diia-open-source / android-diia Goto Github PK

License: European Union Public License 1.2

Kotlin 99.67% Java 0.33%

android-diia's Introduction

Diia

This repository provides an overview over the flagship product Diia developed by the Ministry of Digital Transformation of Ukraine.

Diia is an app with access to citizen’s digital documents and government services.

The application was created so that Ukrainians could interact with the state in a few clicks, without spending their time on queues and paperwork - Diia open source application will help countries, companies and communities build a foundation for long-term relationships. At the heart of these relations are openness, efficiency and humanity.

We're pleased to share the Diia project with you.

Useful Links

Topic	Link	Description
Ministry of Digital Transformation of Ukraine	https://thedigital.gov.ua/	The Official homepage of the Ministry of Digital Transformation of Ukraine
Diia App	https://diia.gov.ua/	The Official website for the Diia application

Getting Started

Build Process

To build you are required to have the dependency Android Studio installed. You can then follow these instructions:

Clone or download this repository
Open the project in Android Studio and run it from there or build an APK directly through Gradle: ./gradlew :opensource:assembleGplayDebug NOTE: Android SDK should be added to PATH environment variable for this to work.

Deploy to Device/Emulator: ./gradlew :opensource:installGplayDebug NOTE: You can also replace the "Debug" with "Release" to get an optimized release binary.

Before building Huawei specific app generate and place agconnect-services.json file in opensource module.

For build Huawei specific APK file use next command: ./gradlew :opensource:assembleHuaweiDebug

To deploy to device/emulator for Huawei use this: ./gradlew :opensource:installHuaweiDebug

How to test

To get mock user for testing please refer to the TESTING.md file for details.

How to contribute

The Diia project welcomes contributions into this solution; please refer to the CONTRIBUTING.md file for details

Licensing

Licensed under the EUPL (the "License"); you may not use this file except in compliance with the License. Re-use is permitted, although not encouraged, under the EUPL, with the exception of source files that contain a different license.

You may obtain a copy of the License at https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12.

Questions regarding the Diia project, the License and any re-use should be directed to [email protected].

android-diia's People

Contributors

Stargazers

Watchers

android-diia's Issues

Enable gradle dependency verification

Having safe, supply chain attack protected builds is as important as having stable reproducible builds.
As per #10 @dector's comment on supply chain attacks, it's important to verify external dependencies with care.
Fortunately, gradle provides a mechanism for this exact scenario called dependency verification.

Addressing this will have a nice side effect of weeding out redundant/obsolete dependencies, making build faster, smaller & safer

