Matthew Robbins
The app is now available in Australia 😷 However, it's a shame that they have decided not to release the source code for full transparency. Luckily, I'm a curious chap and also a professional mobile developer.
Matthew Robbins Apr 26
Replying to @matthewrdev
So, I've downloaded and decompiled the Android app using the freely available, open source tools apktool and JadX. Here are my findings for those who are interested:
Matthew Robbins Apr 26
Replying to @matthewrdev
First things first, the app is not obfuscated (scrambled); this means we can decompile it to a level almost as good as having the original source code. They may not have released the source code but there is a clear intent of transparency displayed by not obfuscating it.
Matthew Robbins Apr 26
Replying to @matthewrdev
The Android app looks to be written in Kotlin and uses Android building blocks like activities, services, broadcast receivers, RoomDatabase, Retrofit etc. Industry standard stuff.
Matthew Robbins Apr 26
Replying to @matthewrdev
Given the Android app is Kotlin, I expect iOS is written in Swift and uses the standard iOS APIs. iOS apps take much more work to reverse engineer so this is simply a guess on my part.
Matthew Robbins Apr 26
Replying to @matthewrdev
Data is stored locally in a SQLite database using the RoomDatabase API. This places collected data inside the app's internal storage, a secure part of your phone strictly private to .
Matthew Robbins Apr 26
Replying to @matthewrdev
This means data is secured using the operating system's security mechanisms and *is not* accessible by other applications. Unless you have a jail-broken device or have deliberately unlocked root permissions, the data collected by is secure.
Matthew Robbins Apr 26
Replying to @matthewrdev
The app broadcasts a unique BluetoothLE SSID that other phones with installed can use to detect it. Importantly, the app *does not* broadcast the device name so when another phone detects you, you are identified using a Bluetooth address and not a device name.
Matthew Robbins Apr 26
Replying to @matthewrdev
then uses a BluetoothLeScanner to watch for other devices that broadcast the app's known SSID. Basically, only picks up and records other phones that have given their permission to broadcast. This implementation is vanilla Android and is industry standard.
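The two tweets above describe the advertise/scan pair at the heart of the app. What the thread calls the app's "SSID" corresponds, in Android BLE terms, to a service UUID carried in the advertisement, and the privacy property the thread highlights (no device name on the air, peers matched only by that UUID) comes down to a handful of builder flags. The Kotlin below is an added illustration of that pattern written for this page; it is not code from the app or from the author, and the service UUID, class name and `onContact` callback are assumptions. It needs the usual Bluetooth and location permissions to run on a device.

```kotlin
import android.bluetooth.BluetoothAdapter
import android.bluetooth.le.AdvertiseCallback
import android.bluetooth.le.AdvertiseData
import android.bluetooth.le.AdvertiseSettings
import android.bluetooth.le.BluetoothLeScanner
import android.bluetooth.le.ScanCallback
import android.bluetooth.le.ScanFilter
import android.bluetooth.le.ScanResult
import android.bluetooth.le.ScanSettings
import android.os.ParcelUuid
import java.util.UUID

// Constructed placeholder; a real app registers its own 128-bit service UUID.
val APP_SERVICE_UUID: ParcelUuid =
    ParcelUuid(UUID.fromString("12345678-0000-4000-8000-000000000000"))

// Hypothetical wrapper around the stock Android BLE APIs (not the app's own class).
class ContactTracingBle(private val adapter: BluetoothAdapter) {

    private val advertiseCallback = object : AdvertiseCallback() {
        override fun onStartSuccess(settingsInEffect: AdvertiseSettings) {
            // Advertising is live; nothing identifying beyond the service UUID is sent.
        }
        override fun onStartFailure(errorCode: Int) {
            // Surface errorCode to logging; ADVERTISE_FAILED_* constants describe the cause.
        }
    }

    // Advertise only the app's service UUID: no device name, no TX power, not connectable.
    fun startAdvertising() {
        val settings = AdvertiseSettings.Builder()
            .setAdvertiseMode(AdvertiseSettings.ADVERTISE_MODE_LOW_POWER)
            .setConnectable(false)
            .build()
        val data = AdvertiseData.Builder()
            .setIncludeDeviceName(false)     // the privacy-relevant flag the thread points at
            .setIncludeTxPowerLevel(false)
            .addServiceUuid(APP_SERVICE_UUID)
            .build()
        adapter.bluetoothLeAdvertiser?.startAdvertising(settings, data, advertiseCallback)
    }

    private val scanCallback = object : ScanCallback() {
        override fun onScanResult(callbackType: Int, result: ScanResult) {
            // Only advertisements matching the filter below reach this point, so every
            // result is another phone running the same app. The address is whatever the
            // peer's stack put on the air (Android randomises its own advertising address).
            onContact(result.device.address, result.rssi)
        }
    }

    // Scan with a ScanFilter on the service UUID so unrelated BLE devices are never recorded.
    fun startScanning() {
        val scanner: BluetoothLeScanner = adapter.bluetoothLeScanner ?: return
        val filter = ScanFilter.Builder().setServiceUuid(APP_SERVICE_UUID).build()
        val settings = ScanSettings.Builder()
            .setScanMode(ScanSettings.SCAN_MODE_LOW_POWER)
            .build()
        scanner.startScan(listOf(filter), settings, scanCallback)
    }

    // Hypothetical sink; an app would persist this to its private database.
    fun onContact(address: String, rssi: Int) {
        println("contact address=$address rssi=$rssi")
    }
}
```

When reviewing a decompiled app for the same property, the things to look for are exactly these: `setIncludeDeviceName(false)` on the `AdvertiseData` builder, and a `ScanFilter` restricted to the app's own service UUID rather than an unfiltered scan that would log every nearby device.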
Matthew Robbins Apr 26
Replying to @matthewrdev
In terms of data transmission and remote storage, the app requires that the user manually uploads the data. The only place in the app that transmits the data is the UploadDataUseCase:
Matthew Robbins Apr 26
Replying to @matthewrdev
The data upload is authenticated by a One Time Pin request that is sent to your mobile phone. This is important as all data upload is through user consent only.
Matthew Robbins Apr 26
Replying to @matthewrdev
Lastly, data is transmitted via HTTPS to an AWS instance secured with a public/private key pair. Web development and security is not my domain so I'll leave it to others to verify the locality of that endpoint.
Matthew Robbins Apr 26
Replying to @matthewrdev
It's also interesting to note that there is a cleanup task that automatically deletes all records after 21 days.
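A retention task like the 21-day cleanup mentioned above is, in a Room-based Kotlin app, typically a single `DELETE ... WHERE` query on the DAO driven by a periodic background job. The following is an added example written for this page of how such a task is commonly built with Room and WorkManager; it is not the app's code, and the entity, table, column names, database name and `CleanupWorker` are all assumptions. The 21-day figure is the one the thread reports.

```kotlin
import android.content.Context
import androidx.room.ColumnInfo
import androidx.room.Dao
import androidx.room.Database
import androidx.room.Entity
import androidx.room.PrimaryKey
import androidx.room.Query
import androidx.room.Room
import androidx.room.RoomDatabase
import androidx.work.ExistingPeriodicWorkPolicy
import androidx.work.PeriodicWorkRequestBuilder
import androidx.work.WorkManager
import androidx.work.Worker
import androidx.work.WorkerParameters
import java.util.concurrent.TimeUnit

// Hypothetical entity for one observed contact (schema is an assumption).
@Entity(tableName = "contacts")
data class ContactRecord(
    @PrimaryKey(autoGenerate = true) val id: Long = 0,
    @ColumnInfo(name = "observed_at") val observedAt: Long,   // epoch milliseconds
    @ColumnInfo(name = "peer_address") val peerAddress: String,
    val rssi: Int
)

@Dao
interface ContactDao {
    // Remove every record older than the cutoff; Room returns the number of rows deleted.
    @Query("DELETE FROM contacts WHERE observed_at < :cutoffMillis")
    fun deleteOlderThan(cutoffMillis: Long): Int
}

@Database(entities = [ContactRecord::class], version = 1)
abstract class AppDatabase : RoomDatabase() {
    abstract fun contactDao(): ContactDao

    companion object {
        @Volatile private var instance: AppDatabase? = null

        // Room stores the file under the app's private data directory (assumed name below).
        fun get(ctx: Context): AppDatabase = instance ?: synchronized(this) {
            instance ?: Room.databaseBuilder(
                ctx.applicationContext, AppDatabase::class.java, "contacts.db"
            ).build().also { instance = it }
        }
    }
}

const val RETENTION_DAYS = 21L

// Kept as a pure function so the cutoff arithmetic can be checked without a database.
fun retentionCutoff(nowMillis: Long, retentionDays: Long = RETENTION_DAYS): Long =
    nowMillis - TimeUnit.DAYS.toMillis(retentionDays)

// Runs on a WorkManager background thread, so the DAO call is allowed here.
class CleanupWorker(ctx: Context, params: WorkerParameters) : Worker(ctx, params) {
    override fun doWork(): Result {
        val dao = AppDatabase.get(applicationContext).contactDao()
        dao.deleteOlderThan(retentionCutoff(System.currentTimeMillis()))
        return Result.success()
    }
}

// Schedule the sweep once a day; KEEP avoids re-enqueueing if it is already scheduled.
fun scheduleCleanup(ctx: Context) {
    val request = PeriodicWorkRequestBuilder<CleanupWorker>(1, TimeUnit.DAYS).build()
    WorkManager.getInstance(ctx).enqueueUniquePeriodicWork(
        "contact-cleanup", ExistingPeriodicWorkPolicy.KEEP, request
    )
}
```

When verifying a retention claim in a decompiled build, the query string on the DAO and the constant feeding its cutoff are the two places to confirm the window actually matches what is stated to users.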
Matthew Robbins Apr 26
Replying to @matthewrdev
From what I can see, everything in the app is above board, very transparent and follows industry standards. I'd be interested in hearing perspectives on the app from my tech friends. Please chime in if you are also having a dig around and find something of note 😊
Matthew Robbins Apr 26
Replying to @GeoffreyHuntley
Also, my good friend is doing a much more thorough teardown of the app. See here:
Matthew Robbins Apr 26
Replying to @VTeagueAus
Another important update, please take a look at 's investigation into . She is a security expert and is definitely more qualified than myself to comment on the app's privacy and security.
Matthew Robbins Apr 27
Replying to @matthewrdev
We are running a live panel discussing our findings of tomorrow night. Live from 6:30pm AEST on Wednesday 29th April. RSVP here: