Is your feature request related to a problem? Please describe it.
Implement root detection for android.

Describe the solution you'd like
Detect whether a phone is root or not.

Issue content

Sarebbe opportuno rinforzare la funzione aumentando il numero di caratteri, inserendo ad esempio le lettere minuscole e qualche carattere speciale, inoltre sarebbe opportuno inserire un algoritmo di Salt a protezione dell'hash.

Issue content

I have forked the project and used a dependency security scanner to check if there are some security problems related to the library used by the project.

This is the result:

Security scan

I suggest you to check all the dependencies of the project, because many of potential security problems may be solved with a minor update

all the best
matteo baccan

Describe the bug
There are missing/placeholder/not working parts that will need to be changed before releasing:

• TOS are missing (placeholder)
• Privacy Policy is missing (placeholder)
• FAQ cannot be opened (connection error message)

Describe the bug

In the EN, ES, FR, DE versions of the app, the Legal docs links redirect to the Italian TOU and PN.

perché la generazione del codice OTP avviene ogni volta che si apre la schermata di "caricamento dati" e non avviene mediante temporizzazione?
si potrebbe forzare un device ad avere lo stesso OTP di un altro mediante una riapertura automatica della scheda.

The app interface doesn't support English language.

I think this feature is important considering the presence of non-italian speakers in the country like seasonal workers and immigrants.

Issue content

Immuni supports RTL then layouts should use start and end instead left and right according to https://developer.android.com/about/versions/android-4.2.html#RTL

Describe the bug

When onboarding after the Choose City step when user is asked for Exposure notification clicking on "Consenti" show the exception toast and the app can't go on and nothing's showing on screen.

Expected behaviour
The app should show a dialog to ask for something

Screenshots

Smartphone (please complete the following information):

• Device: Samsung A-50
• OS: Android 10
• Version 1.0

Additional context
The error seems to be generated by an exception in startExposureNotification method inside OnBoardingViewModel. Putting a breakpoint at line 155 when launching the coroutine, an exception is risen with this message:

ApiException: 17: API: Nearby.EXPOSURE_NOTIFICATION_API is not available on this device. Connection failed with: ConnectionResult{statusCode=UNKNOWN_ERROR_CODE(39507), resolution=null, message=null} atcom.google.android.gms.common.internal.ApiExceptionUtil.fromStatus(com.google.android.gms:play-services-base@@17.2.1:4) atcom.google.android.gms.common.api.internal.ApiExceptionMapper.getException(com.google.android.gms:play-services-base@@17.2.1:2)

Maybe is a device problem but I wasn't notified of anything at all.

nel file HomeListAdapter.kt vi è la classe HomeListAdapter che presenta il clickListener, sarebbe meglio che questa fosse dichiarata privata

Describe the bug
Incorrect Warning is triggered when users become positive. Text refers to having been in contact with a positive user when the users are actually positive themselves.

Smartphone (please complete the following information):

• Device: Huawei P30
• OS: Android 10
• Version (42)

Untitled.mp4.zip

Describe the bug

DE, ES, FR localizations not yet available in the app.

To Reproduce

1. Change device language settings to German/French/Spanish
2. Open the app
   --> The app language is English.

Build: 54

Describe the bug

Toast with "Notifiche di esposizione non attivate" next to App Wizard

To Reproduce

1. Open App
2. Select Region
3. Select City
4. Click Consenti
5. Toast with "Notifiche di esposizione non attivate" next to App Wizard
6. Wizard restart if i close and reopen app.

Expected behaviour

App starting(?)

Screenshots

Smartphone (please complete the following information):

• Device: Huawei Mate 20 Lite
• OS: Android 10
• Version [e.g. 1.0.0] 1.0

Describe the bug

If the user gives consent to receive Immuni notifications but Exposure Notifications are turned off, no push notification is received to alert that the service is inactive. The user can see that the service is inactive only by opening the app.

To Reproduce

1. Give consent to receive Immuni notifications
2. Go to Settings > Google > COVID-19 exposure notifications
3. Tap to Turn off exposure notifications and Confirm
4. Open the app and observe that the Service is inactive
   --> No push notification is sent to alert the user.

