Cwa-documentation: Corporate smart phones and paranoid company network security rules

Created on 18 May 2020 · 17 comments · Source: corona-warn-app/cwa-documentation

We had been discussing the following use case of the corona tracing app:

An app user is an employee of a paranoid company. Therefore he/she has to give away his/her private smartphone when he/she enters the company. Within the company only company smartphones are allowed, and the employee cannot trust HTTPS/TLS, as it is common that company network security appliances break TLS encryption. How can those users use the Corona tracing app without revealing very personal health data?

So we have the traditional trade-off between personal data protection and company security interests. This situation cannot be neglected, as the first German Corona infections happened within a company canteen. Therefore this project should at least define best practices for how to handle this situation.

data privacy

All 17 comments

My feeling is that the issue is not with this application, but with the overall device management here. Any app that is transmitting data can be compromised by having employers manage devices.

My recommendation would be not to use personal apps on that device (if it's a company-owned device), or to choose not to enroll the device in company device management if one is concerned ("bring your own device"-scenario).

Personally, I don't think of that as an issue with the user's privacy: their personal smartphones can be shut down before storing them, so no false alarm will be triggered while they are lying next to each other. I can't find the specific message, but it was already discussed before that an employer would know that you are infected anyway when you would have to go into quarantine, so there isn't a real privacy issue there IMHO. Moreover, no data other than the current parameters and settings, which contain no personal information, would be sent to the smartphone.

If I got your question wrong, please feel free to correct me ^^

Well, first I think there is a privacy issue, as even your employer is not allowed to track its employees. So at least this app should think about the risks of company smartphones. Also we might think about network security settings and what a network security guy might have to configure to enable secure communication with the backends. Alternatively we could allow corporate Corona tracing backends or proxies within the networks of bigger companies.

Secondly, this is a bit related to the use case when I switch to a new phone but want all Corona data to be transferred to the new device. But here we have two devices collecting data. As far as I understood the protocol this is not the problem. I can have multiple separate identities, just as I could have multiple smartphones collecting the same data just to learn something about the quality of the Bluetooth connection tracking.

But if I understood the protocol right, all notifications are based on polling from exactly one device. What we might need is a way to receive the notifications on a 2nd device, so that I still receive notifications from my company smartphone on Friday night, even when I will not be back in the company till Monday.

To my mind, there is no other way to implement such a synchronization system without compromising user anonymity. Therefore, I don't think that will be possible for the SAP devs to implement such a feature. You could argue that you will most probably be notified as soon as there is a spread of Covid-19 in your company (e.g. the DPD location near Heinsberg as a real-world scenario) and that this system is efficient enough.

However, I think that the "switching phones" scenario makes a lot of sense! Maybe a user story could be added where an infected user can get multiple TANs for all of their devices (which could also include their company phones).

To clarify - I do not mean to say the data privacy issue is non-existent, I mean to say that there is a vulnerability in the overall concept of managed devices that we simply cannot circumvent in the app itself. When your device is managed, it is the same as rooting or otherwise compromising the phone by giving a third party control over essential aspects, such as trust configuration, which may be abused or not. The catch is that neither the developer nor the user can work around this when the app is forced to use the technology within which it is running. The operating system provides your communication stack, but at the same time a third party may control that part. It is as if you were saying: If we turn off everything we know that secures and ensures data privacy, how can we ensure it? Technically, we can't.

The best option to control this is by educating the users: Be careful of who you invite to your protected space (in this case, your phone), and in case of doubt make sure not to expose confidential data (such as stored in the app) in potentially compromised environments. This is why I said: Probably the best way to deal with this is to educate users that if, and I pronounce if, they are worried about data exposure due to device management, the only way to be sure is not to install the app on a managed device.

Now - the secondary device issue belongs in a different ticket to keep this discussion here focused and on point. I would propose to continue discussing in #82, which happens to have been raised very recently.

I think you could pin the certificate to prevent somebody from using a manually installed CA. But this would be hard to convey to the user. Maybe a warning that the traffic can be read by the network operator would be okay.

I believe the warning is a very good idea. Now that you mention that, I have seen my managed device do that at some point in the past.

I am only superficially familiar with cert pinning, to be frank. Wouldn't this basically mean that if a man in the middle, in this case trusted due to the installed CA, attempts to intercept the traffic, the app just stops working? I somehow was thinking that the expectation is for the app to continue functioning in compromised environments, but a warning sure doesn't hurt.

> An app user is an employee of a paranoid company.

Crazy question:

Why should the CEO of Deutsche Telekom and the CEO of SAP _NOT_ install the Corona Tracking App on their business phones?

If they have any doubts - any - then why should 50 million German citizens do that?

@egandro

> Why should the CEO of Deutsche Telekom and the CEO of SAP _NOT_ install the Corona Tracking App on their business phones?
>
> If they have any doubts - any - then why should 50 million German citizens do that?

Who says they have any doubts or who claims they won't install the app on their phone?

This issue just asks about people who use their phone in general inside of their company network. This has nothing to do with Telekom or SAP.

@miffels

> I am only superficially familiar with cert pinning, to be frank. Wouldn't this basically mean that if a man in the middle, in this case trusted due to the installed CA, attempts to intercept the traffic, the app just stops working? I somehow was thinking that the expectation is for the app to continue functioning in compromised environments, but a warning sure doesn't hurt.

Yeah, I think certificate pinning is mostly concerned with detecting a man-in-the-middle attack, and most apps then block all traffic, as this usually makes the most sense. But in this case I would also prefer to just show a warning, and I think this is technically possible.
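The pin-then-warn idea discussed in the two comments above, as an added example that is not part of the original thread and not code from the Corona-Warn-App project: a Python script that extracts the SubjectPublicKeyInfo from a DER certificate, computes the `pin-sha256` value that HPKP and Android's network_security_config use, and applies either the classic fail-closed pinning policy or the warn-only policy proposed here. The two certificates are constructed skeletons (a hypothetical backend key and a hypothetical inspection-proxy key), the `chain_trusted` flag stands in for the platform's own path validation, and `fetch_leaf_der` exists only to try the check against a live host.

```python
import base64
import hashlib
import socket
import ssl
from enum import Enum


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo, the bytes that pin-sha256 hashes.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, pos, _ = _read_tlv(cert_der, 0)           # Certificate
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(cert_der, pos)         # tbsCertificate
    if tag != 0x30:
        raise ValueError("bad tbsCertificate")
    if cert_der[pos] == 0xA0:                      # optional [0] EXPLICIT version
        _, _, pos = _read_tlv(cert_der, pos)
    for _ in range(5):                             # serial, sigAlg, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, end = _read_tlv(cert_der, pos)         # subjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("bad subjectPublicKeyInfo")
    return cert_der[pos:end]


def spki_pin(cert_der: bytes) -> str:
    """pin-sha256 as used by HPKP and Android's network_security_config."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


class Verdict(Enum):
    OK = "pin matched"
    WARN = "OS trusts the chain but the pin does not match: traffic may be inspected"
    BLOCK = "connection refused"


def evaluate_leaf(cert_der: bytes, pins: set, chain_trusted: bool, fail_closed: bool) -> Verdict:
    """chain_trusted is the platform's ordinary path validation result; it is True
    for an inspection proxy whose CA an MDM pushed into the device trust store.
    fail_closed=True is classic pinning (refuse); False is the warn-only mode."""
    if not chain_trusted:
        return Verdict.BLOCK                       # never override the OS rejecting a chain
    if spki_pin(cert_der) in pins:
        return Verdict.OK
    return Verdict.BLOCK if fail_closed else Verdict.WARN


def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Leaf certificate as actually presented on the wire (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        return tls.getpeercert(binary_form=True)


# --- constructed sample data (hypothetical keys, not real certificates) ---
def der_tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_cert(ec_point: bytes) -> bytes:
    """Minimal v3 certificate skeleton with an EC P-256 SPKI; names are empty and
    the signature is zeros, enough for the parser but not a valid certificate."""
    spki = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                   + der_tlv(0x03, b"\x00" + ec_point))
    tbs = der_tlv(0x30,
                  der_tlv(0xA0, der_tlv(0x02, b"\x02"))                                  # version v3
                  + der_tlv(0x02, b"\x01")                                               # serialNumber
                  + der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))    # sigAlg
                  + der_tlv(0x30, b"")                                                   # issuer
                  + der_tlv(0x30, der_tlv(0x17, b"200518000000Z") + der_tlv(0x17, b"210518000000Z"))
                  + der_tlv(0x30, b"")                                                   # subject
                  + spki)
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00" * 72))


SERVER_CERT = build_sample_cert(b"\x04" + b"\xab" * 64)   # hypothetical backend key
PROXY_CERT = build_sample_cert(b"\x04" + b"\xcd" * 64)    # hypothetical inspection-proxy key
PIN_SET = {spki_pin(SERVER_CERT)}                         # what the app would ship with

if __name__ == "__main__":
    for name, cert in (("direct", SERVER_CERT), ("intercepted", PROXY_CERT)):
        print(name, evaluate_leaf(cert, PIN_SET, chain_trusted=True, fail_closed=False).value)
```

The warn path can only fire when the platform accepts the chain: if the interposed CA is not in the device store, the handshake fails before any pin is compared, which is the BLOCK branch. One platform caveat worth knowing: an app targeting Android 7 or later trusts only the system CA store by default, so a user- or MDM-added CA is honoured only if the app's network security config opts in; on such devices the proxy is refused by the OS rather than merely warned about.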

> An app user is an employee of a paranoid company.
>
> Crazy question:
>
> Why should the CEO of Deutsche Telekom and the CEO of SAP _NOT_ install the Corona Tracking App on their business phones?
>
> If they have any doubts - any - then why should 50 million German citizens do that?

@egandro could you please focus on the technical aspects and refrain from such off-topic speculations? We really appreciate the technical on-topic discussions about such scenarios and would like to keep them open as long as possible.

> This issue just asks about people who use their phone in general inside of their company network. This has nothing to do with Telekom or SAP.

This was already covered in a few threads. There are companies who have special SIM cards for a corporate APN and might require additional HTTPS / SSL certificates to allow access to a proxy server.

There are firewalls which, in general, can decrypt any traffic.

> @egandro could you please focus on the technical aspects and refrain from such off-topic speculations?

I just asked a question whether or not "paranoid company network security rules" as claimed in #86 might exist for SAP or Telekom CEOs.

If yes - any technical doubts - need to be fixed for acceptance reasons! Government policies or government security policies might be even more strict!

There is another attack vector mentioned here: #53

The use of the app itself might be no problem - however an attacker might mimic the tracing / communication just in order to learn the Bluetooth MAC of a target's phone. This can be easily done by a fake ID or by a small device, e.g. using the ESP32.

Later in this scenario the MAC can be used to identify and trace a target's phone. The phone itself would become a trigger for any event (!).

The MAC changes regularly in most modern phones, in fact the Apple/Google API uses such a change as a trigger to change the rolling proximity identifier.

> The MAC changes regularly in most modern phones, in fact the Apple/Google API uses such a change as a trigger to change the rolling proximity identifier.

Or it is actually a static string in a write-protected file, as on some Android phones...
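The linking attack sketched a few comments up (learn the advertising MAC, then follow the phone by it) and the reply that the Apple/Google API rolls the proximity identifier whenever the MAC changes, as an added simulation that is not part of the original thread and not code from the project. MAC addresses and rolling proximity identifiers (RPIs) are random stand-ins, i.e. constructed sample data; the real RPI is derived with AES from a daily key and is not reproduced here. The script assumes a passive observer who records every (MAC, RPI) pair it hears and links two sightings whenever they share either value, and it compares a static MAC, a MAC that rotates exactly when the RPI rolls, and a MAC that rotates on its own clock.

```python
import secrets

RPI_PERIOD_MIN = 10          # Exposure Notification rolling interval, in minutes


def beacon_trace(minutes: int, policy: str, mac_period_min: int = 15):
    """Return the (mac, rpi) pair an eavesdropper hears in each minute.

    policy: "static"   - MAC never changes (the case raised above for some Android phones)
            "synced"   - MAC changes exactly when the RPI rolls (what the GAEN API does)
            "unsynced" - MAC rotates on its own clock of mac_period_min minutes
    Identifiers are random stand-ins generated on first use (constructed data)."""
    macs, rpis, trace = {}, {}, []
    for m in range(minutes):
        rpi_idx = m // RPI_PERIOD_MIN
        if policy == "static":
            mac_idx = 0
        elif policy == "synced":
            mac_idx = rpi_idx
        elif policy == "unsynced":
            mac_idx = m // mac_period_min
        else:
            raise ValueError(policy)
        mac = macs.setdefault(mac_idx, secrets.token_hex(6))    # 48-bit random BLE address
        rpi = rpis.setdefault(rpi_idx, secrets.token_hex(16))   # 16-byte RPI stand-in
        trace.append((mac, rpi))
    return trace


def linked_tracks(trace) -> int:
    """Union-find over identifiers: sightings sharing a MAC or an RPI are merged.
    Returns how many separate devices the observer would conclude it saw;
    1 means the whole trace collapses onto a single phone."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]       # path halving
            x = parent[x]
        return x

    for mac, rpi in trace:
        parent[find(("mac", mac))] = find(("rpi", rpi))
    return len({find(("rpi", rpi)) for _, rpi in trace})


def compare_policies(minutes: int = 120) -> dict:
    """Observer's device count per policy over the same time window."""
    return {p: linked_tracks(beacon_trace(minutes, p)) for p in ("static", "synced", "unsynced")}


if __name__ == "__main__":
    for policy, tracks in compare_policies().items():
        print(f"{policy:9s} -> observer sees {tracks} device(s) over 120 minutes")
```

The unsynced policy is the instructive one: rotating the MAC is not enough when it rotates on a different clock from the RPI, because every overlap bridges the old identifier to the new one. With a 15-minute MAC lifetime and a 10-minute RPI the chain only breaks where both happen to change at the same minute, so the observer still gets 30-minute tracks of three RPIs each; with a MAC period that never lines up with the RPI boundary inside the window, the whole trace links into one device, exactly as with a static MAC.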

Unfortunately, we now really deviated too far from the original topic and therefore have to close and lock the issue.

Since we are really interested in potential attack vectors, it would be great if you could check again with the architecture documentation and create new issues with concrete attack vectors stating which personal data is at risk in such scenarios!
