Wednesday, May 12, 2021

How Open Source Code allowed finding a security flaw in Germany’s Corona Warn App

Like in many other countries, one of the responses in Germany to the Covid-19 pandemic was to introduce a contact tracing app. Users can install the Corona Warn App on their phone and it tracks anonymized IDs of other app users detected via Bluetooth. If they are later tested positive for an infection with the SARS-COV2 virus other users that have been in close contact with them will get an alert.

The introduction of the app led to a discussion over the best privacy friendly model to implement such an app, and in the end Germany has decided to implement a decentralized model that is using a technology provided by Google and Apple in their mobile operating systems. A crucial aspect of the development was that the code of the app, developed by the German companies SAP and Telekom, was made publicly available.

The app is what is usually called Open Source or Free Software: Everyone can take the code, analyze it and even use or change the app’s code for other software projects.

The company Github, a subsidiary of Microsoft, is running the largest online platform to manage software source code. Most Open Source software developed today – and also some software that is not open – is using Github, and the German Corona Warn App is no exception.

Github recently announced that they  found a severe security flaw in the server code of the Corona Warn App. This is the code running on Internet servers that manage the data exchanged by the app, so there was no direct risk to users of the app. But nevertheless it was a severe flaw. It was a remote code execution vulnerability, which is one of the most severe types of security flaws. An attacker knowing about this flaw would have been able to run his own malicious code on these servers.

Github found this problem because it develops tools to automatically check software for security flaws. They recently implemented a new check for a common, problematic pattern in the Java programming language that can lead to security issues.

While developing a new check for this type of security flaw they used openly available code on their own platform to test the new security check. And while doing that found the flaw in the Corona Warn App’s server code. The fact that the code was open made it easy for an external entity – in this case Github – to find a dangerous security flaw. Github, of course, didn’t do anything malicious with the knowledge of that flaw. They reported it to the developers of the Corona app and it was fixed quickly.

Allowing others to more easily find security flaws is not the only advantage that making the code of the Corona app open has enabled. Some people want to avoid running phones largely controlled by corporations like Google and Apple and use alternative versions of the Android operating system. While Android is developed by Google, it is itself an Open Source software product. However what is installed usually on Android phones is a mix of open and closed parts of the Google Android ecosystem.

The developers of the official Corona app showed little interest to support these alternative Android versions without Google’s closed system, which contained the part responsible for the contract tracing. However some enthusiasts redeveloped these parts and thus allowed implementing a version of the Corona app that can be installed on such alternative Android versions. This alternative version of the Corona Warn App also runs on some phones from the Chinese vendor Huawei that do not come with the Google Play Store installed.

That applications developed by government institutions are provided with open code is still uncommon these days. But some think this should be the norm rather than the exception. A campaign led by the Free Software Foundation Europe with the claim “Public Money – Public Code” calls for a change here. They are demanding that software developed by tax payer money should always be free, the code should be public and usable by anyone for any purpose. With the Corona Warn App it seems they can point to a successful example.

Related Articles

Latest Articles