ramzor's Issues

Change android:requestLegacyExternalStorage="true" to false for enforced scoped storage usage

From AndroidManifest:

android:requestLegacyExternalStorage="true">

Change the setting to false, in order to use scoped storage, which limits the app's not-needed access to user data; the current setting is less secure!
Also the change below is needed (the addition of android:maxSdkVersion="28" to the WRITE_EXTERNAL_STORAGE permission):

<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
                 android:maxSdkVersion="28" />

see: https://developer.android.com/training/data-storage/shared/media#request-permissions

[UX] Please consider removing the intro animation

why should you consider it?

  1. it has a bad resolution and aspect ratio
  2. it's super long... ~10 / 15m seconds. I'm not sure whether you're using that time to load remote data, but this is not the way to go...
  3. 2001 is over.. let's keep it that way. we do not use "audio clips", "midi sounds" or "intro animations".

The app itself is gorgeous and well designed; it's a shame that such a horrendous animation is ruining its overall UI experience.

App: Allow verifying QR codes without entering location information

The official guides all say that the app can scan and verify vaccination QR codes.

However, I could not find this functionality anywhere. I assumed I need to sign up as a business first, but as mentioned in the reply, I had to choose my location.

The app should be less confusing in that regard.

Also, you'd probably want to change the wording of the post-scan screen to strongly require the user to verify the ID of the green pass holder, and warn that the green pass by itself is not enough.

APK availability outside playstore

It's possible to obtain the APK for the Ramzor app only from Google Play, which limits it to devices that have the Play Store app preinstalled. Some ROMs (for example: https://grapheneos.org/) & devices don't contain this app, and some users won't use alternatives like Aurora Store. Please add a direct download option for a universal APK (containing all supported architectures, arm/x86..), so users can install the app from an official place (to avoid using sites such as apkpure.com etc..).
See the related issue in the Hamagen app:
MohGovIL/hamagen-react-native#72
Hamagen added APK & IPA files for each release on GitHub in the assets for download:
https://github.com/MohGovIL/hamagen-react-native/releases

Publish test vectors for signature verification

There seem to be no published test vectors for the specification described in this repository.

This means community developers are limited in their ability to test their implementations against the spec, and must resort to testing on their own data, which includes PII. Such private data naturally cannot be published publicly, for example in the case of unit tests.

It would be greatly beneficial to publish at least some test vectors for the most common payload types that might be encountered in real-life scenarios.

Download Ramzor app images link to Hamagen app instead

Visiting:
https://corona.health.gov.il/en/ramzor-model#footer

At the bottom, near Download "Ramzor" App, there are 2 images for downloading the app from Google Play and the App Store, but clicking the images opens the download page for the Hamagen app instead.
Here is the related HTML code:

                    <div class="d-md-flex col-md-8 align-items-center">
                        <p class="app-text">Download &quot;Ramzor&quot; App</p>

                            <div class="d-inline-block app-image">
                                <a href="https://play.google.com/store/apps/details?id=com.hamagen" target="_blank" aria-label="Open in new window">
                                    <img src="/media/pemkaxwk/artboard-1-copy-2-3x.png?anchor=center&amp;mode=crop&amp;width=153&amp;height=46&amp;rnd=132482654581670000" alt="Download the HaMagen app from Google Play" class="img-fluid" />
                                </a>
                            </div>

                            <div class="d-inline-block app-image">
                                <a href="https://itunes.apple.com/us/app/id1503224314?ls=1&amp;mt=8" target="_blank" aria-label="Open in new window">
                                    <img src="/media/uhjkty0b/download-on-the-app-store-badge-us-uk-rgb-blk-092917-copy-2-3x.png?anchor=center&amp;mode=crop&amp;width=153&amp;height=46&amp;rnd=132482654487830000" alt="Download the HaMagen app from App Store" class="img-fluid" />
                                </a>
                            </div>

                    </div>

Disable obfuscation of binaries/app

  1. Disable AppDome obfuscation

The Android APK contains libloader.so files in the
./lib/arm64-v8a & ./lib/armeabi-v7a folders.

Running strings on the libloader.so file returns:

clang version 8.0.0 (tags/RELEASE_390/final) ([email protected]:appdome/obfuscating-compiler.git 7bea07162c30f6878668d473b5d5fd2bb18fc253)

Also running APKiD https://github.com/rednaga/APKiD on the APK file returns:

[+] APKiD 2.1.2 :: from RedNaga :: rednaga.io
[*] /input/com.moh.alert.ramzor.apk!classes.dex
 |-> anti_vm : Build.MANUFACTURER check, possible Build.SERIAL check
 |-> compiler : dexlib 2.x
 |-> protector : Appdome (dex)
[*] /input/com.moh.alert.ramzor.apk!classes2.dex
 |-> compiler : dexlib 2.x
[*] /input/com.moh.alert.ramzor.apk!lib/arm64-v8a/libloader.so
 |-> protector : Appdome
[*] /input/com.moh.alert.ramzor.apk!lib/armeabi-v7a/libloader.so
 |-> protector : Appdome

Thus Appdome is used to obfuscate ("protect") the app code, which makes it harder to understand what this file is doing.

  2. Disable ProGuard/R8 obfuscation

This can be done by setting minifyEnabled false in build.gradle (if Gradle is used to build the app),
or by adding -dontobfuscate to the proguard-rules.pro file. The obfuscation is what needs to be disabled; both shrinking & optimization can stay enabled. More info: https://developer.android.com/studio/build/shrink-code

Fix: avoid all obfuscation/minification of the app & publish the source code of the app as well! When the source code is published, enabling minification is OK as long as the build process is reproducible.

Explain android permissions & remove not needed permissions

From AndroidManifest:

<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
<uses-permission android:name="android.permission.WAKE_LOCK"/>
<uses-permission android:name="android.permission.CAMERA"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="com.moh.alert.ramzor.deveventspermission"/>

From GooglePlay:

This app has access to:
Location

    approximate location (network-based)
    precise location (GPS and network-based)

Phone

    read phone status and identity

Photos/Media/Files

    read the contents of your USB storage
    modify or delete the contents of your USB storage

Storage

    read the contents of your USB storage
    modify or delete the contents of your USB storage

Camera

    take pictures and videos

Device ID & call information

    read phone status and identity

Other

    view network connections
    full network access
    run at startup
    prevent device from sleeping

See for example the permission explanations of other apps:
https://support.signal.org/hc/en-us/articles/360007062172-Signal-Permissions#android_permissions
https://support.mozilla.org/en-US/kb/how-firefox-android-use-permissions-it-requests

Please explain all permissions used in the Android app, why they are needed & for what usage, and remove unused or unnecessary permissions.

You can read the related IsraelDefense article in Hebrew:
https://www.israeldefense.co.il/node/48468

Opinion | The "Ramzor" app requests permissions that are not proportionate to the nature of the application
One might think that the "Ramzor" app published by the Ministry of Health is a spyware app in government disguise.
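A manifest audit script, added here as an example and not part of the Ramzor project, covering both this issue and the scoped-storage issue above: it flags runtime permissions that have no written justification, WRITE_EXTERNAL_STORAGE without maxSdkVersion="28", and requestLegacyExternalStorage="true". The manifest fragment is constructed from the declarations quoted in the issues, and the justification table is hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime ("dangerous") permissions that Android prompts the user for.
RUNTIME_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
}

# Constructed manifest fragment reproducing the declarations quoted in the issues.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.moh.alert.ramzor">
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="com.moh.alert.ramzor.deveventspermission"/>
    <application android:requestLegacyExternalStorage="true"/>
</manifest>"""

# Hypothetical justification table: the reviewer fills in one reason per permission.
JUSTIFIED = {"android.permission.CAMERA": "scan vaccination QR codes"}

def audit_manifest(xml_text, justified):
    root = ET.fromstring(xml_text)
    findings = []  # (finding, permission) pairs a reviewer should question
    for perm in root.findall("uses-permission"):
        name = perm.get(ANDROID_NS + "name")
        if name is None:
            continue
        # Scoped storage: WRITE_EXTERNAL_STORAGE should be capped at API 28.
        if name == "android.permission.WRITE_EXTERNAL_STORAGE" and \
                perm.get(ANDROID_NS + "maxSdkVersion") != "28":
            findings.append(("missing-maxSdkVersion-28", name))
        if name in RUNTIME_PERMISSIONS and name not in justified:
            findings.append(("unjustified-runtime-permission", name))
        elif not name.startswith("android.permission."):
            findings.append(("custom-permission", name))  # check its protectionLevel
    app = root.find("application")
    if app is not None and app.get(ANDROID_NS + "requestLegacyExternalStorage") == "true":
        findings.append(("legacy-external-storage-enabled", "application"))
    return findings
```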

Publish the source code for Ramzor app

The source code for the Ramzor app on Android/iOS is not published/open source; please publish the code on GitHub, thus enabling developers and testers to look at the code and suggest improvements, find bugs, etc..
See the related issue in the Hamagen repo MohGovIL/hamagen-react-native#289,
which includes the source code for the Hamagen app; the repo includes 215 issues & 74 PRs.
I opened 77 issues (20 were closed) in the Hamagen repo, some of them security & privacy issues, and I would like to check the source code of the Ramzor app as well.

Why is insecure MD5 used for UVCI composition?

From UVCI Composition:

The unique string is calculated as an MD-5 hash function based on data fields from the MoH "COVID-19 Vaccination Record". The subject is organized into a single plaintext string as follows:
MD5=([PII Information][Valid until date])
UVCI = [01]/[IL]/MD5{[PII Information][Valid until date]}#[crc32]

The MD5 algorithm is old and insecure:
collisions:
https://github.com/corkami/collisions
and it is also vulnerable to length extension attacks.

Why is it used in this context, and not another hashing algorithm? What are the requirements for the hash used in this case, and why was MD5 chosen?
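As an added example (not code from this repository or the spec), the composition quoted above written out in Python, with a validator for the CRC32 trailer: the PII field layout, the lowercase-hex digest encoding and the input to the CRC are assumptions, and the keyed HMAC variant at the end is only an illustration of what a keyed alternative would look like, not something the spec defines.

```python
import binascii
import hashlib
import hmac
import re

# Constructed sample record; the issue does not give the real field layout of
# the "PII Information" block, so this layout is an assumption.
SAMPLE_PII = "123456789|DOE|JOHN|1970-01-01"
SAMPLE_VALID_UNTIL = "2021-12-31"
UVCI_RE = re.compile(r"^01/IL/([0-9a-f]{32})#([0-9a-f]{8})$")

def _with_crc(body):
    # Assumption: the trailing CRC32 is a checksum over the "01/IL/<hash>" prefix.
    return "%s#%08x" % (body, binascii.crc32(body.encode("utf-8")) & 0xFFFFFFFF)

def compose_uvci(pii, valid_until):
    """Build 01/IL/MD5{[PII][Valid until date]}#[crc32] as the spec text describes.
    Assumptions: plain string concatenation and a lowercase hex MD5 digest."""
    digest = hashlib.md5((pii + valid_until).encode("utf-8")).hexdigest()
    return _with_crc("01/IL/" + digest)

def verify_uvci(uvci):
    """Check the format and the CRC32 trailer and return the parsed parts.
    The CRC only catches transcription errors; it is not a signature, and an
    unkeyed MD5 gives no authenticity either: anyone who knows the PII and the
    date can recompute the identifier."""
    m = UVCI_RE.match(uvci)
    if not m:
        raise ValueError("malformed UVCI")
    digest, crc_hex = m.groups()
    if _with_crc("01/IL/" + digest) != uvci:
        raise ValueError("CRC32 mismatch")
    return {"version": "01", "country": "IL", "hash": digest, "crc32": crc_hex}

def is_valid_uvci(uvci):
    try:
        verify_uvci(uvci)
        return True
    except ValueError:
        return False

def compose_uvci_keyed(pii, valid_until, key):
    """Illustration only, not part of the spec: HMAC-SHA256 under an issuer key,
    truncated to 128 bits so it fits the same 32-hex-character slot."""
    tag = hmac.new(key, (pii + valid_until).encode("utf-8"), hashlib.sha256).hexdigest()
    return _with_crc("01/IL/" + tag[:32])
```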

Promote custom ROMs usage to support older android devices

See related issue at Hamagen repo:
MohGovIL/hamagen-react-native#281

This app currently requires Android >= 7, see:
#13

People with devices that run older versions of android won't be able to use it, but many devices can upgrade the OS using Custom ROMs:

Official ROMs:

LineageOS https://wiki.lineageos.org/devices/
Replicant https://www.replicant.us/supported-devices.php
/e/ EELO OS https://doc.e.foundation/devices/
CalyxOS https://calyxos.org/get/

More unofficial ROMS are available at xda-developers forum.
https://forum.xda-developers.com/all-forums-by-manufacturer

So it's possible to raise awareness, such as by writing about the issue on the Ramzor website (minimum version requirements), and suggesting that people with an older Android OS replace it with a custom ROM (they can ask someone with the technical expertise to help them).
Moving from an older OS to a newer one also increases the security & privacy of the device, so it's recommended even if the device is supported but not using a modern Android OS (which is >= 10).
