
How I helped fix Canada's Covid Alert app - todsacerdoti
https://seancoates.com/blogs/how-i-helped-fix-canadas-covid-alert-app
======
burke
> I'll be honest: I barely knew anything about the CDS and I expected some
> runaround from a government agency like this, and I was pleasantly surprised

I'm one of the team that did the initial implementation of the server and iOS
app before handing it off to the CDS for the latter part of implementation,
and I've been really, really impressed with the CDS. They're a great model for
what tech in government should look like.

~~~
ghostpepper
I had no idea there was a Canadian Digital Service - I'm glad to hear that it
not only exists but that it's a relatively efficient government organization.

On a somewhat-related note: you wouldn't happen to be / know who is
responsible for the BC CDC Covid results service, would you?

I was disappointed to see this page, which asks for personal information
including your PHN, served over HTTP.

Not only that but there is actually a disclaimer saying it's fine to ignore
the big red padlock because the iframe uses HTTPS (which is also technically
not true as far as I can tell - the iframe _redirects_ to HTTPS though).

~~~
danudey
> I had no idea there was a Canadian Digital Service - I'm glad to hear that
> it not only exists but that it's a relatively efficient government
> organization.

Canada is kind of... weird, in this regard. I knew about the CDS, and was on
their mailing list (they talk about pretty neat stuff and it sounds like a
neat place to work), so this didn't surprise me, but...

So a while ago, we (the company I worked for at the time) had some servers
hosted at a hosting company based here in Vancouver, though the servers were
in Seattle.

Well, we got an e-mail from our host, forwarding some automated e-mails that
_they_ had received from the Canadian government (possibly the CDS, but I
don't think so) notifying us that we had open memcached ports (11211) on some
of our servers.

I went and checked the configuration, and sure enough we'd had a configuration
error, where memcached would only accept one IP address to bind to, but our
script had provided two (because the servers had an internal and external),
creating an invalid config which was never deployed, so memcached was just
listening on [::]:11211, and since it wasn't supposed to be open we didn't
have any ACLs on the access routers. We fixed the configuration issue and
switched to a default-deny policy and all was fixed, but it was surreal that
an e-mail from the government was what tipped us off.

~~~
bonestamp2
That's funny, and it reminds me of something we discovered too.

We use bugsnag on many of our client web apps to catch javascript runtime
errors and with one of our apps we frequently come across problems that
reference javascript functions and variables that aren't ours.

Sometimes it turns out to be a benign plugin, but in many of these cases it is
a known virus or dangerous browser plugin that is trying to log keystrokes,
mine crypto, extract banking info, etc.

We have gotten to the point where we can often tell them which virus they
have, how we know, and include removal instructions. Our app is very expensive
so most customers are people who need our tools and use the app everyday,
which means we can often tell them when they got the virus too. It's way out
of scope for our role in their life, so it's a little bizarre for everyone
involved, but the customers seem to appreciate it at least.

------
yoru-sulfur
I used to work at CDS a couple of years back, and worked with both Tim and John
(the people who responded to the GitHub issue).

I'm glad to hear that his interactions with them were relatively without
friction. A big part of what they're trying to do is lead by example for how
modern software development can take place somewhere like the government
(Taking a lot of cues from GDS and 18F).

------
rubatuga
As a Canadian, many thanks to OP for removing unnecessary requests to Google!

~~~
jszymborski
Came here to similarly give thanks to this outstanding Canadian citizen.

~~~
scoates
🇨🇦

~~~
fouc
Interesting, flags get past the emoji filter on HN?

~~~
CraftThatBlock
Flags are character codes in Unicode (matching the ISO country code), so
this "emoji" is "CA".

------
shaggyfrog
I’m glad that the Canada COVID-19 contact tracing app is open source and
available on GitHub, and I’m glad people can push fixes to it, but this kind
of bug exists because it’s using React Native unnecessarily, and dragging in a
zillion dependencies.

I don’t see why both the iOS and the Android versions can’t be fully native,
besides a desire to have a single codebase. The apps aren’t doing anything
fancy, UI-wise. They are basically just integrating with the native contact
tracing system framework on each platform.

Dragging in React Native and its giant web of dependencies makes the codebase
harder to audit and manage from a security perspective. It’s also a product of
Facebook, which is greatly concerning from a privacy point of view.

I still have this app installed on my iPhone and I keep it up to date, but I
really wish it was built differently.

~~~
mikewhy
> but this kind of bug exists because it’s using React Native

Considering how this issue was from a package that isn't included with React
Native, this seems like a bit of a stretch.

~~~
kennywinker
The native way of doing this on iOS would be `SCNetworkReachability`, which is
part of the built-in SystemConfiguration framework. That call requires the
endpoint to check as an input, thus prompting the developer to think about
whether they are contacting an unnecessary third party.

So while this isn't really the specific fault of react native, it does seem to
me to be the fault of a non-native framework that encourages developers to use
higher level abstractions rather than system frameworks.

~~~
mikewhy
The library in question did use that function, but without something set up at
the endpoint, it's not very useful:

> A remote host is considered reachable when a data packet, sent by an
> application into the network stack, can leave the local device. Reachability
> does not guarantee that the data packet will actually be received by the
> host.

[https://developer.apple.com/documentation/systemconfiguratio...](https://developer.apple.com/documentation/systemconfiguration/scnetworkreachability-g7d)

More details in this issue: [https://github.com/react-native-community/react-native-netinfo/issues/307](https://github.com/react-native-community/react-native-netinfo/issues/307)
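The native check kennywinker and mikewhy are discussing, as an added example (not code from the app or from react-native-netinfo): it asks `SCNetworkReachability` about a first-party host, and then, because reachability only means a packet can leave the device, confirms connectivity with a real request to that same host. The host name and URL are placeholders, not the app's real endpoint.

```swift
import Foundation
import SystemConfiguration

// Placeholder first-party host; the real app's endpoint is not assumed here.
let firstPartyHost = "api.example.invalid"
let firstPartyURL = URL(string: "https://api.example.invalid/health")!

/// Returns the reachability flags for a host, or nil if SystemConfiguration
/// could not build a reachability reference. The host is an explicit input,
/// so there is no hidden default pointing at a third party.
func reachabilityFlags(for host: String) -> SCNetworkReachabilityFlags? {
    guard let ref = SCNetworkReachabilityCreateWithName(nil, host) else {
        return nil
    }
    var flags = SCNetworkReachabilityFlags()
    guard SCNetworkReachabilityGetFlags(ref, &flags) else { return nil }
    return flags
}

/// True only when a packet can leave the device without a connection having
/// to be set up first. Per Apple's docs, this says nothing about whether the
/// host actually answers (captive portals are the classic false positive).
func looksReachable(_ flags: SCNetworkReachabilityFlags) -> Bool {
    return flags.contains(.reachable) && !flags.contains(.connectionRequired)
}

/// The real connectivity test: a HEAD request to our own endpoint.
/// A captive portal typically answers with a redirect or an error here.
func confirmConnectivity(to url: URL, completion: @escaping (Bool) -> Void) {
    var request = URLRequest(url: url)
    request.httpMethod = "HEAD"
    request.timeoutInterval = 5
    URLSession.shared.dataTask(with: request) { _, response, error in
        let status = (response as? HTTPURLResponse)?.statusCode ?? 0
        completion(error == nil && (200..<300).contains(status))
    }.resume()
}

// Usage: only bother with the network request when the cheap local check
// passes; either way, nothing is sent anywhere but the first-party host.
if let flags = reachabilityFlags(for: firstPartyHost), looksReachable(flags) {
    confirmConnectivity(to: firstPartyURL) { online in
        print(online ? "online" : "reachable but not connected")
    }
} else {
    print("offline")
}
```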

------
ramshorns
It'd be nice to see COVID Alert in F-Droid, or somewhere else that doesn't
require nonfree dependencies.

~~~
jeffrallen
If the app is not signed and distributed by Google or Apple, it cannot use the
Google/Apple Exposure Notification protocol.

------
sgarrity
Nice fix and nice write-up of the fix. A Canadian hero.

------
canada_dry
+1 @scoates.

Next up, can you please help fix the broken "Alert Ready" Emergency Alert
System!!

------
alexashka
In short, it used to ping a Google URL to decide if the internet is working,
and now it pings a different URL?

This is cute, given that Apple "may collect a variety of information,
including your name, mailing address, phone number, email address, contact
preferences, device identifiers, IP address, location information, credit card
information" [0] any time you "download a software update" or "connect to our
services".

Where is my fix to opt out of this garbage? When they say "connect to our
services", do they mean automatic checks for os updates that all their
products do without an option to opt out?

This concern over privacy on the level of individuals 'fixing' things is utter
lunacy. You've fixed one of a thousand cuts your privacy is killed with,
congratulations :)

[0] [https://www.apple.com/legal/privacy/en-ww/](https://www.apple.com/legal/privacy/en-ww/)

------
kozmonaut
OP is a fine man, thanks for your duty to making this app better

------
thefounder
Nice to see it uses Go on the back-end

~~~
AS37
How can you tell?

~~~
scoates
The PR I submitted to the backend (that was not needed after a bit of
discussion) was Go.

[https://github.com/cds-snc/covid-alert-server/pull/241](https://github.com/cds-snc/covid-alert-server/pull/241)

(I don't know Go (-: )

------
kozmonaut
OP is a fine man, thanks for doing your duty to Canada!

------
ourcat
Re: the 'disturbing' Google chatter/endpoint, a 204 HTTP status response is
also the expected code for a pre-flight OPTIONS request to support CORS.

~~~
scoates
The disturbing part is the domain name not the status code.

~~~
ourcat
Naturally. I'm just saying that I would have thought it had something to do
with that first, before the captive portal clue.

I assume React Native doesn't require CORS, like the web version does?

