Vaccinated, recovered and tracked by Google: The Corona apps for Android are based on Google services. This means an unnecessary compromise of privacy. Alternatives from the Free Software Foundation show that there is another way.
Many Covid apps build on Google. This has privacy implications.
The European Commission had SAP and T-Systems develop the Corona warning app at considerable expense, as well as an app for the EU vaccination card in August 2021. The apps are open source under the Apache license (exemplary!) and the source code is on GitHub. But in their Android variants, both rely on the tracking service from Google or Apple, depending on the version. Given how sensitive this data is, that is questionable under data protection law, and it is also a poor technical showing: both apps could have been built without transmitting data to Google, as the free alternatives from the Free Software Foundation Europe (FSFE) show.
Improper, headless procedure?
Time was of the essence, and rapidly developing or integrating alternatives such as the Micro G framework (see box: “Micro G”) would not have been possible and would have been too expensive, so data protection concerns were thrown overboard for the time being. This is not speculation, but was clearly formulated as a requirement for apps of this type by the philosopher Julian Nida-Rümelin, Deputy Chairman of the German Ethics Council (see press release). What gets lost in the debate, however, is who receives this data: Alphabet and Apple. The latest actions by companies under the Alphabet holding company, such as YouTube, raise considerable doubts as to whether Google of all companies can guarantee fair handling of the collected data. That is unlikely to help the acceptance of these apps, which, in the case of the Covpass app, are a help in an everyday life that is not entirely uncomplicated. This is all the more regrettable because things could have gone very differently. Forks of the free Corona apps, i.e. the Corona-Warn-App and the Covpass-App for Android, already exist and avoid the Google Play services as well as the transmission of personal data and revealing metadata to the Google servers.
FSFE: What these apps do differently
Corona tracing app without Google: This FSFE Android app was developed after the Micro-G framework included the “Exposure Notification” in its range of functions.
This is not about the purpose and effectiveness of corona tracking apps. Without question, storing certificates after Covid-19 tests and digital vaccination records is a useful thing. Using the source code from SAP and T-Systems on GitHub, FSFE has developed alternatives to the Android apps without Google services. This is made possible by replacing the proprietary Google libraries on which these apps are built. Instead of the Google Play services, the FSFE apps ship the Micro G framework, which reimplements the APIs for push services and location determination, or uses only protective mechanisms that prevent Google from identifying the device and user. For the corona tracing app, the developer of the alternative framework has reimplemented the so-called “Exposure Notification” in Micro G, which performs the comparison with other nearby smartphones via Bluetooth. This was the trigger for the FSFE to develop its own forks of the apps, because installing Micro G on smartphones with a manufacturer-specific Android or a custom ROM involves difficulties and tinkering that normal smartphone users cannot reasonably be expected to handle. The alternative apps from the FSFE therefore include parts of Micro G themselves. As a result they are a bit larger and, according to our tests, also drain the battery of an Android device significantly faster, but they work without Google services.
Installing the apps on Android
Alternative Covpass app: Again, FSFE has completely removed all proprietary Google services and libraries that aren’t necessary for the app to work anyway.
The FSFE apps are not available in the regular Google Play app store, but they are in the F-Droid app directory, which specializes in completely free software for Android. F-Droid is a moderated app store that keeps malware out. F-Droid achieves this by constantly recompiling all new apps from their open, viewable source code. However, it is not necessary to install the F-Droid store on an Android device as well. The FSFE’s Corona-Warn-App and the Covpass-App are also available for download as APKs. These apps require Android 6.0 or higher, so not a particularly recent version.
By default, installation of APK files is not allowed on Android systems for security reasons. Before this works, the “Unknown sources” or “Install unknown apps” option must be activated in Android under “Settings -> Applications”. The apps themselves are similar to the original Corona apps from SAP and T-Systems, but request fewer permissions after the first start.
Micro G: Alternative to Google Play
In order for the Corona-Warn-App to work, it needs location services, which are provided in regular Android versions via Google Play Services. Map and navigation apps as well as push services of all kinds, which deliver notifications from app servers to specific smartphones, also work via these background services and APIs. While Android is open source, the Google Play Services libraries are not: users and developers do not have full control over these background services on Android devices, and cannot easily turn them off or uninstall them. At the same time, they allow the big service providers like Google to collect metadata from Android devices. Even if an app encrypts the content of messages and data packets, Google can draw conclusions about communication behavior by analyzing the metadata and, of course, also permanently locate the devices. Other providers such as Apple do essentially nothing else. Privacy advocates, open source advocates, and increasingly also ordinary users are no longer comfortable with the matter.
The strongest alternative to these services at present is the Micro G framework mentioned above. On the one hand, it works as an intermediate layer that accesses Google Firebase while obfuscating the actual users and their devices. On the other hand, it reimplements some compatible APIs for Android apps without a Google server in the backend, such as UnifiedNlp for location determination via WiFi plus GPS. The API for maps and navigation also works without Google and instead uses OpenStreetMap, which is now usable. Micro G also lets various tracking and advertising APIs come to nothing: these are available on a smartphone, but are not connected to Google. Micro G has been funded by the Federal Ministry of Education and Research since 2019.