Social Monitoring Application: Traffic Analysis

It all started with my arrival in Moscow. As required, I took the PCR test for COVID, waited for a negative result, uploaded it to the State Services portal and ... decided that this was the end of my Moscow adventures. It turned out not to be so simple. A doctor unexpectedly showed up and handed me a decree obliging me to stay at home in quarantine for two weeks, because an infected person had been on my flight. I had heard a lot about the Social Monitoring application and had even read an article on Habr where people dug into its beta version. What researcher could resist taking apart such an interesting application?



I will say right away that my goal was not to deceive the system or escape quarantine. I honestly spent my two weeks at home. Well, I did go to the nearest shop a couple of times for a beer. The goal was to see what this system knows about us and how true some of the statements of its authors are. First I collected some preliminary information, and found roughly the following:



  1. The application is said to be based on a garbage-truck tracking program. I found no sane confirmation of this, and digging into the program's internals did not confirm anything of the kind either.
  2. The beta version was not protected in any way; it was decompiled and uploaded to GitHub. It was later removed from GitHub at the request of the copyright holder.
  3. The beta version sent pictures to a server in Estonia in order to use a face recognition service there.
  4. Then I read a statement by the head of DIT, Eduard Lysenko. It was reported as follows: "The head of DIT of Moscow categorically denied the information that the application transmits photos to a third-party server. 'In fact, nothing is transferred anywhere,' he said. 'Firstly, no photos are transferred in principle. Secondly, the biometric code that appears goes exclusively to the DIT servers.'" At this point I was already wondering how these pictures are "not transferred in principle". Are they converted into a biometric code right on the smartphone?
  5. The new version of the program is heavily obfuscated, and it is now almost impossible to analyze.


Then I collected rumors from friends and acquaintances:



  1. In fact, not one photo is transmitted but a series of photos, so that you cannot simply hold up a paper photo of yourself. Or even video is transmitted.


I installed the "live" application on my iPhone and did not plan to poke around in it there at all. I had no iPhone that I could jailbreak, but I did have a rooted Android, so I started with that. Incidentally, on a rooted Android the application refuses to start. The obfuscation of the Java code is amusing: all variable and function names have been renamed, but if you follow the chain you land on a perfectly readable piece of code. It is a bit like walking through a disassembler listing, except that the surprise comes at the end. I would have spent at least a couple of days digging through that code, but then a simpler idea occurred to me: what if they simply trust the OS to validate TLS certificates? At work I sometimes have to reverse the protocols of Apple, Google, WhatsApp and many others, and almost all of them pin their certificates inside the program, which makes traffic analysis much harder.



I put mitmproxy on the MacBook, a very handy traffic analyzer that needs minimal setup. Download its root certificate, install it on the iPhone as a profile (on iOS you also have to enable full trust for it under Settings > General > About > Certificate Trust Settings) and that's it: the application accepted the interception certificate, so there is no pinning, and all of its traffic is visible at a glance.



Application registration



You need to install and register the application within 24 hours of the start of quarantine. An SMS arrives about this. Before that, registering was pointless: the phone simply was not in the database. This is how the registration request looks:



2020-09-12 17:48:03 POST https://sm-a-a90ae4b5a.mos.ru/api/covid/device/password HTTP/2.0
                         ← 200 application/json 82b 156ms
{
    "deviceId": "2FFA9DB6-4900-4973-B1AE-BA5874BEXXXX",
    "phone": "7925xxxyyzz"
}


The response is always "200 OK" and nothing more. If the phone is in the database, an SMS with a code arrives, which must be entered into the application. If the phone is not in the database, nothing arrives. The deviceId is a UUID that identifies the iPhone (apps on modern iOS cannot read the hardware UDID, so this is most likely the per-vendor identifier that iOS hands out, which would also explain why it does not survive a restore onto new hardware), and everything is tied to it. If the iPhone breaks and you restore a new one from a backup, the application will not work. And then there will be a fine, and it is unclear how to contest it. Here and below, private data has been fully or partially replaced with "XXYYZZ".



Coordinate transmission



Then I plucked up the courage and connected the "live" phone through mitmproxy. Every 5-10 minutes, and also on application start, the following request is made:



2020-09-12 17:56:32 POST https://sm-a-a90ae4b5a.mos.ru/api/covid/device/60B1A8A1-2AD9-447C-BB25-91YYYYY19C6E/message  
                         HTTP/2.0                                                                                     
                         ← 200 application/json 83b 84ms
                         
[
    {
        "accuracy": 65,
        "battery_level": 68,
        "charge": false,
        "datetime": "2020-09-12T14:56:32Z",
        "device_model": "iPhone 11 Pro",
        "indoorNavigation": {
            "bluetoothDevices": [],
            "wifiDevices": [
                {
                    "name": "wifi-XXX",
                    "rssi": 0
                }
            ]
        },
        "install_datetime": "2020-09-08T07:57:11Z",
        "lat": 55.XXZZZ732239728,
        "locationDatetime": "2020-09-12T14:56:31Z",
        "locationStatus": {
            "gps": true,
            "isPermissionGranted": true,
            "network": true,
            "passive": true
        },
        "lon": 37.YYZZZ270607305,
        "os_version": "iOS 13.7.0",
        "version_ext": "1.7 (127)"
    }
]


Here we again see a deviceId; it is different because I made the first request from the iPad.



accuracy - the accuracy of the coordinate fix. The units are not stated, but iOS reports CLLocation's horizontalAccuracy in metres, and 65 is the typical figure for a position derived from Wi-Fi rather than GPS.

battery_level - the battery charge level. I wonder why DIT needs it.

charge - whether the phone is charging. It is also unclear why this is transmitted.

datetime - the current date and time on the device. Probably used so that the time on the device cannot be "wound back": the server can compare it with its own receipt time.

device_model - phone model. Well, I do not mind DIT finding that out.

indoorNavigation - this one is interesting. It is a list of visible Wi-Fi networks (SSID and signal level) from which a position could be derived. However, only the SSID is transmitted, not the BSSID, and here rssi is 0 anyway. An SSID is neither unique nor stable, so a position cannot reliably be determined from the network name alone, which makes this data of little use.

install_datetime - could be used as a guard against emulating these requests, although the value is easy to obtain if you want it.

lat, lon - the coordinates themselves.

locationStatus - whether GPS is enabled and whether the program has location permission (it needs it in the background). If not, there will be a fine.

os_version - the iOS version.

version_ext - the application version. It matches the versionext header (1.7 (127)) sent with the photo upload: version 1.7, build 127.



Selfie transfer



Now the fun begins. Let's sniff the traffic at the moment a selfie is uploaded. So where are our biometric hashes and videos? Here is what actually happens:



2020-09-12 18:00:15 POST https://sm-a-a90ae4b5a.mos.ru/api/covid/device/60B1A8A1-2AD9-447C-BB25-91YYYYY9C6E/photo
                         HTTP/2.0
                         ← 200 application/json 39b 301ms
:authority:       sm-a-a90ae4b5a.mos.ru
content-type:     multipart/form-data; boundary=alamofire.boundary.04b478f466f0605d
accept:           */*
shard:            6
authorization:    Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1OTk1NjYzMjl9.iq-noX2tu13tr4ut7sBWpgWl77sELkTkXCdODK9yvL8
ostype:           iOS
accept-language:  en-RU;q=1.0, ru-RU;q=0.9, cs-RU;q=0.8
accept-encoding:  br;q=1.0, gzip;q=0.9, deflate;q=0.8
versionext:       1.7 (127)
content-length:   378238
user-agent:
cookie:           session-cookie=163402e73a984c296450ad1fdcb1815835321af39172a2bef8658e48071941dc73acdb9d1d976170d2ef970da45f5c87
Multipart form
Form data:

photo:     ..JFIF..... . ..  . Exif..MM.*.............................J...........R.(.......... i.........Z....... .....


Well, everything is clear, right? This part is protected a little better: the request carries a Bearer token (a JWT, judging by its three dot-separated base64url parts) and a session cookie, which handle authorization. I did not capture the moment the token was issued; perhaps it arrives together with the request for a selfie. Exactly one photo is uploaded, as a plain JPEG in a multipart form. Where is your biometric hash, Mr. Lysenko?
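As an added check that is not part of the original post: the Bearer token in the capture above is a JSON Web Token, and its header and payload are only base64url-encoded, so they can be read without the server's key. The block below decodes the token exactly as it appears in the capture (it does not verify it: the alg is HS256, a symmetric HMAC, so only a holder of DIT's secret could verify or mint one, which the sign/verify pair illustrates with a made-up key) and compares its exp claim with the time of the request. The request time is mitmproxy's local clock converted to UTC using the 3-hour offset visible between the capture timestamps and the datetime fields of the /message body; the demo key is an assumption and has nothing to do with the real server.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Token copied verbatim from the captured photo upload.
CAPTURED_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJleHAiOjE1OTk1NjYzMjl9."
    "iq-noX2tu13tr4ut7sBWpgWl77sELkTkXCdODK9yvL8"
)
# mitmproxy showed 2020-09-12 18:00:15 local; the /message body shows the
# device clock is UTC+3, so the upload happened at 15:00:15Z.
REQUEST_TIME = datetime(2020, 9, 12, 15, 0, 15, tzinfo=timezone.utc)


def b64url_decode(s: str) -> bytes:
    """base64url without padding, as used by JWS; re-add padding first."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str):
    """Return (header, payload, signature_bytes) WITHOUT checking the signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    return header, payload, b64url_decode(sig_b64)


def exp_datetime(payload: dict) -> datetime:
    """RFC 7519 NumericDate (seconds since the Unix epoch) as an aware datetime."""
    return datetime.fromtimestamp(int(payload["exp"]), tz=timezone.utc)


def is_expired_at(token: str, when: datetime) -> bool:
    _, payload, _ = decode_jwt_unverified(token)
    return exp_datetime(payload) <= when


def _signing_input(header: dict, payload: dict) -> str:
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Mint an HS256 token. Anyone holding `key` can do this, which is why a
    symmetric alg means the server must keep the key strictly to itself."""
    signing_input = _signing_input(header, payload)
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_hs256(token: str, key: bytes) -> bool:
    """Constant-time HMAC check; refuses anything whose header is not HS256
    so an attacker cannot downgrade to alg=none."""
    header, _, sig = decode_jwt_unverified(token)
    if header.get("alg") != "HS256":
        return False
    signing_input, _, _ = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    hdr, body, sig = decode_jwt_unverified(CAPTURED_TOKEN)
    print(hdr, body, f"{len(sig)}-byte tag")
    print("exp =", exp_datetime(body).isoformat(),
          "expired at request time:", is_expired_at(CAPTURED_TOKEN, REQUEST_TIME))
```

Decoded, the payload is {"exp": 1599566329}, i.e. 2020-09-08T11:58:49Z, a few hours after the install_datetime seen in the /message body, while the photo upload that carried it was accepted with 200 on 2020-09-12 at 15:00:15Z. If exp is a standard NumericDate, the server accepted a token that had expired four days earlier; either exp is not enforced on this endpoint, or the session cookie sent alongside it is what actually authorizes the upload. Either way, the token carries no subject or device claim at all, so on its own it says nothing about who is uploading.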



Status request and quarantine release



Besides sending coordinates, the application also regularly requests its status. It is possible that the request to take a selfie arrives in response to a status request. When the application stopped asking me for selfies, I sniffed the status request out of curiosity:



2020-09-18 13:28:13 GET https://sm-a-a90ae4b5a.mos.ru/api/covid/device/60B1A8A1-2AD9-447C-BB25-91XXXXX19C6E/status
                        HTTP/2.0
                        ← 200 application/json 317b 181ms

{
    "code": 0,
    "io": "  .",
    "last_android_version": "1.1.1",
    "last_ios_version": "1.0",
    "message": " !        -",
    "quarantine": null,
    "status": "active"
}


The most interesting thing in the server's response is "quarantine": null. This means the quarantine has ended. But the app does not tell you that. Moreover, the message still promises to request selfies, and the status is still "active". And the coordinates ... of course the application keeps sending the device's coordinates to the DIT server! So uninstall the application as soon as quarantine ends.



What can be done



It is clear from the above that one could write a script that emulates the application and sends all the required data. Writing one is complicated by the fact that it is easy to pick up a fine while testing. First you would need to sniff the whole registration flow to the end, including the moment the SMS code arrives, and then deal with the Bearer authentication and other details. It is also possible that they analyze the EXIF metadata of the photos, which contains the exact time and coordinates; the capture above does confirm that the upload carries an Exif segment, though the dump is too short to tell which tags it contains. In that case the workaround would be to take many different photos in advance and edit the EXIF on the fly before sending.
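An added check for the EXIF hypothesis above, not code from the original post: rather than guess whether the server can read a time and position out of the selfie, inspect the JPEG the app uploads. The capture shows the file starts with a JFIF APP0 segment followed by an APP1 "Exif" segment with an "MM" (big-endian) TIFF header, and that is the layout this minimal parser walks. It reads IFD0 and the GPS IFD without any imaging library, converts the GPS rational triple to decimal degrees, and can strip the Exif segment while leaving the image data alone. Since the real selfie is not reproducible here, build_sample_jpeg() constructs a stand-in with the same segment layout; the tag ids and structure come from the TIFF/Exif specification, while the DateTime and latitude in the sample are invented.

```python
import struct

# Tag names we care about; anything else is reported by its hex id.
IFD0_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime",
             0x8769: "ExifIFD", 0x8825: "GPSInfo"}
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}


def iter_segments(jpeg):
    """Yield (marker, body) for each JPEG header segment up to SOS or EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xD9:                      # EOI
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, jpeg[pos + 4:pos + 2 + length]
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            return
        pos += 2 + length


def decode_value(typ, count, raw, endian):
    if typ == 2:                                # ASCII, NUL-terminated
        return raw.split(b"\0", 1)[0].decode("ascii", "replace")
    if typ in (3, 4, 9):                        # SHORT, LONG, SLONG
        vals = struct.unpack(endian + {3: "H", 4: "I", 9: "i"}[typ] * count, raw)
    elif typ in (5, 10):                        # RATIONAL, SRATIONAL
        nums = struct.unpack(endian + ("I" if typ == 5 else "i") * 2 * count, raw)
        vals = tuple(n / d if d else float("nan") for n, d in zip(nums[::2], nums[1::2]))
    else:
        return raw
    return vals[0] if count == 1 else vals


def read_ifd(tiff, offset, endian):
    """Parse one IFD into {tag: value}; values wider than 4 bytes sit at an offset."""
    n = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        size = TYPE_SIZE.get(typ, 1) * count
        if size <= 4:
            raw = tiff[e + 8:e + 8 + size]
        else:
            off = struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
            raw = tiff[off:off + size]
        entries[tag] = decode_value(typ, count, raw, endian)
    return entries


def exif_summary(jpeg):
    """Return IFD0 tags (plus the GPS IFD) from the APP1 Exif segment, or None."""
    for marker, body in iter_segments(jpeg):
        if marker != 0xE1 or not body.startswith(b"Exif\0\0"):
            continue
        tiff = body[6:]
        endian = {b"MM": ">", b"II": "<"}[tiff[:2]]
        ifd0 = read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
        out = {IFD0_TAGS.get(t, hex(t)): v for t, v in ifd0.items() if t != 0x8825}
        if 0x8825 in ifd0:
            gps = read_ifd(tiff, ifd0[0x8825], endian)
            out["GPS"] = {GPS_TAGS.get(t, hex(t)): v for t, v in gps.items()}
        return out
    return None


def gps_to_decimal(dms, ref):
    d, m, s = dms
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value


def strip_exif(jpeg):
    """Copy the JPEG, dropping APP1 Exif segments; the image data is untouched."""
    out = bytearray(jpeg[:2])
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xD9:
        marker = jpeg[pos + 1]
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segment = jpeg[pos:pos + 2 + length]
        if not (marker == 0xE1 and segment[4:10] == b"Exif\0\0"):
            out += segment
        pos += 2 + length
        if marker == 0xDA:
            break
    out += jpeg[pos:]                           # scan data (or just EOI) as-is
    return bytes(out)


def build_sample_jpeg():
    """Constructed stand-in for the selfie: JFIF APP0 + big-endian Exif holding
    an invented DateTime and a GPS IFD (55 deg 45' 36.00" N); no scan data."""
    dt = b"2020:09:12 18:00:15\0"
    ifd0_off = 8
    dt_off = ifd0_off + 2 + 2 * 12 + 4          # IFD0 has 2 entries
    gps_off = dt_off + len(dt)
    rat_off = gps_off + 2 + 2 * 12 + 4          # GPS IFD has 2 entries
    ifd0 = (struct.pack(">H", 2)
            + struct.pack(">HHII", 0x0132, 2, len(dt), dt_off)
            + struct.pack(">HHII", 0x8825, 4, 1, gps_off)
            + struct.pack(">I", 0))
    gps = (struct.pack(">H", 2)
           + struct.pack(">HHI", 0x0001, 2, 2) + b"N\0\0\0"
           + struct.pack(">HHII", 0x0002, 5, 3, rat_off)
           + struct.pack(">I", 0))
    rationals = struct.pack(">6I", 55, 1, 45, 1, 3600, 100)
    tiff = b"MM\x00\x2a" + struct.pack(">I", ifd0_off) + ifd0 + dt + gps + rationals
    app0 = b"JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"Exif\0\0" + tiff
    return (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9")
```

Run exif_summary() on a real upload pulled out of mitmproxy (the form field body, starting at the FF D8 bytes) to see exactly which tags leave the phone; for a photo taken in-app the presence or absence of DateTimeOriginal and a GPS IFD settles the question the paragraph above leaves open. strip_exif() shows how little the server would have left to analyze if the app dropped the segment before upload.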



In conclusion, I want to say that I in no way urge anyone to violate quarantine, especially with a positive coronavirus test. This is just an analysis of the system and a small pebble in DIT's garden, given their fondness for strange public statements. Stay healthy!


