What does a hacker think about the Corona App? We checked with Adrian Janotta. After first making a career in the darknet, the hacker now helps others improve their IT security with his company, Janotta Partner Consulting.
Picture and text by Adrian Janotta
I say that in 20 years this will no longer be a Corona App, but an App that informs you what you can and cannot do.
Why, you ask yourself? I will answer that in this article!
We tend to use technology to apply inappropriate measures to many other facts and circumstances. Of course nobody wants that today, but was it not the same with data retention and other technological measures? At least there is money to be made from this idea: a lot of money, actually.
A look at Switzerland
In Switzerland, an app based on DP-3T was already introduced on 11 May. The Swiss are a bit faster, better and above all more targeted. DP-3T is a standard that enables decentralized management of data protection. Its aim is to simplify and accelerate the process of identifying people who have been in contact with an infected person. In this way, a technological basis is created which is intended to slow down the spread of the SARS-CoV-2 virus. The system aims to minimise data protection and security risks for individuals and communities and to ensure the highest level of data protection.
Quality instead of quantity?
From a technical point of view, a decentralisation of data for the purpose of security and quality is always to be favoured. So when it comes to corona tracking, Switzerland focuses on quality rather than quantity. Is that possibly a motto in Switzerland? It seems to be the case with all the products I know from Switzerland.
What should the Corona App do?
The main task of the App should be to establish an interface between the App and the Corona test results. Users should be able to report if they have tested positive for the virus. The reports should be anonymous and at the same time secure to prevent misuse and to maintain the highest level of data protection.
But I wonder: How reliable will this information be, especially without a previous legal regulation? While I don’t think that an additional and further task is planned for the app at this time, there are enough skeptics who sense the danger of monitoring individuals.
So how do you create trust in the Corona App?
Secure software development is the first keyword in this context. But how safe is safe? The problem here is that the procedure so far is as follows: First something is developed, which is then checked for security holes via pentests. In a year, however, I believe there will be new security holes in the app. So the whole procedure does not seem to be very secure so far. Why not use secure software development with respect for clean code, I ask myself?
Clean Code, what is it?
Clean code is a challenge for every programmer or developer: to write program code cleanly. With clean code, security gaps can be avoided during development itself. Clean code is an elementary component of secure software development. Why does this principle not establish itself, you ask yourself? The answer is simply that it is very expensive to design software that is secure from the ground up. So, for reasons of cost efficiency, security tests are carried out retrospectively. What for? The smartphone that citizens use is not secure anyway, so why should a single app be? That is the thinking behind it.
Crypto key for more security?
Apple and Google should provide a crypto key that can be exchanged and changes every 10 to 20 minutes. This is really innovative. It should be possible to trace encounters without the individual being traceable.
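A rotating-identifier scheme of the kind described above, as an added Python example that is not code from the article, from Apple and Google, or from DP-3T. The HMAC-based derivation, the 15-minute interval, all function names and the sample keys are assumptions made for this illustration: each phone derives a fresh broadcast identifier from a daily key, and matching happens on the device once a positive user publishes that key.

```python
from __future__ import annotations
import hashlib
import hmac

ROTATION_MINUTES = 15  # assumption: the article says 10 to 20 minutes
INTERVALS_PER_DAY = 24 * 60 // ROTATION_MINUTES  # 96 identifiers per day


def ephemeral_id(daily_key: bytes, interval: int) -> bytes:
    """Identifier a phone broadcasts during one rotation interval."""
    if not 0 <= interval < INTERVALS_PER_DAY:
        raise ValueError("interval out of range")
    msg = b"ephemeral-id" + interval.to_bytes(2, "big")
    # HMAC acts as a PRF: without daily_key, two identifiers from the
    # same phone cannot be linked to each other by an observer.
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


def ids_for_day(daily_key: bytes) -> list[bytes]:
    """All identifiers one phone broadcasts in a day."""
    return [ephemeral_id(daily_key, i) for i in range(INTERVALS_PER_DAY)]


def exposed_intervals(observed: set[bytes],
                      published_keys: list[bytes]) -> list[tuple[int, int]]:
    """Decentralised matching, run on the phone itself: re-derive the
    identifiers of users who reported a positive test and compare them
    with what this phone heard. Returns (key index, interval) pairs."""
    hits = []
    for k, key in enumerate(published_keys):
        for i, eid in enumerate(ids_for_day(key)):
            if eid in observed:
                hits.append((k, i))
    return hits


# Constructed sample keys (a real app would draw 32 random bytes per day).
ALICE_KEY, BOB_KEY, CAROL_KEY = (
    hashlib.sha256(n).digest() for n in (b"alice", b"bob", b"carol"))

# Constructed scenario: Bob's phone heard Alice during interval 40 and
# Carol during interval 41.
BOB_OBSERVED = {ephemeral_id(ALICE_KEY, 40), ephemeral_id(CAROL_KEY, 41)}

if __name__ == "__main__":
    # Alice reports a positive test, so only her daily key is published.
    print(exposed_intervals(BOB_OBSERVED, [ALICE_KEY]))
```

Only the daily keys of users who report a positive test leave a phone; the list of observed identifiers stays local, which is the decentralised property the DP-3T section refers to.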
A German problem: Rigid structures instead of innovations
In Germany, unfortunately, there is a lack of innovative ideas so far, because we often don’t have any real innovators at work, but rigid and outdated structures that don’t get you anywhere. Certainly serious – but unfortunately not particularly innovative.
Why develop your own Corona App when Google and Apple already produce one?
This is where the German government could work together with the software manufacturers in a targeted manner, in my opinion. The way it’s run now, tax money is quickly wasted, which burdens the taxpayers. And later everyone gets upset again about the tax waste. Capitalism dominates the health system.
What should the Corona App do?
The ideal benefit should be that the chains of infection can be traced more easily. Affected persons could be notified immediately if they should react and thus work against the spread of the pandemic. However, there are many factors on which success depends. It is unclear, for example, how many users will install the app and whether it will work technically reliably. The app could be used to track you, globally, i.e. beyond the actual purpose of the app. But I maintain that this is a completely exaggerated hysteria. But of course only the future can provide the proof.
Would I install the app?
I dislike the fact that this semi-finished technology is to be brought to market in record time. My friend, Dr. Aleksandra Sowa, who works in the field of data protection, agrees. Aleksandra founded and managed the Horst Görtz Institute for Information Security together with the German cryptologist Hans Dobbertin. And she believes, like me, that secure software cannot be developed overnight. More and more detailed considerations are needed before an introduction. For example, to create incentives for the users. How could that be done?
Game and reward for the success of the app
I personally advocate a points system. This means that if a user uses the app, he should be rewarded with one point. With a certain number of points, this user could receive some recognition: for example, stickers or another small thank-you, maybe a letter, a voucher or something similar. This could make the app a success and strengthen the sense of community. People love to play – in every situation.