Expected behaviour

A push notification should be sent to alert that the service is inactive.

Describe the bug

Onboarding/Pin advice and Onboarding/Malicious screens need to be updated with the latest approved copy.

Build: 54

Describe the bug
When the countdown to tap on the Verify button is over the Error message does not disappear

To Reproduce

1. Go to Upload Data
2. Tap on Check
3. Observe the Error message appearing saying that the code hasn't been approved yet
4. Wait for the countdown to finish
   --> Observe thee error message sticking on screen

Expected behaviour
The error message disappears when the countdown is over

Screenshots

ntext about the problem here.-->

glide annotation processor is duplicated

I need to send my phone to assistence, and i will use a temporary phone for at least one month, using a temporary phone.

What will happen when i will use again main main phone?

Can be the data tracked by my temporary phone "added" to my main phone?

What if i will notify Covid by my main phone? Will contacts with my temporary phone alerted?

Many thanks

It is really ugly to see app locked in portrait in 2020... with livedata, viewmodels and SavedStateViewModel!

There Is an uml diagram avaiable of the app?

To Reproduce

1. Go to Impostazioni > Immuni > Turn off Mostra notifiche
2. Opne the app > tap Riattiva Immuni > Consenti
   --> There is a typo in the second string of the Enable Notifications screen.

See screenshot below.

Issue content

getColor() is deprecated, you should use ContextCompat.getColor() instead.

Describe the bug

Two notifications are sent simultaneously when a contact at risk is detected (both OS and app notifications).

To Reproduce

1. Expose device A to another (B) that has turned positive
2. Wait until A detects the contagion risk and gets alerted
   --> Device A receives two notifications simultaneously to alert the user of the risk.

Note that Immuni notification is sticky and the user need to tap on it to dismiss it, while the OS notification is dismissable without opening the app.

If I disable exposure notifications on Android settings, I keep seeing the screen that Immuni service is active on the home page (only if I don't close the app via task manager).

To Reproduce

1. Open the immune app, verify that it is active and leave the app in background
2. Go to Android settings, Google, Exposure notifications to covid-19 and disable the exposure notifications
3. Open the Immuni app again

Expected behaviour
I expect that having disabled the exposure log, Immuni should say that the service is not active, but instead I keep seeing that the service is active. If I close and reopen the app from the task manager, the problem is solved.

Screenshots

Smartphone:

• Device: Samsung A40
• OS: Android 10

Additional context
Same problem on iOS simulator

Describe the bug

On Samsung Galaxy S10, there is a cut off string in the pop-up message in the High Exposure suggestion screen.

To Reproduce

1. On a device with High Exposure alert tap on Scopri subito cosa fare
2. Tap on Ho contattato il medico
   --> Observe the cut off in the pop-up message.

Screenshots

• Device: Samsung Galaxy S10
• OS: Android 10
• Build: 54

Just build the project then installed on device. Can't pass the onboardig screen, in the step Attiva le notifiche di esposizione COVID-19. Touching Consenti doesn't go further but displays a toast message with "Notifiche di espozicione non attiva".
What I understood is that I need to activate some settings but can't figure it out. GPS and Bluetooth are enabled.

come affermato del dalle specifiche della libreria, importando questa libreria lo sviluppatore potrebbe accedere alla posizione con una bassa granularità

"Unless noted, all Location API methods require the Manifest.permission.ACCESS_COARSE_LOCATION or Manifest.permission.ACCESS_FINE_LOCATION permissions. If your application only has the coarse permission then it will not have access to fine location providers. Other providers will still return location results, but the exact location will be obfuscated to a coarse level of accuracy.
Requires the PackageManager#FEATURE_LOCATION feature which can be detected using PackageManager.hasSystemFeature(String)."

https://developer.android.com/reference/android/location/LocationManager

Issue content

Se i dati sono identificati da un codice alfanumerico che dovrebbe garantire l'anonimato, se, nel momento in cui "carico i dati" sul server centrale (dove?) e "devo" comunicare il mio codice all'operatore sanitario (che ovviamente mi sta identificando), come fa l'applicazione a garantire l'anonimato?
Chi è questo "operatore sanitario" a cui sto comunicando i dati? Cosa fa l'"operatore sanitario" quando "conferma il codice" che ho comunicato?

