
Source code of Germany’s official covid-19 contact tracing app - JesseMReeves
https://github.com/corona-warn-app
======
bibinou
previously:
[https://news.ycombinator.com/item?id=23401582](https://news.ycombinator.com/item?id=23401582)

------
bjarneh
I have to say the main reason I did not install my country's (Norway) corona-
tracing-app is that they said it could not be made safe if the source code was
public. Nice to see other countries do the right thing.

~~~
rozab
Does your government have much of an open source culture? I think these
arguments were already had (and won) in the UK, for instance.

[https://github.com/alphagov](https://github.com/alphagov)
[https://github.com/hmrc](https://github.com/hmrc)
[https://github.com/UKHomeOffice](https://github.com/UKHomeOffice)

~~~
gspr
> Does your government have much of an open source culture?

I'd say no, but it's a bit surprising, because it does have a pretty decent
open _data_ culture. The weather [1] and mapping [2] data services are world-
class, for example.

[1] [https://hjelp.yr.no/hc/en-us/articles/360009342833-XML-weather-forecasts](https://hjelp.yr.no/hc/en-us/articles/360009342833-XML-weather-forecasts)

[2] [https://kartverket.no/en/data/Open-and-Free-geospatial-data-from-Norway/](https://kartverket.no/en/data/Open-and-Free-geospatial-data-from-Norway/)

~~~
birktj
Even though it is getting better, I would argue Norway still has a pretty bad
open data culture. As far as I know Kartverket has only released the N50 with
the more detailed N5 data still not being available to the public. The biggest
pain point for me is the fact that marine depth data of a certain resolution
is classified information [1] and they still won't release nautical maps for
free.

I am hoping the open trend will continue because the Norwegian government sits
on some really high quality data that could see a lot of interesting uses.

[1] [https://www.kartverket.no/en/data/bathymetric-data-and-DTM-of-the-Seabed/](https://www.kartverket.no/en/data/bathymetric-data-and-DTM-of-the-Seabed/)

------
Kovah
It is still unbelievable that the German government paid 20 Million Euro for
these apps. Hopefully the request for details about the contracts[1] will be
answered by the corresponding gov agency.

[1]: [https://fragdenstaat.de/anfrage/kostenaufstellung-der-corona-tracing-app/](https://fragdenstaat.de/anfrage/kostenaufstellung-der-corona-tracing-app/)

~~~
gspr
What I find far more unbelievable is that countries – at least European
countries that through the EU have a common legal framework – did not get
together and share the bill for the development of a common open source app.
Perhaps each country would have to do some minor local customization, but
surely the vast majority of the code could be shared?

I frequently find myself pondering this whenever my government announces yet
another contract for (the admittedly decent) IT services for interacting with
state entities.

~~~
Someone
The money isn’t spent on the app; it’s spent on the backend, and there,
scaling efficiency gains are limited because of diversity in computer systems.

Also, the app would have to be translated in many more languages. If you don’t
want that to increase time to market, it will cost a lot of money.

~~~
funcDropShadow
But in my understanding the backend of the German app is generic, since it
only receives random IDs from the mobile apps and assembles a list of them to
download again.

------
sudeepj
How does one know whether the app in playstore is compiled from this very repo
+ specific commit and not some other fork of it?

Edit: This is not questioning this particular app. A lot of governments are
making their tracing apps open source [1]. Making it open source is supposed
to increase trust, hence the question.

[1] India app: [https://github.com/nic-delhi/AarogyaSetu_Android](https://github.com/nic-delhi/AarogyaSetu_Android)

~~~
johannes1234321
For one: because this would be extra work within a short time frame. The
source shows no extension points. Outside small tech circles nobody would have
said anything if it were closed; if they had bad intentions they could have
made it closed.

For second: we can easily see that the app doesn't use GPS or similar, which
is a nice indication.

For third: Germans overall trust their government to not lie as much as other
governments.

For fourth: Researchers will reverse the app.

The only way this thing can work is, if the population trusts it, installs it
and keeps their phone on. If the population doesn't trust it, it's doomed.
It's in the self-interest of the project to be trustworthy and transparent.

If you understand German you might enjoy this podcast with two of the
developers: [https://ukw.fm/ukw030-die-corona-warn-app/](https://ukw.fm/ukw030-die-corona-warn-app/)

~~~
the_gipsy
This is not answering the question beyond "it would require some effort to do
so". It is not unusual to have a different binary published than what's in a
public repo.

The following points you go on about are mostly irrelevant.

~~~
johannes1234321
Well, then don't use the app from the app store and compile it yourself ...

~~~
chopin
Does that work, though? Afaik the app needs Google's or Apple's blessing to
use the API.

~~~
johannes1234321
No idea, but as those are closed source one can have the same doubts, so you
need an OpenSource alternative to the API, which is in the works in order to
be used in that app: [https://github.com/theScrabi/CoraLibre-android-sdk/](https://github.com/theScrabi/CoraLibre-android-sdk/) and
[https://github.com/corona-warn-app/cwa-app-android/issues/75](https://github.com/corona-warn-app/cwa-app-android/issues/75)

That combined with an Android based on AOSP and trust issues should be reduced
(while the bad government can still track you using cell towers and for that
app one could still place Bluetooth beacons everywhere and the servers could
still store more information (while the only keys transmitted are those of
infected, which is quite little)) ... so yeah, pick your level of conspiracy

------
doener
Official site:
[https://www.coronawarn.app/en/](https://www.coronawarn.app/en/)

------
hathym
France also released the source code of its StopCovid19 app[1]

[1] [https://gitlab.inria.fr/stopcovid19](https://gitlab.inria.fr/stopcovid19)

------
xorfish
[https://github.com/DP-3T/documents](https://github.com/DP-3T/documents)

Here is the protocol it is based on.

------
Findus23
For reference, this is the source of the Austrian contact tracking app:
[https://github.com/austrianredcross/](https://github.com/austrianredcross/)

~~~
bonzini
And the Italian one: [https://github.com/immuni-app](https://github.com/immuni-app)

------
WhyNotHugo
I'm very happy to see so many countries moving in the right direction.

It's not every country, but we're slowly moving there. :)

------
HissingMachine
I'm a hopeless optimist and romantic when it comes to software, and I really
would have liked to see the covid app being done in some way that built
confidence and inspired hope and optimism. My vision was that it could have
been more like open source Eurovision where developers that participate had
the chance to introduce themselves to the public, and some of the development
and design could have been screen cast to us unfortunate souls trapped in our
homes for months for some entertainment value and inspiration for budding
developers. But eh, instead we get something good, something bad, but much of
the same old same old, and in the end, I'm staying as far as I can from these
apps as a result. Sad, there was a chance to do something amazing.

------
s9w
This was officially released just a few hours ago by the way:

[https://play.google.com/store/apps/details?id=de.rki.coronawarnapp](https://play.google.com/store/apps/details?id=de.rki.coronawarnapp)

------
mttjj
@dang, can we get a title update to include the apostrophe in "Germany's"?

Or just change the title to how it's documented on the site? "Corona-Warn-App:
The official COVID-19 exposure notification app for Germany"

------
zelphirkalt
Will this app work without permanent Internet connection? (Will it buffer its
data until one has working connection again and then upload data?)

~~~
dominik3
Yes, it does work without a permanent internet connection. The whole point of
this app is to be decentralized. No data is uploaded unless you share your
sent tokens if you are infected. This requires an approval from the health
departments to prevent abuse. The apps download the tokens of infected persons
and check if they had contact locally on the device.
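
The decentralized flow described in the comment above, as an added sketch that is not part of the original comment and not the Corona-Warn-App's code. The HMAC-based `rolling_id` derivation, the 144-interval day, the one-time approval codes and all class names are assumptions made for illustration; the real Exposure Notification derivation differs.

```python
import hashlib
import hmac
import secrets

INTERVALS_PER_DAY = 144  # 10-minute slots per day (assumption for this sketch)

def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Short-lived broadcast ID for one interval (simplified stand-in derivation)."""
    msg = b"demo-rolling-id" + interval.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]

class Server:
    """Holds only the keys of confirmed cases; it never receives a contact log."""

    def __init__(self, approved_codes):
        self._codes = set(approved_codes)  # one-time codes from the health department
        self.published = []

    def upload(self, code: str, daily_keys) -> bool:
        if code not in self._codes:
            return False  # no approval: nothing is published
        self._codes.discard(code)  # a code cannot be reused
        self.published.extend(daily_keys)
        return True

class Phone:
    def __init__(self):
        self.daily_keys = []  # own keys, stay on the device until the user shares them
        self.seen = set()  # IDs heard over Bluetooth, never leave the device

    def new_day(self) -> bytes:
        self.daily_keys.append(secrets.token_bytes(16))
        return self.daily_keys[-1]

    def check_exposure(self, published_keys) -> int:
        """Re-derive every ID from the downloaded keys and match against the local log."""
        return sum(rolling_id(k, i) in self.seen
                   for k in published_keys for i in range(INTERVALS_PER_DAY))

def demo():
    server = Server(approved_codes={"CONSTRUCTED-CODE-1"})  # constructed sample code
    alice, bob = Phone(), Phone()
    key = alice.new_day()
    for i in (30, 31, 32):  # Bob is near Alice for three intervals
        bob.seen.add(rolling_id(key, i))
    rejected = server.upload("not-approved", alice.daily_keys)
    accepted = server.upload("CONSTRUCTED-CODE-1", alice.daily_keys)
    return rejected, accepted, bob.check_exposure(server.published)
```

The server's state after `demo()` contains one 16-byte key and nothing about Bob; the match count exists only on Bob's device.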

------
rmoriz
While everyone is looking at the code or press releases, only very few seem to
research about how Bluetooth distance measurement works and if it's reliable
enough with thousands of different smartphones out there having different chips
and antenna characteristics.

The app may be great but the design simply seems not to work as expected.

------
tpetry
The more interesting part is that security audits for the frontend did find
multiple high risk security issues in the app, which have been fixed by the
developers.

But the organisation was not allowed to make a security audit of the backend.
I mean the most critical part security wise was not allowed to be verified.
This does not feel good.

------
sdiw
India also released source code of Aarogya Setu app

[https://github.com/nic-delhi/AarogyaSetu_Android](https://github.com/nic-delhi/AarogyaSetu_Android)

------
fock
Are the (known) Android Bluetooth RCEs fixed everywhere, where this runs?

~~~
Uhrheber
Of course not, why are you even asking?

------
vault
Do you know how many contact tracing apps I can install? Do they conflict with
each other? I'm thinking about travellers who often cross borders.

~~~
berdario
I installed 2 of the ones using the Exposure Notification API, just to check
what happens in this circumstance (the German app is implemented differently,
though) and Android allows access to it to only one app at a time. You can
choose/enable/disable manually which app you want to grant access to the API.

------
f1refly
Requires google play services to run with the developers not caring at all

~~~
mxscho
Technically, you are free to implement the Exposure Notification [1] API for
your own potentially open-source alternative of Google Play Services, right?
Or why would this currently not be possible?

[1]
[https://en.wikipedia.org/wiki/Exposure_Notification](https://en.wikipedia.org/wiki/Exposure_Notification)

~~~
johannes1234321
People are working on that: [https://github.com/corona-warn-app/cwa-app-android/issues/75](https://github.com/corona-warn-app/cwa-app-android/issues/75)

Edit: and also see [https://github.com/theScrabi/CoraLibre-android-sdk/](https://github.com/theScrabi/CoraLibre-android-sdk/)

------
buboard
Covid has been curtailed without the need for these apps (in all the places
that opened up). Why do people insist on pushing them to people? There is no
evidence they work, even with months of testing. No matter how anonymized
you try to make them, the authorities and evil state actors will find ways to
abuse the data -- it's like a law of nature now that all data will be abused.

E.g. in case of a bombing or riots, the police can arrest bystanders and use
phones to tell who was standing next to whom.

Pushing these for security theater has long term bad consequences. I was
hoping people would know that after the 1000th repetition but alas, people are
incorrigible

[https://www.nbcnews.com/tech/tech-news/coronavirus-contact-tracing-apps-were-tech-s-chance-step-they-n1230211](https://www.nbcnews.com/tech/tech-news/coronavirus-contact-tracing-apps-were-tech-s-chance-step-they-n1230211)

[https://www.wired.co.uk/article/contact-tracing-app-isle-of-wight-trial](https://www.wired.co.uk/article/contact-tracing-app-isle-of-wight-trial)

~~~
JoeSmithson
Covid has been curtailed mainly with extremely expensive lockdowns.

The purpose of the apps is to control the spread going forward, without
lockdown.

~~~
_-___________-_
> Covid has been curtailed mainly with extremely expensive lockdowns.

Citation needed. We don't know conclusively what curtailed it in places where
it has been curtailed, since there were many different control approaches
occurring at the same time.

There are also several countries where lockdown effectively ended weeks or
months ago, and spread is not occurring despite a lack of widespread use of
these apps, not to mention a variety of approaches to lockdown itself with no
obvious correlation between strictness of the approach and mortality/infection
stats.

