ukhsa-collaboration / COVID-19-app-iOS-BETA

Source code of the Beta of the NHS COVID-19 iOS app

Home Page: https://covid19.nhs.uk/

Documentation update - registration process

adubois opened this issue · comments

Describe the bug
The README.md could be enriched with a description of the registration process. If someone could help and submit a pull request with the suggested changes, after verification of what I say...

To Reproduce
"How it works" only provides a very high-level description.

Expected behaviour
Add a section at the end maybe...

Additional information

Registration process

  • Send registration request (to Google FCM Firebase Cloud Messaging) (in Sonar/Registration/ConcreteRegistrationService.register() via notificationCenter.addObserver(forName: PushTokenReceivedNotification, ...))
    • receive FCM pushToken and call requestRegistration(pushToken)
    • send confirmRegistration/secondRegistration request (to NHS?/api/devices) with activationCode, FCM pushToken, partialPostCode (provided by user) via RegistrationService::requestRegistration (moreover, networking/RequestFactory::registrationRequest(pushToken) enriches the request with deviceModel and OSVersion before submission)
    • on response, define registration as:
      • id from response.id (provided by server)
      • secretKey from response.secretKey (provided by server), our Key?
      • broadcastRotationKey from response.serverPublicKey (after conversion by Bluetooth/BroadcastIdBroadcastRotationKeyConverter::fromData)
      • Stored in KeyChain in 2 parts:
        • partialRegistration = id+secretKey (via SecureRegistrationStorage.set)
        • broadcastRotationKey (via SecureBroadcastRotationKeyStorage.save)

Releasing these details would allow someone to spoof the system. More insight, if you want to go further, can be found at https://www.ncsc.gov.uk/files/NHS-app-security-paper%20V0.1.pdf

This issue can be closed and used as reference to find in the code the implementation of what is documented. Documentation has been provided in the NHSx COVID19-app-Documentation-BETA repository. In particular in App and System Architecture slide 11. The objective of this issue was not to perform any analysis on privacy issues or mis-use of the application by NHS or other parties but to provide a basis and documentation for discussion on these matters.
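The last steps of the registration flow listed in the issue (decode the server response, then store it in the Keychain in two parts), as an added Swift example that is not code from the app's repository. The response field names come from the issue; the base64 encoding of the key fields, the service and account names, the `saveToKeychain` and `storeRegistration` helpers and the sample body are assumptions made for illustration.

```swift
import Foundation
import Security

// Field names come from the issue text; base64-encoded key fields are an assumption.
struct RegistrationResponse: Decodable {
    let id: UUID
    let secretKey: Data
    let serverPublicKey: Data
}

enum KeychainError: Error { case unhandled(OSStatus) }

// Hypothetical helper: replaces any existing generic-password item for `account`.
func saveToKeychain(_ data: Data, account: String) throws {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: "example.registration", // assumed service name
        kSecAttrAccount as String: account,
    ]
    SecItemDelete(query as CFDictionary) // a missing item is not an error here
    var attributes = query
    attributes[kSecValueData as String] = data
    // Readable while the phone is locked (background Bluetooth needs this),
    // but never migrated to another device through backup or sync.
    attributes[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    let status = SecItemAdd(attributes as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.unhandled(status) }
}

func storeRegistration(fromResponseBody body: Data) throws {
    let decoder = JSONDecoder()
    decoder.dataDecodingStrategy = .base64
    let response = try decoder.decode(RegistrationResponse.self, from: body)

    // Part 1: partialRegistration = id + secretKey (UUID string is a fixed 36 bytes).
    var partial = Data(response.id.uuidString.utf8)
    partial.append(response.secretKey)
    try saveToKeychain(partial, account: "partialRegistration")

    // Part 2: broadcastRotationKey, kept as raw bytes in its own item (assumption:
    // the app converts it to a key object first; that step is omitted here).
    try saveToKeychain(response.serverPublicKey, account: "broadcastRotationKey")
}

// Constructed sample body, not a real server response.
let sample = Data(#"{"id":"1C8D305F-DB93-4BA4-81B9-4B0EAA1B3C4F","secretKey":"c2VjcmV0","serverPublicKey":"cHVibGlj"}"#.utf8)
do { try storeRegistration(fromResponseBody: sample); print("stored") }
catch { print("registration not stored: \(error)") }
```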