As discussed in
immuni-app/immuni-documentation#65 the app cannot be installed, used or kept up-to-date unless the user connects its phone to a Google account.

This is both a privacy risk (the same executable providing the Exposure Notification service is aware of user's identity), as well as a fair competition issue (the government should not oblige a citizen to subscribe a certain private service, even if free of charge, in order use a public service).

Describe the bug

The application currently points to endpoints that are not publicly accessible. The application works nonetheless, however it would be better to have working endpoints.

To Reproduce

1. Open the application
2. Observe that the configuration is not fetched

Expected behavior

The application should be able to reach remote endpoints

Smartphone (please complete the following information):

• Device: any
• OS: Android 6+
• Version 1

In the Network module, the comment of the method createServiceAPI() in the Network class has a wrong "instance" word.

/**
 * Creates an **instace** of [apiClass]
 * using the [Network] and [NetworkConfiguration] config.
 */
fun <T : Any> createServiceAPI(apiClass: KClass<T>): T {
    return NetworkRetrofit(context, config).retrofit.create(
        apiClass.java
    )
}

Issue content

Please consider disabling the Javascript engine inside the WebViewPopup class:

This exposes the app to XSS attacks and it's probably not really necessary (looks like you're using the WebView mostly to render TOS/PrivacyPolicy/FAQ pages) for the app to work properly.

Describe the bug

All blue buttons in the app should have a light shadow around them by design but it's missing.

To Reproduce

1. Go to Impostazioni > Caricamento dati
   --> The blue button Verifica is missing the light blue shadow expected by design.

Note that all blue buttons in the app are missing the shadow.
See a few examples in the screenshots attached.

Screenshots

Could you please elaborate on the following sentence?

At the current stage, the application points to backend services which are not publicly accessible and whose source code has not been released. Note that the application is designed to work without a backend, especially in the context of not having the Exposure Notification entitlements (see Installation.

I think it would be really appreciated by everyone knowing what's the purpose of every call, in particular POST ones! what are you sending? to whom? ecc.

All the best.
Matteo

The file PlayStoreActions.kt has a hardcoded HTTP connection to the Google Play Store. This can lead to MiTM attacks.

Code conciseness
Using androidx.Fragment, it's possible to clean up a bit each Fragment class by removing the onCreateView method with the layout inflation in favor of the alternate Fragment constructor that allows providing the default layout.

Androidx Fragment releases page

Example
Instead of writing

class MyFragment: Fragment() {

// ...

override fun onCreateView(inflater: LayoutInflater, container: ViewGroup?,
        savedInstanceState: Bundle?): View? {
        return inflater.inflate(R.layout.my_fragment, container, false)
    }
}

it's now possible to simplify it with:

class MyFragment: Fragment(R.layout.my_fragment) {
    // onCreateView no longer needed
}

Describe the bug

Two capitalization issues in the FAQ for consistency with the rest of the copy:
immuni >> Immuni
bluetooth >> Bluetooth

To Reproduce

1. Go to FAQ
   --> In one instance "immuni" and "bluetooth" are lowercase.

Describe the bug

There's a visual glitch on Android 10 on the "Scopri di più" section.
There's a grey bar at the top of the navigation bar.

To Reproduce

1. Open the app
2. Click on "Scopri di più"
3. Look at the gray bar

Expected behaviour

No gray bar.

Screenshots

Smartphone (please complete the following information):

• Device: Xiaomi Mi A3
• OS: Android 10
• Version 1.0.0

Additional context

Issue content

If I click on the two "links" a white page appears.

Describe the bug

During the on-boarding, the app asks a permission to enable the COVID-19 exposure notifications. Even though the locations services have already been activated, when the "Allow" button is clicked, the app shows "Exposure notifications not enabled".

