An app for a piece of normality: the Luca app becomes open source

Sallie Anderson

Luca app: some points still need to be improved. (Photo: Zigres / Shutterstock)

The Luca app should make restaurant and event visits possible again. Data protection activists were not very enthusiastic. Now the minds behind Luca have reacted: the system should be open source by the end of March.

Die Fantastischen Vier have already done a lot of cool things. They are considered the forefathers of German hip hop, their albums have long since achieved classic status, and pretty much everyone likes the Swabians. Fun fact: the Fantas started out as a programming duo. At the moment, however, the hip-hoppers are mainly in the news for their involvement in an app. Its name is Luca. At least since Smudo presented it on the ARD talk show “Anne Will”, it has been seen as a valuable addition to the Corona-Warn-App. The latter has been criticized since its introduction; a common point is that it does not support contact tracing efficiently enough. Because of the mechanisms that guarantee comprehensive protection of users' personal data, the app cannot recognize so-called infection clusters, i.e. gatherings at which many people become infected at once. Adding this functionality to the Corona-Warn-App was discussed months ago, but it has not happened so far.

Now it looks as if private providers are to fill the gap. The Luca app is the clear favorite. Behind it are the Fantas' Culture4life GmbH and a Berlin startup called Nexenio, a spin-off of the Hasso Plattner Institute. Their product could now be used nationwide by the health authorities. Only on Thursday, the North Rhine-Westphalian Prime Minister Armin Laschet (CDU) announced that the federal and state governments intend to decide in the second week of March in favor of nationwide use of a further app. Mecklenburg-Western Pomerania announced on Saturday that it had acquired a license for Luca. If Vice Chancellor Olaf Scholz has his way, the nationwide rollout of Luca is a done deal.

With an app against the chaos of notes

Luca, like other comparable approaches, was designed to digitize data entry when visiting a restaurant, bar or event: away from the scramble of paper slips and towards a digital solution that protects users from data misuse by organizers, restaurateurs or third parties, prevents the submission of incorrect data (this does not seem to work very well yet; with a little programming knowledge, the verification should be easy to circumvent) and relieves the health department. The app works via QR codes, which visitors use to check in and out when attending an event. In the event of an infection, users share their visit history. The health department can decrypt the data and quickly and easily inform all contact persons.

Completely safe, according to the website

According to the website, all of this is completely safe: the data is stored on ISO 27001-certified servers within Germany, and no one except the health authorities is supposed to have access to stored personal data or to visit histories. The decision to share this data with the health department rests entirely with the users of the Luca app.

Read also: Thanks to open source, experts found a vulnerability in the server of the Corona-Warn-App

Luca is not yet open source, but it is supposed to be soon

In view of the upcoming vote on the nationwide deployment of Luca, data protection officials have criticized several points. One of them: the Luca app and the entire backend, unlike the Corona-Warn-App, are not yet open source. This means that the source code is not publicly visible to anyone. That is now supposed to change. The official account tweeted on Wednesday evening that the app was already planned to be open-sourced by the end of March. Among other things, the dialogue with experts and critics led to the decision.

On Tuesday, Patrick Hennig, CEO of Nexenio GmbH, had made a rather vague statement to t3n on the subject of open source: “So far we have financed the system completely ourselves and are currently involved in some patent proceedings.” However, he certainly saw the possibility “that we can make the app open source”. “An open source project needs community management, and that also costs resources,” which is why the decision was initially made against publication as an open source project, he said. At least the security concept was published on Monday.

The concept can be found on GitHub and on the Luca website. The GitHub repository is open source and, according to the authors, should be regarded as a “work in progress”. The document was published on GitHub in order to open up to the community for cooperation, says Hennig. According to experts, however, there is no proper cryptographic concept to be found there. “The security concept is so high-level that the community can hardly do anything with it,” said Manuel Atug, IT security expert at HiSolutions. There is no concrete, detailed information on the cryptographic procedures and algorithms used. For example, the handling of cryptographic keys, known as key management, is not adequately described. According to Atug, there is no information about how the keys are generated, how long they are used, how long they are, or how and when they would be archived, replaced, destroyed and, in an emergency, exchanged.

An extract from the security concept of the Luca app. According to experts, it is not meaningful. (Screenshot: github1s / t3n)

Master key for the health authorities

In addition to demanding a whitepaper and the disclosure of the source code, data protection advocates demand that only the data strictly necessary for operating the service be collected. Access to personal data may only be given to the health authorities in the event of an infection. There must not be a master key giving access to all data. According to the Luca security concept, however, the health authorities have exactly such a master key.

In the event of a positive Covid-19 test, the Luca app, according to its own description, sends the details of all relevant check-ins of the user, together with the IDs of the venues visited by this user and a timestamp, to the Luca server. The Luca app then prompts all operators and organizers to upload the check-in records of all Luca users who were at the venue at the same time as the infected person to the Luca server. The health department can decrypt these encrypted data records and contact all contact persons.
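To make the access property concrete, here is an added Python model (not Luca's code; the published concept gives no such details) of the flow described above: each check-in record carries the venue ID and timestamp in the clear and the personal data encrypted. Design A has one authority-held master key, as the concept describes; design B, a per-venue key handed over only for the place and time of a confirmed case, is a foil to show the difference. The toy cipher, the record layout and the sample names are assumptions.

```python
import hashlib, hmac, json, secrets

# Toy authenticated encryption (HMAC-SHA256 keystream, encrypt-then-MAC tag). It is
# only here to model who can open which record; it is not a recommended cipher.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes):
    """Plaintext, or None when this key does not authenticate the record."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return _keystream_xor(key, nonce, ct)

def make_checkin(key: bytes, user: str, venue: str, ts: int) -> dict:
    """Check-in record as the article sketches it: venue ID and timestamp in the
    clear, personal data encrypted. The field layout is an assumption."""
    personal = json.dumps({"user": user, "venue": venue, "ts": ts}).encode()
    return {"venue": venue, "ts": ts, "blob": encrypt(key, personal)}

def authority_can_read(records: list, held_keys: list) -> list:
    """Users whose records the health authority can open with the keys it holds."""
    users = []
    for rec in records:
        opened = (decrypt(k, rec["blob"]) for k in held_keys)
        users += [json.loads(pt)["user"] for pt in opened if pt is not None][:1]
    return sorted(users)

def compare_designs():
    visits = [("alice", "bar-42"), ("bob", "bar-42"), ("carol", "bar-42"), ("dave", "cafe-7")]
    ts = 1_615_000_000                                  # constructed sample timestamp
    # Design A (as the concept describes): one master key held by the health authority.
    master = secrets.token_bytes(32)
    recs_a = [make_checkin(master, u, v, ts) for u, v in visits]
    # Design B (foil for comparison): one key per venue, held by the venue and
    # handed over only for the place and time of a confirmed case.
    venue_keys = {v: secrets.token_bytes(32) for v in ("bar-42", "cafe-7")}
    recs_b = [make_checkin(venue_keys[v], u, v, ts) for u, v in visits]
    # alice tests positive; only bar-42's key is released to the authority.
    return authority_can_read(recs_a, [master]), authority_can_read(recs_b, [venue_keys["bar-42"]])
```

With the master key the authority can open every record, including dave's visit to cafe-7, which has no connection to the case; the venue-held key in design B prevents that but moves trust to the operator, which the article lists as a concern of its own.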

These keys are apparently generated in the front end of the application that is made available to the employees of the health departments affiliated with Luca. They access it via the browser. The problem: a browser is a kind of sandbox, designed to load and execute content dynamically from a server. Put simply, this is how the Internet works. Of course, there are numerous mechanisms that make this as safe as possible for users; however, a web browser is still not the best place for generating cryptographic keys, for a number of reasons. “It’s not safe,” says Atug. “All in all, it looks like the Luca app went into production at a stage where it could only have been released as an alpha version. The fact that such an inexplicable security concept was presented afterwards doesn’t make it any better. Secure-by-design was obviously not the approach taken here.”

The app cannot really be judged yet. Ultimately, the assessment of Luca stands or falls with the imminent publication of the source code. In its current state, a non-open-source app could theoretically be reverse-engineered and found to be good and safe, but that could change again with the next update, say members of Zerforschung, a collective that reverse-engineers apps.

The publication of the source code is therefore an important step.

Not accessible

Another major drawback of the app so far is its lack of accessibility. One iPhone user complains that he cannot get past the app's start page using the VoiceOver functionality. “We are on the subject of accessibility,” says the Nexenio CEO.

Central storage of the data

The central storage of all data is also problematic. According to the concept, the data is stored on ISO 27001-certified servers within Germany. “Decentralized”, a catchphrase with which, for example, the State Commissioner for Freedom of Information and Data Protection of Baden-Württemberg, Stefan Brink, underpins his recommendation of the app, it is not.

Other politicians have spoken out against a nationwide deployment of Luca. Anke Domscheit-Berg, member of the Bundestag for Die Linke, wrote in a Twitter thread on Tuesday that she found the euphoria of some colleagues completely incomprehensible in view of the central storage of personal data, the complete lack of transparency of the entire system and the prospect of a master key for the health authorities.

It is conceivable that the look into the code, which is likely to be possible from the end of March, will dispel all other concerns as well. Until then, something may also have happened with the Corona-Warn-App with regard to a cluster detection function. Its contact diary function was only just improved with an update published on Wednesday.


The post An app for a piece of normality: the Luca app becomes open source appeared first on World Weekly News.