cwa-wishlist
cwa-wishlist copied to clipboard
corona-warn-app
Check in with NFC
Motivation
QR codes can be somewhat of a hassle to scan. Sometimes the process works well, but sometimes the camera doesn’t focus and one needs multiple seconds for a scan. Of course, this is counterproductive at an entrance where guests need to move quickly, like in public transport. In this example, there would need to be multiple codes spread throughout the vehicle so that each passanger could check in from their seat.
Additionally, placing the phone ~15 cm in front of a QR code is a somewhat odd physical motion, especially if the code is placed in an inconvenient location (or printed so big that you need to step away from it).
Suggested improvement
Many smartphones nowadays come with NFC chips. The venue could provide a check-in NFC beacon that guests could scan with their NFC-capable mobile devices, in addition to the print-out QR codes.
To help spread this convenient technology, CWA could offer cheap NFC beacon stickers to venues which would then encode their check-in data into the beacon using their mobile, NFC-capable devices (more data-saving compared to encoding the data in the factory).
Internal Tracking ID: EXPOSUREAPP-5922
Using an NFC tag sounds great! I like the idea! Should the NFC tag be used in conjunction with the QR-Codes?
@jucktnich Good question, Apples Developer Addendum doesn't talk about it at all 🤷🏻♂️ So this would probably have to be clarified with Apple & Google.
Edit:
Besides of this, great suggestion @fynngodau!
@KST1810 Both options should be provided by the venue.
@jucktnich @Ein-Tim If nothing speaks against it I don’t see why not.
The luca app has now the problem that the venues are posting there Qr-Codes via social media, etc. This makes it possible that everyone can check in from everywhere to an event. This problematic is described in https://github.com/corona-warn-app/cwa-documentation/blob/master/event_registration.md#targeting-specific-venues for the upcoming CWA feature.
The use of NFC chips would reduce and IHMO nearly mitigate the risk of this attack, since you need physical access to NFC chips to use them. Yes it is possible to copy NFC chips, but it isn't as easy as posting a picture of a QR-Code on social media.
@Ein-Tim That's a great thought. However, my personal smartphone is one of those not equipped with an NFC reader, which is a use case that has to be considered. Hence, I advocate for the availability of both options.
See #476 - I simply tried it. Extracted the URL from teh QR code, wrote it to a standard NFC 216 tag and it Just Works(tm). I used the NFC Tools app on my iPhone to write the NDEF and write-protect the tag to avoid someone rewriting the tag.
iPhone 11 with iOS 14.4.2
Did you tried to read the tag without the nfc app installed? I think it won't work without the app right (for iOS)?
Yes, I tried. The NFC App is not needed. The CWA registers an URL handler and iOS doesn't really care where the URL comes from, be it from the camera or the NFC subsystem. For background NFC tag reading you need an iPhone XS or newer. See https://developer.apple.com/documentation/corenfc/adding_support_for_background_tag_reading
Ok, seems to work without nfc app. I heard about, that you need to have an app installed, which only has to say "I'm an nfc app", to enable the system nfc reader (I think cause of legal reasons)
I can only comment on iOS/iPhone. There it Just Works :) When your iphone is at least XS or newer. With older iPhones you need to add support in the app. Which I think would be confusing for the CWA, as it adds more complexity for a feature that is rather niche. I mainly wanted to see if it works and it does. So it's a little hack for those that like it, nothing more, I guess.
@jwildeboer Thanks for the demo! We will forward the information to the internal ticket.
Corona-Warn-App Open Source Team
Some more technical stuff: I simply used the normal NDEF for URLs, nothing special. It was just one of those "Will it work? Let's try!" moments. ATM the NFC tag is open, so anyone with an NFC app could overwrite the NDEF with a nefarious URL. That's why I don't think it's a "good" thing to do. You can enable write protect on the NFC tag, if you know how but that goes beyond "normal" user knowledge IMHO. So please treat this as a FYI, not as a feature request. There are a lot of risks here.
For this to work on Android, it seems we need to add an NFC deeplink intent to the app manifest. Could this be done? Even if it isn't an official feature, it would make app behaviour consistent between Android and iOS.
See https://stackoverflow.com/questions/41360527/deep-link-into-app-specific-activity-by-nfc-tag
NFC is mentioned in several places in the EU document Guidelines on the use of Digital Covid Certificates in traveller and online booking scenarios.
According to https://github.com/corona-warn-app/cwa-documentation/issues/780#issuecomment-998553495 currently only Chapter 3 is implemented in CWA i.e. the booking verification process, not NFC.
- PR https://github.com/corona-warn-app/cwa-app-android/pull/4719#issuecomment-1091651019 has been declined now.