Cwa-app-ios: Playbook usage still allows to guess user actions

Created on 21 Aug 2020 · 2 Comments · Source: corona-warn-app/cwa-app-ios

Avoid duplicates

  • [x] Bug is not mentioned in the FAQ
  • [x] Bug is not already reported in another issue

Describe the bug

The playbook implementation cited above always sends three requests for a single real request. There are two situations where actions of the user are detectable:

  • When the user scans a QR code, the App requests a registration token and checks for the test result.
  • When the user decides to submit his/her keys, the App requests a TAN and submits the keys to the submission service.

In both cases one can observe 2 playbook calls resulting in 6 requests at the same time, while in other cases (e.g. background check for test result) there is only 1 playbook call (3 requests).

Expected behaviour

The app works as expected, this is not a functional issue.

Steps to reproduce the issue

There is nothing special to do, just use a release candidate with the plausible deniability feature enabled. However, in order to get evidence about the number of requests you need to use Wireshark or any other technique to monitor network traffic.

Technical details

  • iOS Version: 13.6
  • Device: iPhone 7
  • App version: 1.3.0 (5)

Possible Fix

A possible solution would be to have playbook requests with two real requests inside, e.g. for QR code scan do two real requests to the verification server (get registration token, check test result) and one fake request to submission service.

Additional context


Internal Tracking ID: EXPOSUREAPP-2314

bug mirrored-to-jira
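
The request-count difference described in the report can be turned into a regression check on captured request timestamps. The following is an added example, not code from the issue or from the cwa-app-ios project; the burst gap, event names and timestamps are constructed assumptions, and it models request counts only (not sizes or destinations).

```python
from collections import Counter

PLAYBOOK_SIZE = 3    # requests per playbook call, as stated in the issue
BURST_GAP_S = 2.0    # assumption: requests closer together than this form one burst

def group_bursts(timestamps, gap=BURST_GAP_S):
    """Split request times into bursts separated by more than `gap` seconds."""
    bursts = []
    for t in sorted(timestamps):
        if bursts and t - bursts[-1][-1] <= gap:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return bursts

def burst_size_histogram(timestamps, gap=BURST_GAP_S):
    """Map burst size -> number of bursts of that size."""
    return Counter(len(b) for b in group_bursts(timestamps, gap))

def leaks_user_action(timestamps, gap=BURST_GAP_S):
    """True if bursts differ in size, so request count alone tells events apart."""
    return len(burst_size_histogram(timestamps, gap)) > 1

def simulate(events, playbooks_per_event):
    """Constructed traffic: each (time, kind) event emits N playbooks back to back."""
    out = []
    for t, kind in events:
        n = playbooks_per_event[kind] * PLAYBOOK_SIZE
        out.extend(t + 0.1 * i for i in range(n))
    return out

# Constructed sample timeline (seconds); event names are hypothetical labels.
EVENTS = [(0.0, "background_check"), (600.0, "qr_scan"),
          (1200.0, "background_check"), (1800.0, "submit_keys")]
# Behaviour reported in the issue: user actions trigger 2 playbook calls.
REPORTED = {"background_check": 1, "qr_scan": 2, "submit_keys": 2}
# Proposed fix: one playbook carrying both real requests plus one fake.
PROPOSED = {"background_check": 1, "qr_scan": 1, "submit_keys": 1}

if __name__ == "__main__":
    for name, model in (("reported", REPORTED), ("proposed", PROPOSED)):
        traffic = simulate(EVENTS, model)
        print(name, dict(burst_size_histogram(traffic)),
              "distinguishable:", leaks_user_action(traffic))
```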

All 2 comments

One question (a little bit off topic) but are you sure you're on App version 1.3.0?

Sorry for the confusion, this is related to an internal version that we use for testing. This version is not released. We will track this issue in Jira (EXPOSUREAPP-2314) and it will be solved in the 1.3.0 release.
