DP-3T/dp3t-sdk-android

Network traffic analysis attack is possible as sendFakeInfectedRequest is never referenced in code

secursive opened this issue · 1 comment

In order to confuse a network traffic analysis attack, it is necessary by design to send dummy requests of the same size and periodicity as real requests for potential infection. A method has been defined to do that: sendFakeInfectedRequest, but this method is never actually referenced in code.

public static void sendFakeInfectedRequest(Context context, Date onset, ExposeeAuthMethod exposeeAuthMethod)

This is correct. The including client needs to make sure to call this method, which is done, for example, in the Swiss case here: https://github.com/DP-3T/dp3t-app-android-ch/blob/develop/app/src/main/java/ch/admin/bag/dp3t/networking/FakeWorker.java#L86, along with the fake request to the health authority to get an authorization token for a positive test result.
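
The requirement discussed in this thread, dummy reports that match real ones in size and are sent by the integrating app on its own schedule, shown as an added example (not code from the DP-3T SDK or the Swiss app). The JSON field names, the 32-byte key length, the 24-hour mean interval and the exponential delay are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Locale;

// Added illustration; not DP-3T SDK code.
// Field names and constants below are assumptions, not the SDK's wire format.
public class CoverTrafficExample {
    static final int KEY_BYTES = 32;              // assumed key length
    static final double MEAN_INTERVAL_H = 24.0;   // assumed mean gap between fake reports
    static final SecureRandom RNG = new SecureRandom();

    // One serializer for both cases: real and fake bodies differ in content, never in length.
    static byte[] buildBody(byte[] key, long onsetEpochDay, boolean fake) {
        if (key.length != KEY_BYTES || onsetEpochDay < 0)
            throw new IllegalArgumentException("unexpected key length or onset");
        String json = String.format(Locale.ROOT, "{\"key\":\"%s\",\"onset\":\"%010d\",\"fake\":%d}",
                Base64.getEncoder().encodeToString(key), onsetEpochDay, fake ? 1 : 0);
        return json.getBytes(StandardCharsets.UTF_8);
    }

    // Fake report: a random key of the real length, passed through the same serializer.
    static byte[] buildFakeBody(long onsetEpochDay) {
        byte[] key = new byte[KEY_BYTES];
        RNG.nextBytes(key);
        return buildBody(key, onsetEpochDay, true);
    }

    // Delay until the next fake report. Drawn from an exponential distribution (an
    // assumption here) so the sends do not sit on a fixed clock an observer could filter.
    static long nextDelayMillis() {
        double hours = -Math.log(1.0 - RNG.nextDouble()) * MEAN_INTERVAL_H;
        return (long) (hours * 3_600_000L);
    }

    public static void main(String[] args) {
        byte[] realKey = new byte[KEY_BYTES];     // constructed sample key (all zeros)
        long onset = 18_400L;                     // constructed sample onset day
        byte[] real = buildBody(realKey, onset, false);
        byte[] fake = buildFakeBody(onset);
        if (real.length != fake.length)
            throw new AssertionError("size leak: " + real.length + " vs " + fake.length);
        System.out.println("body length real=" + real.length + " fake=" + fake.length);
        System.out.println("next fake report in " + nextDelayMillis() / 60_000 + " min");
    }
}
```

In an integrating app, the scheduled job would call the SDK's `sendFakeInfectedRequest` where this example only builds the body, and a build-time check that the method has at least one call site catches the gap reported in this issue.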