To Reproduce

Steps to reproduce the behavior:

1. Go to 'Enable COVID-19 exposure notifications'
2. Click on 'Allow'
3. See error as a Toast

Expected behavior

Although the instructions about the location services activation are not clear enough from the Toast message, I was expected to be redirected to the next page after allowing the exposure notifications.

Screenshots

Smartphone (please complete the following information):

• Device: [Pixel 2]
• OS: [Android 10]
• Build Number: [QSR1.190920.001]

Additional context

The Toast message also should be more clear in order to prompt the user to check the location services.

Describe the bug

In the Onboarding/Privacy screen, by tapping on Avanti, users are brought to the end of the screen where the two checkbox tiles are already marked in red, even though they were never visualized by the user.

To Reproduce

1. Go to the Onboarding/Privacy screen
2. Do not scroll down and tap on Avanti
   --> Users are directed to the end of the screen and the two checkbox tiles are already marked in red.

Expected behaviour

The two checkbox tiles should turn red after being visualized and then pressing Avanti.

Screenshots

Users should be able to build the app and reproduce the exact build published to the Play Store, in order to make sure the binary was generated by this repo's source code.

For inspiration, here's how Signal does it: https://github.com/signalapp/Signal-Android/blob/master/ReproducibleBuilds.md

Describe the bug

In the Suggestions/High Exposure screen there are several discrepancies with the latest copy.

Build: 54

Describe the bug

Bulleted lists and new paragraphs do not break like correctly.

To Reproduce

1. Go to Impostazioni > Domande frequenti
2. Tap on the first question
   --> Observe that each bullet point does not break line as expected.
   --> In longer answers, the paragraphs do not break line as expected.

Describe the bug

In the Default suggestions, one recommendation is missing at the bottom of the screen (Indosssa una mascherina).

To Reproduce

1. Complete the Onboarding
2. Click on Cosa puoi fare per proteggerti
3. Scroll down to the end of the screen
   --> One tile/recommendation is missing (Indosssa una mascherina).

Screenshots

Issue content

android.view.View#SYSTEM_UI_FLAG_LIGHT_NAVIGATION_BAR requires SDK >= 26 and the code it checks for SDK >= M (23) but app has already minSdkVersion = 23.

In files BottomSheetDialogDarkFragment.kt (line 29) and BottomSheetDialogLightFragment (line 84)

if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {

should be changed like this:

if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {

Describe the bug

When I arrive in the "Attiva le notifiche di esposizione COVID-19" section and I try to press the "Consenti" button I get this message "Notifiche di esposizione non attivate".
The bug seems to be here where the optInAndStartExposureTracing gets an exception :

//OnboardingViewModel.kt
fun startExposureNotification(activity: Activity) {
        viewModelScope.launch {
            try {
                exposureManager.optInAndStartExposureTracing(activity)
            } catch (e: Exception) {
                toast(
                    activity.applicationContext,
                    activity.getString(R.string.onboarding_exposure_api_not_activated)
                )
                e.printStackTrace()
            }
        }
    }

To Reproduce

1. Delete your app data or just uninstall your app
2. Reinstall the app

Expected behaviour
I aspect I should be able to finish the onboarding without incurring in an error.

Screenshots

Smartphone (please complete the following information):

• Device: Pixel 4
• OS: Android 10

Additional context

I'm referring to this comment
#32 (comment)

Google said that they will profile full documentation of how to reproduce Exposure Notifications APIs in systems that are Google Services lacking, so there is no competition.

Apparently, there is a way to develop the app even for AOSP users. I'm talking about users that, by choice, do not have google play service installed (so, for example, LineageOS without gapps)

Is it true?
Do you have any plans on doing it?

Thanks

Describe the bug

• In the Onboarding/Privacy screen the shadows around the checkbox tiles are not by design.
• In the Home screen the shadows around the Info tiles are not by design.

To Reproduce

1. Go to the Onboarding/Privacy screen
2. Scroll down
   --> Observe the shadows around the checkbox tiles.
3. Go to the Home screen
   --> Observe the shadows around the Info tiles.

Screenshots