mohgovil / ramzor Goto Github PK
View Code? Open in Web Editor NEWHome Page: https://corona.health.gov.il/en/ramzor-model
License: Creative Commons Zero v1.0 Universal
Home Page: https://corona.health.gov.il/en/ramzor-model
License: Creative Commons Zero v1.0 Universal
From AndroidManifest:
android:requestLegacyExternalStorage="true">
change the setting to false! in order to use scoped storage that limit not needed access of the app to user data, which is less secure!
also the below change is needed (the addition of android:maxSdkVersion="28"
to WRITE_EXTERNAL_STORAGE permission)
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
android:maxSdkVersion="28" />
see: https://developer.android.com/training/data-storage/shared/media#request-permissions
The minSdkVersion is 24, so the app won't work on android version < 7.
There are complains about it:
https://twitter.com/aradboaz/status/1364886993596014593
https://twitter.com/AviSchneor/status/1363520399871508481
That the app won't work on older devices, what the reason minSdkVersion is 24?
See related issue in hamagen: MohGovIL/hamagen-react-native#280
Also can you publish the source-code so we can see the real reason?
https://corona.health.gov.il/en/ramzor-model returns 404 status
why should you consider it?
the app itself is gorgeous and well designed, it a shame that such a horrendous animation is ruining its overall UI experience
As of Oct 3, new "green passes" issued contain a signature that is no longer verifiable with the public key provided here.
Prior to Oct 3, verification with the ECDSA key worked fine
The official guides all say that the app can scan and verify vaccination QR codes.
However, I could not find this functionality anywhere. I assumed I need to sign up as a business first, but as mentioned in the reply, I had to choose my location.
The app should be less confusing in that regard.
Also, you'd probably want to change the wording of the post-scan screen to strongly require the user to verify the ID of the green pass holder, and warn that the green pass by itself is not enough.
Found this in twitter tweet with picture & more information (issuing of green pass in app return "<NO_DATA>" under "סטטוס התו הירוק"):
https://twitter.com/zpeled/status/1500854510381588484/photo/1
it's possible to obtain the APK for ramzor app only from GooglePlay which limit it to devices that have PlayStore app preinstalled, some ROMs (for example: https://grapheneos.org/) & devices don't contain this app, some won't use alternatives like AuroraStore, please add direct download option for universal-APK (contain all supported arch, arm/x86..), so users can install the app from official place (to avoid using sites such as apkpure.com etc..)
see related issue in Hamgaen app:
MohGovIL/hamagen-react-native#72
Hamagen added APK & IPA file for each release on github in assets to download:
https://github.com/MohGovIL/hamagen-react-native/releases
There seems to be no published test vectors for the specification described in this repository.
This means community developers are limited in their ability to test their implementations against the spec, and must resolve to testing on their own data which includes PII. Such private data naturally cannot be published publicly, for example in the case of unit tests.
It would be greatly beneficial to publish at least some test vectors for the most common payloads types that might be encountered in real-life scenarios.
.
Visiting:
https://corona.health.gov.il/en/ramzor-model#footer
At the bottom near Download "Ramzor" App have 2 images for downloading the app from Google Play and App Store, but clicking the images will open the download page for hamagen app instead.
here the related html code:
<div class="d-md-flex col-md-8 align-items-center">
<p class="app-text">Download "Ramzor" App</p>
<div class="d-inline-block app-image">
<a href="https://play.google.com/store/apps/details?id=com.hamagen" target="_blank" aria-label="Open in new window">
<img src="/media/pemkaxwk/artboard-1-copy-2-3x.png?anchor=center&mode=crop&width=153&height=46&rnd=132482654581670000" alt="Download the HaMagen app from Google Play" class="img-fluid" />
</a>
</div>
<div class="d-inline-block app-image">
<a href="https://itunes.apple.com/us/app/id1503224314?ls=1&mt=8" target="_blank" aria-label="Open in new window">
<img src="/media/uhjkty0b/download-on-the-app-store-badge-us-uk-rgb-blk-092917-copy-2-3x.png?anchor=center&mode=crop&width=153&height=46&rnd=132482654487830000" alt="Download the HaMagen app from App Store" class="img-fluid" />
</a>
</div>
</div>
The Android APK contain libloader.so
files in:
./lib/arm64-v8a
& ./lib/armeabi-v7a
folders.
