Documentation update - registration process
adubois opened this issue · comments
Describe the bug
The README.md could be enriched with a description of the registration process. If someone could help and submit a pull request with the suggested changes, after verifying what I say...
To Reproduce
"How it works" only provides a very high-level description.
Expected behaviour
Add a section at the end maybe...
Additional information
Registration process
- Send registration request (to Google FCM, Firebase Cloud Messaging) (in Sonar/Registration/ConcreteRegistrationService.register() via notificationCenter.addObserver(forName: PushTokenReceivedNotification, ...))
- Receive FCM pushToken and call requestRegistration(pushToken)
- Send confirmRegistration/secondRegistration request (to NHS?/api/devices) with activationCode, FCM pushToken, partialPostCode (provided by user) via RegistrationService::requestRegistration (moreover, networking/RequestFactory::registrationRequest(pushToken) enriches the request with deviceModel and OSVersion before submission)
- On response, define registration as:
  - id from response.id (provided by server)
  - secretKey from response.secretKey (provided by server), our Key?
  - broadcastRotationKey from response.serverPublicKey (after conversion by Bluetooth/BroadcastIdBroadcastRotationKeyConverter::fromData)
- Stored in KeyChain in 2 parts:
  - partialRegistration = id+secretKey (via SecureRegistrationStorage.set)
  - broadcastRotationKey (via SecureBroadcastRotationKeyStorage.save)
Releasing these details would allow someone to spoof the system. More insight, if you want to go further, can be found at https://www.ncsc.gov.uk/files/NHS-app-security-paper%20V0.1.pdf
This issue can be closed and used as a reference to find in the code the implementation of what is documented. Documentation has been provided in the NHSx COVID19-app-Documentation-BETA repository, in particular in App and System Architecture, slide 11. The objective of this issue was not to perform any analysis on privacy issues or misuse of the application by NHS or other parties but to provide a basis and documentation for discussion on these matters.