Відносно велика кількість помилок у текстах українською мовою

Перегляд змін у пр форкнутої репи

Посилання на чинний правопис

os debug build won't launch

00:21:52.516 WM-WorkerFactory         E  Could not instantiate ua.gov.diia.core.util.work.DoApplicationSettingsProvisionWork (Ask Studio Bot)
                                         java.lang.NoSuchMethodException: ua.gov.diia.core.util.work.DoApplicationSettingsProvisionWork.<init> [class android.content.Context, class androidx.work.WorkerParameters]
                                         	at java.lang.Class.getConstructor0(Class.java:3325)
                                         	at java.lang.Class.getDeclaredConstructor(Class.java:3063)
                                         	at androidx.work.WorkerFactory.createWorkerWithDefaultFallback(WorkerFactory.java:95)
                                         	at androidx.work.impl.WorkerWrapper.runWorker(WorkerWrapper.java:245)
                                         	at androidx.work.impl.WorkerWrapper.run(WorkerWrapper.java:137)
                                         	at androidx.work.impl.utils.SerialExecutor$Task.run(SerialExecutor.java:91)
                                         	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
                                         	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
                                         	at java.lang.Thread.run(Thread.java:1012)
00:21:52.516 WM-WorkerWrapper         E  Could not create Worker ua.gov.diia.core.util.work.DoApplicationSettingsProvisionWork
00:21:52.544 WM-WorkerFactory         E  Could not instantiate ua.gov.diia.core.util.work.CheckAppVersionUpdatedWork (Ask Studio Bot)
                                         java.lang.NoSuchMethodException: ua.gov.diia.core.util.work.CheckAppVersionUpdatedWork.<init> [class android.content.Context, class androidx.work.WorkerParameters]
                                         	at java.lang.Class.getConstructor0(Class.java:3325)
                                         	at java.lang.Class.getDeclaredConstructor(Class.java:3063)
                                         	at androidx.work.WorkerFactory.createWorkerWithDefaultFallback(WorkerFactory.java:95)
                                         	at androidx.work.impl.WorkerWrapper.runWorker(WorkerWrapper.java:245)
                                         	at androidx.work.impl.WorkerWrapper.run(WorkerWrapper.java:137)
                                         	at androidx.work.impl.utils.SerialExecutor$Task.run(SerialExecutor.java:91)
                                         	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
                                         	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
                                         	at java.lang.Thread.run(Thread.java:1012)
00:21:52.544 WM-WorkerWrapper         E  Could not create Worker ua.gov.diia.core.util.work.CheckAppVersionUpdatedWork
00:21:53.302 WM-WorkerFactory         E  Could not instantiate ua.gov.diia.notifications.work.SendPushTokenWork (Ask Studio Bot)
                                         java.lang.NoSuchMethodException: ua.gov.diia.notifications.work.SendPushTokenWork.<init> [class android.content.Context, class androidx.work.WorkerParameters]
                                         	at java.lang.Class.getConstructor0(Class.java:3325)
                                         	at java.lang.Class.getDeclaredConstructor(Class.java:3063)
                                         	at androidx.work.WorkerFactory.createWorkerWithDefaultFallback(WorkerFactory.java:95)
                                         	at androidx.work.impl.WorkerWrapper.runWorker(WorkerWrapper.java:245)
                                         	at androidx.work.impl.WorkerWrapper.run(WorkerWrapper.java:137)
                                         	at androidx.work.impl.utils.SerialExecutor$Task.run(SerialExecutor.java:91)
                                         	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
                                         	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
                                         	at java.lang.Thread.run(Thread.java:1012)
00:21:53.303 WM-WorkerWrapper         E  Could not create Worker ua.gov.diia.notifications.work.SendPushTokenWork

Deprecated nginx version

android-diia/ui_base/src/main/java/ua/gov/diia/ui_base/components/organism/carousel/HalvedCardCarouselOrg.kt

Line 63 in 017081e

imageURL = "https://business.diia.gov.ua/uploads/4/22881-main.jpg",

The version of nginx on the website https://business.diia.gov.ua/uploads/ is 1.18.0, which reached the end of its security support on April 20, 2021.

UPD: nginx version is hidden but the issue must be still present though

gmail email in support address?

android-diia\notifications\src\main\res\layout"

        tools:text="Для подробиць зателефонуйте  за номер \n+38 (000) 00 00 000 або напишіть на почту \[email protected]. Детальна інструкція \nsupport.diia.gov.ua" />

I am not sure if this address is really in use, but a bit strange to use gmail mailbox for government application.
Also phone number is incorrect

Remove usage of GlobalScope

The usage of GlobalScope - DiiaAndroidNotificationManager
Why not use global scope

Rethrow CancellationException in try-catch blocks for coroutines

Here is a code from repository LoginVM

The CancellationException should be re-thrown in a catch block when we use try-catch in coroutines.

Why?

Kotlin doc
Medium article
Florina Muntenescu's article - Cancellation in coroutines

Useless @Analytics?

What is the purpose of this annotation? I couldn't find any explanation

Gradle build files are not up-to-date with best practices

First of all, gradle.kts is a staple of supporting build files for a few years at this point, other stuff includes:

duplication of build file configuration due to lacking convention plugins
gradle.properties values that specify default values
TOML version catalog is a great way to centralise dependencies without the need for custom gradle scripts

Why are you storing Kotlin files at Java sources?

you can create separate Kotlin source

Add best practices for improving security

This is not critical, but it can be improved and made safer.
I see that the pin code is used exclusively as a feature in UI, but developer still trying to store PIN code in encrypted using https://developer.android.com/reference/androidx/security/crypto/EncryptedSharedPreferences.

