Cwa-documentation: Suggestion: Use push notification services instead of periodic test result download

Even though no specific test results are included in the notifications, the message itself signals that the user has taken a SARS-CoV-2 test.

A possible solution is to send additional random notifications.

1. How many notifications do we expect per day? 100,000?
2. How much data does a notification actually carry? A byte?

Simply send out two random and empty notifications for every serious one, with the recipients randomly chosen across all users.
Some notifications will be positive, some will be negative and twice that many will be empty.
The app can check for an empty notification and just drop it in the same way messengers drop notifications about messages from muted contacts.

This puts some load on the backend servers, but with 50M devices and only a single byte of payload, we're talking about some mega bytes per day, which is definitely negligible.

Hi,

we had those exact considerations as well. The issue here is, that we would have to involve servers of a third party.

The issue with those push services is that the connection is not truly end-to-end encrypted: Quote from the Security Architecture (to be found on the page you linked before): “Only APNs can decode and read the contents of a device token” - and to my understanding that means, that the APNs (owned by a third party!) could read the content of our message as well - on servers of which we don’t know the location (i.e. possibly on servers outside the EU/Germany).

Hi,

its true, the notification payload would be send over apple/google server. At least for the Apple services I can think of two solutions:

1. (easy) you can use silent push notifications. These only include the information that new content (the test result) is available on the server. The OS then wakes the app, which can download the content. This is used by a lot of apps.

Pushing Background Updates to Your App

If your app’s server-based content changes infrequently or at irregular intervals, you can use background notifications to notify your app when new content becomes available. A background notification is a remote notification that doesn’t display an alert, play a sound, or badge your app’s icon. It wakes your app in the background and gives it time to initiate downloads from your server and update its content.

1. (harder) you can do your own end-to-end encryption with UNNotificationServiceExtension. This is used by secure messangers (like Threema) so that Apple can’t read the content of the notification.

UNNotificationServiceExtension

A Notification Service app extension doesn't present any UI of its own. Instead, it is launched on demand when a notification of the appropriate type is delivered to the user’s device. You use this extension to modify the notification’s content or download content related to the extension. For example, you could use the extension to decrypt an encrypted data block or to download images associated with the notification.

Kind Regards,
Daniel

Thank you for the input. That's exactly the point we reached as well. However, there is the following challenge:

(a) If only those who have taken a test sign up for remote notifications, we (and the manufacturers) would have a list of the users who have taken a test. We don't want that.
(b) If all users are automatically signed up for remote (silent) push, we'd have to have a list of all installed app on our servers. We don't want to have that either.

Using remote push would also speak against the concept of a self-dismantling system, i.e. if nobody has used it for a certain time (let's say two weeks), we'd have empty databases.

That's why we finally decided on local push notifications. I will close the issue for now.

Thank you for your answer.

I really think you made the wrong decision. The whole reason for this app is to speed up the process of informing people of their exposure to the virus.

By avoiding to have a database of pushtokens, you probably delay the process in average by 6+ hours. In bad cases 24+hours.

I would object, as we cannot just leave data protection and privacy behind, just because it makes things easier to implement.

I don't understand your estimation of a 6-24 hours delay. Can you please elaborate on that?

It's not about what's easier to implement. It's probably much harder to implement push notifications. I also don't see how a push token is privacy sensibel data.

On iOS an app can register for background refreshes. Then the OS will wake up the app when it seems to be a good time. For example if the device is charging and connected to wifi. This might be every day at 5 am. It is not possible to let the task be scheduled for example every hour. Apart from that, some users disable background tasks for apps entirely in the iOS settings to save battery.

Updating Your App with Background App Refresh

The system waits until network and power conditions are good, so you should be able to retrieve adequate amounts of data quickly.

I uploaded a demo app https://github.com/danielburkard/BackgroundTest if you run it on your device and wait, it will show a list of dates when the background task was triggered.

If the Lab knows that the test is positive a 9 am. The device of the user might run the background task the next day at 5 am. She might see the notification after she wakes up and uploads the Ids. So a whole day is wasted where she could already self-isolate as well as her peers who had contact with her. With push notifications she would get the notification right away at 9 am.

I implemented background fetches like this in iOS apps before and I could see in logs, when the devices did download the data.

Kind Regards,
Daniel

Hi Daniel,

thank you for creating a sample app. However, together with the com.example.apple-samplecode.ExposureNotificationSampleApp.exposure-notification entitlement comes also the benefit of "more background time to ensure that the app can test and report results promptly" (see here).

We'll check how often an app with the entitlement is called from the background.