
Mecklenburg-Western Pomerania is already using it, Berlin too, and Brandenburg, Baden-Württemberg, Hesse, Lower Saxony and Thuringia are planning its introduction: the Corona contact tracing app Luca from the Berlin start-up Culture4life has celebrated a string of sales successes in recent weeks.

All of these federal states are relying on the app for their reopening concepts. It is intended to let the health authorities trace contacts quickly and securely in the event of an infection, without paper forms at events, in restaurants and in shops.

The app had received a lot of media attention because it was promoted by cultural figures, including the German rapper Smudo (real name Michael Schmidt).

Smudo co-financed the project and started promoting it.


But at the same time, the makers of the app have come under increasing criticism from various sides in the past few weeks. So far it has not been disclosed how exactly the Luca app processes user data securely, wrote Anke Domscheit-Berg, member of the Bundestag (Die Linke), on Twitter.

Security experts warned about the way the encryption of user data is implemented in the app.

How exactly the user data is processed by the server has not yet been disclosed.

The conference of the independent data protection commissioners of the federal and state governments clearly criticized the app's underlying concept in a statement: the data of all users would be stored in encrypted form, but centrally on a server belonging to the operator.

Mockery and ridicule from developers


All health authorities would also have "the same keys for decrypting the contact details" in hand.

"This harbors the avoidable risk that the spying out or misuse of these keys could lead to unauthorized access to a large number of the data records centrally managed by the system," the data protection commissioners warn.

"A successful attack on the systems of Culture4life GmbH can therefore endanger the security of the entire system."

On Tuesday, after Culture4life had secured the deals with the federal states over the past few weeks, the creators disclosed the source code of the app for review - and promptly earned scorn and ridicule.

As programmers discovered, the Luca makers had made use of open source program modules, but in doing so had simply removed the required license and copyright notices for the third-party code from their program - an absolute faux pas among developers.

Various experts publicly pointed out the copyright violation.

The hacker collective "Zerforschung" showed in an initial analysis that Luca may have violated the license conditions by unceremoniously publishing the copied code under its own, significantly more restrictive license.


Only after clear criticism did Philipp Berger, CTO of the software company Nexenio, which is behind Luca and Culture4life, hasten to apologize.

At the same time, the Luca makers subsequently adjusted the license for their program code on Wednesday morning and switched to the widely used GPLv3 license.

Had the creators continued to violate the license terms of the third-party code they used, the Luca app would have risked being removed from Apple's App Store, among other things.

No answer from the chief technology officer

Luca had also anchored requirements in its terms of use that did not fit the open source idea at all: among other things, the makers forbade any form of vulnerability analysis, and source code analysis was also to be prohibited.

Anyone who wants to ensure that their own app meets the high security standards it claims for itself does not prohibit such analyses. On the contrary, it is common practice in the industry to invite experts to public tests and to reward any weaknesses they find.

How securely the app is designed on the server side also remains an open question, because so far the Luca programmers have still not published any server code.

This must first be "prepared", says CTO Berger on the project's GitLab page.

Despite criticism from other developers, Berger did not answer why the code could not simply be published immediately, as demanded by the data protection commissioners of the federal and state governments.

Schwesig and rapper Smudo explain how the Luca app is used

Mecklenburg-Western Pomerania was the first federal state to acquire a license for the Luca app, which is backed by rapper Smudo, among others.

Prime Minister Schwesig and Smudo explain here exactly how contact tracing should work.

Source: WELT