Honestly, this doesn't make sense if you assume the device won't be rooted (rooted == hacked/vulnerable device), you can just use base preferences https://developer.android.com/reference/android/content/SharedPreferences . Nothing outside can't read this.

Code: https://github.com/diia-open-source/android-diia/blob/main/diia_storage/src/main/java/ua/gov/diia/diia_storage/EncryptedAndroidKeyValueStore.kt#L35

Also, biometric authentication doesn't do anything useful.

Code: https://github.com/diia-open-source/android-diia/blob/main/biometric/src/main/java/ua/gov/diia/biometric/ui/BiometricAuthPrompt.kt#L16

If you assume device on which app is running may be hacked, you should add basic best security practices.

1. Hashing PIN with random salt

Current approach of using EncryptedSharedPreferences for storing PIN, while encrypted, does not fully leverage best practices in secure data stored. It's good practice to hash it with a random salt. First link from google: https://medium.com/@chris_42047/thoughts-on-storing-passwords-securely-in-android-aa3207aede21

For example:

fun randomSalt(): ByteArray {
    val bytes = ByteArray(256)
    SecureRandom.getInstanceStrong().nextBytes(bytes)
    return bytes
}
    
fun passcodeSecretKey(
    passcode: CharArray,
    iterationCount: Int = 1000,
    keyLength: Int = 256
): SecretKey {
    val salt = randomSalt()
    val factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSha256")
    val spec = PBEKeySpec(passcode, salt, iterationCount, keyLength)
    return factory.generateSecret(spec) ?: throw IllegalStateException("failed generate secretKey")
}

After PIN been set, you only need to save the salt and its hash in storage. Not necessarily, but can encrypt them too, like key wrapping. Also you can use other algorithms for this (Argon2 e.t.c.).

2. Encrypt sensitive data based on PIN or biometrics.

Current use of PIN solely as UI element is not a good.

Use this to encrypt API auth token or local database. If the user uses biometrics for authorization, use https://developer.android.com/reference/androidx/biometric/BiometricPrompt.CryptoObject .
It is also good to use second API auth token local encrypted by use PIN or biometric for sensitive actions (request certificates or sensitive information from API)

3. Some minor improvements

Using CharArray for PIN to improve memory handling and security. First link from google https://sentry.io/answers/char-vs-string-passwords/
Customizing KeyGenParameterSpec.Builder for MasterKey in EncryptedSharedPreferences, incorporating stronger encryption policies. For example: setDigests(KeyProperties.DIGEST_SHA512), setRandomizedEncryptionRequired(true) and maybe setIsStrongBoxBacked(true)

Realistic scenario for bypassing current PIN implementation involves gaining physical access to a device, rooting it, and using tools like Frida for skip PIN screen or read encrypted preferences.

Good links and examples:

Update okhttp library

com.squareup.okhttp3:okhttp 3.12.2 has a vulnerability CVE-2023-0833.
Issue
This vulnerability affects com.squareup.okhttp3:okhttp package versions through 4.9.1, 4.10.0-RC1, and 5.0.0-alpha.1 through 5.0.0-alpha.2.

How to build a release version without deploying?

I didn't manage to build a release version of the app without deploying. There was no issues with ./gradlew :opensource:assembleGplayDebug however. Tried ./gradlew :opensource:assembleGplayRelease, but it didn't produce an .apk. Any suggestions on how to make it work?

Add the app to F-Droid repository

Додайте застосунок у репозиторії F-Droid, щоб люди без Google сервісів з вільними прошивками мали змогу користуватися додатком

Дякую

Reuse config in gradle files

There is a huge amount of duplication in .gradle files which can be extracted to shared config files