Australian COVIDSafe App Source Code

[EEVblog]

Here is the decompiled source code for the Australian COVIDSafe Android App
It's supposed to be readable in Android Studio but I have not tried it myself as that's not my thing.

https://github.com/EEVblog/COVIDSafe-1.0.11

[NivagSwerdna]

also https://github.com/ghuntley/COVIDSafe_1.0.11.apk

It's written in Kotlin so it must be good. (I'm a secret Kotlin admirer)

[SiliconWizard]

Ouch. Of Kotlin, I just know the name... Just took a quick look, but what's all this metadata stuff (which looks like it's not text) and where's the source code?
*confused*

[NivagSwerdna]

Looks like my wife would be able to check up on all the BLE devices I've been spending time with.

[EEVblog]

A breakdown:
https://twitter.com/matthewrdev/status/1254336105203200000

[Wilksey]

Hmm,
The code is here: https://github.com/EEVblog/COVIDSafe-1.0.11/tree/master/smali/au/gov/health/covidsafe
But it isn't "code", it's I guess you could call it bytecode or IL code sort of.

The trouble is nothing decompiled ever recompiles properly, all a APK file is, is a ZIP file, so the way I reverse engineer is to rename the APK to ZIP, extract the .DEX files, run DEX2JAR to reproduce the .jar file then run it through jd-gui (java decompiler).

[NivagSwerdna]

Hmm

try https://github.com/ghuntley/COVIDSafe_1.0.11.apk; decompiled in 2 flavours.

[SiliconWizard]

Yeah, so they didn't actually release any source code.

Apparently, they didn't obfuscate the compiled stuff, so yeah you can decompile it and get something readable. No clue how readable that really is though.

But I'm wondering why they didn't release the source code if they wanted to be really transparent.

[NivagSwerdna]

"You’ve have successfully uploaded our information to COVIDSafe`s highly secure server. State and Territory health officials will notify other COVIDSafe users that have recorded instances of close contact with you. Your identity will remain anonymous to other users."

If I am interpreting the app correctly it stores contacts locally and only uploads on user action and then it only uploads contacts you have had with other BLE identified users.  I guess they are then traced and encouraged to upload... and then the network of contacts expands.

Sounds pretty tame.  If I had written it I would upload all contacts automatically and build a network of what people were up to. 

[Syntax Error]

Just wondering who ends up on the apps...

"Lau/gov/health/covidsafe/streetpass/BlacklistEntry"

...and why?

[EEVblog]

Sounds pretty tame.

It is, because everyone complained about it they had to prune it back to nothing.
The iPhone app doesn't even work unless you have the program in focus and the screen on all the time. Totally useless.

[ShortCircuitMEL]

The trouble is nothing decompiled ever recompiles properly, all a APK file is, is a ZIP file, so the way I reverse engineer is to rename the APK to ZIP, extract the .DEX files, run DEX2JAR to reproduce the .jar file then run it through jd-gui (java decompiler).

Give a try to Decompiler.com. It decompiles .APK files as a whole, but also supports .DEX and .JAR decompilation.

[SiliconWizard]

I'm not sure about Australia, but looks like in most "western" countries, those apps ended up total flops anyway.

[Nominal Animal]

Surprisingly, the sources for the Finnish Koronavilkku is online: backend, Android, and iOS.

[AntiProtonBoy]

Curious, what was the purpose of decompiling the COVIDSafe app, when sources are officially available to download (see below)?

https://github.com/AU-COVIDSafe

Are there any surprises in the binary distributions that is missing from the official sources?