Corona-Warn-App Open Source Project
Help us improve the Corona-Warn-App
The Corona-Warn-App is an app that helps trace infection chains of SARS-CoV-2 (which can cause COVID-19) in Germany. The app is based on technologies with a decentralized approach and notifies users if they have been exposed to SARS-CoV-2. Transparency is key to both protect the app's end-users and to encourage adoption.
How does the app work?
Collect nearby identifiers
The Exposure Notification framework (by Apple and Google) on a mobile device is broadcasting a Rolling Proximity Identifier (something to be remembered by), while also regularly scanning for identifiers of other phones using Bluetooth Low Energy technology and storing the identifiers locally. The identifiers are only valid for 10-20 minutes and are derived cryptographically from temporary keys which change every 24h.
Communicate test result of user with symptoms (optional)
If the lab in question supports the electronic process, tested users can use the QR code they received during the test to retrieve their results.
Distribute list of keys of SARS-CoV-2 confirmed users
In case of a positive test result, users are asked to voluntarily upload their temporary keys of up to the last 14 days to the server. To prevent misuse, the Corona-Warn-App backend first verifies the positive test result. If confirmed, the server adds the user’s keys to the SARS-CoV-2 confirmed list, which is regularly broadcasted to all apps.
Check for exposure to SARS-CoV-2 confirmed users
After a mobile device has downloaded the list of all available keys of users that have tested positive, the Exposure Notification framework derives the corresponding identifiers and checks locally if any of these match the locally collected Rolling Proximity Identifiers. In case of exposure, the risk is assessed and the user receives corresponding instructions.Learn more in scoping document
Stay up to date!
The Corona-Warn-App blog is coming soon
Data privacy and security
Open source approach
Only through transparency can we earn the trust of the end-users and increase app adoption.
Power of the community
The power of the community increases security and data privacy protection by detecting issues early and helping to solve them.
Data Privacy and Safety
Data Privacy document
Details will be outlined in a Data Privacy document (coming soon).
Only personal data needed for the following two objectives will be processed:
1. Assess personal risk of infection
2. Learn COVID-19 test results faster.
Part of design
It is part of the design process to ensure for each step that the app processes a minimum of required personal data that is handled with maximum protection.
Open and transparent
No security through obscurity: we follow an open and transparent approach.
Secure Software Development Lifecycle
Security assurance of application development through Secure Software Development Lifecycle, which includes among other things threat modeling and end-to-end risk assessment, security planning, security testing and penetration testing.
Hosting conform to BSI C5, SOC 2 and SOC1/ISAE 3402.
Early May 2020, the German government requested SAP and Deutsche Telekom subsidiary T-Systems to deliver the official Corona-Warn-App for Germany, based on open source and a decentralized approach. The following partners are supporting the development of the app together with the involvement of the global open source community.