedDevices = bAdapter.getBondedDevices();
	if (pairedDevices.size() > 0) {
		for (BluetoothDevice device : pairedDevices) {
			String deviceName = device.getName();
			String deviceMAC = device.getAddress();
			Log.i(TAG,"Device: " + deviceName + "," + deviceMAC);
		}
	}
}
I/bt.MainActivity: Device: HUAWEI P20,AC:07:5F:XX:XX:XX
I/bt.MainActivity: Device: moto x4,0C:CB:85:XX:XX:XX

In the next post we will discover nearby Bluetooth devices and setting up a communication channel between two devices.

Stay tuned for more tracking..

References

Image by Brian Merrill from Pixabay

Daily Tech Observations

As the pandemic crisis continues, more discussion, data exchange and research is happening and progressing in the digital space. I wont mention the massive increase of security threads here (reference info at Trendmicro), but rather look at the non-malicious activities.

PEPP-PT

The PEPP-PT (Pan-European Privacy-Preserving Proximity Tracing) project around a number of prominent research institutes across Europe is working on a proximity-based solution utilising BLE technology embedded in mobile phones. It will be in line with GDPR regulations and to be used on a voluntary base. It is supposed to track and report your whereabouts adn nearby other app users to a server anonymously only, and inform you when you have been close to an infected person, all that without using personal information, which is the key concern of many parties. A key element for the success of such a solution is the penetration factor. It need to build up a database with a significant number of users and traces. Instead of releasing yet another app, they try to piggyback into existing apps, such as NINA (an app to publish and warn about local dangerous incidents in Germany). It has not been published yet, I assume the technical field test was successful is reported, still they have to sort out the communication channels in the case of an infected user.

COVID-19 Apps

There are no new apps in the Google Playstore since my last post, though I have to correct the app I mentioned previously, TraceTogether, only appears for Singapore based accounts. In the German Playstore we see two apps, the app “COVID-19” transmits the status of a COVID test to the respective user, only reducing the need to physically visit a place to retrieve the results. The other app, Coronika, tries to assist individuals to trace their locations and contacts.

Google to hand over anonymous location data

Google and the other big players are in active talks in various countries with the respective authorities about releasing data, either aggregated or anonymous or both. Depends very much on the local regulations. In the context of stopping the pandemy this would provide valuable insights. Aggregated data can help to identify streams of persons or hotspots of too many people in the same area or similar. If anonymization alone is good enough to protect personal data, I would question, the trace that everyone leaves with an Android phone (location services enabled) would easily allow to identify an individual or a small group, you just look at regularly visited places to identify someone’s home or office etc.

You know you can not only see your traces in Google Maps but also export the data (as well delete it permanently if you want) with the Take-Out feature?

Your Timeline – Google Maps
Take Out – Personal Google Maps Data

You are looking for some well formatted data to play with ? Download your own location data and have some hands-on datascience exercise. Easy to request and download, all nicely packaged in self-explaining JSON formatted monthly files.

Stay tuned and safe !