running strings
on libloader.so
file return:
clang version 8.0.0 (tags/RELEASE_390/final) ([email protected]:appdome/obfuscating-compiler.git 7bea07162c30f6878668d473b5d5fd2bb18fc253)
Also running APKiD https://github.com/rednaga/APKiD on the APK file return:
[+] APKiD 2.1.2 :: from RedNaga :: rednaga.io
[*] /input/com.moh.alert.ramzor.apk!classes.dex
|-> anti_vm : Build.MANUFACTURER check, possible Build.SERIAL check
|-> compiler : dexlib 2.x
|-> protector : Appdome (dex)
[*] /input/com.moh.alert.ramzor.apk!classes2.dex
|-> compiler : dexlib 2.x
[*] /input/com.moh.alert.ramzor.apk!lib/arm64-v8a/libloader.so
|-> protector : Appdome
[*] /input/com.moh.alert.ramzor.apk!lib/armeabi-v7a/libloader.so
|-> protector : Appdome
Thus Appdome used to obfuscate "protect" app code which makes it's harder to understand what this file is doing
this can be done by setting minifyEnabled false
in build.gradle (if gradle used to build the app)
or by adding -dontobfuscate
to proguard-rules.pro
file, the obfuscation is what need to be disabled, both shrink &optimization can be enabled, more info: https://developer.android.com/studio/build/shrink-code
Fix: avoid all obfuscation/minification of the app & publish the source-code of the app as well! when the source-code is published enabling minifcation is OK when the build process is reproducible.
From AndroidManifest
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
<uses-permission android:name="android.permission.WAKE_LOCK"/>
<uses-permission android:name="android.permission.CAMERA"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="com.moh.alert.ramzor.deveventspermission"/>
From GooglePlay:
This app has access to:
Location
approximate location (network-based)
precise location (GPS and network-based)
Phone
read phone status and identity
Photos/Media/Files
read the contents of your USB storage
modify or delete the contents of your USB storage
Storage
read the contents of your USB storage
modify or delete the contents of your USB storage
Camera
take pictures and videos
Device ID & call information
read phone status and identity
Other
view network connections
full network access
run at startup
prevent device from sleeping
see for example explanation of other apps:
https://support.signal.org/hc/en-us/articles/360007062172-Signal-Permissions#android_permissions
https://support.mozilla.org/en-US/kb/how-firefox-android-use-permissions-it-requests
Please explain all used permissions in the android app, why they are needed & for what usage, remove unused or not necessary permissions.
You can read the related IsraelDefense article in hebrew:
https://www.israeldefense.co.il/node/48468
דעה | אפליקציית ״רמזור״ מבקשת הרשאות שאינן מידתיות למהות היישום
פלוני יכול לחשוב שאפליקציית ״רמזור״ שפרסם משרד הבריאות, היא אפליקציית ריגול בכסות ממשלתית.
The source code for Ramzor app on Android/iOS is not published/open-source, please publish the code in github, thus enabling developers and testers to look at the code and suggest improvements, find bugs, etc..
see related issue in hamgen repo MohGovIL/hamagen-react-native#289
which include source-code for hamagen app, the repo includes 215 issues & 74 PRs.
I opened 77 issues (20 was closed) in hamagen repo, some are security & privacy issues, and would like to check the source-code of the Ramzor app as well.
From UVCI Composition:
The Unique string calculated as MD-5 hash function based on data fields from MoH“CoVID-19 Vaccination Record”. The subject is organized into a single plaintext string as follows:
MD5=([PII Information][Valid until date])
UVCI = [01]/[IL]/MD5{[PII Information][Valid until date]}#[crc32]
MD5 algorithm is old and insecure:
collisions:
https://github.com/corkami/collisions
and also vulnerable to length extension attack.
why is it used in this context? and not other algorithm for hashing? what the requirements are for the hash used in this case? and why md5 was chosen?
See related issue at Hamagen repo:
MohGovIL/hamagen-react-native#281
This app currently require Android >= 7, see:
#13
People with devices that run older versions of android won't be able to use it, but many devices can upgrade the OS using Custom ROMs:
Official Roms:
LineageOS https://wiki.lineageos.org/devices/
Replicant https://www.replicant.us/supported-devices.php
/e/ EELO OS https://doc.e.foundation/devices/
CalyxOS https://calyxos.org/get/
More unofficial ROMS are available at xda-developers forum.
https://forum.xda-developers.com/all-forums-by-manufacturer
So it's possible to raise awareness such as to write about the issue in ramzor-website, minimum version requirements, and suggest people with older Android OS to replace it with Custom ROM (They can ask someone with the technical expertise to help them)
Moving from older OS to newer one also increase the security & privacy of the device, so it's recommended even if the device is supported but not using a modern android OS (which is >= 10)
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.