The long-awaited publication of the Radar Covid app code was not a success. The administration has achieved the remarkable milestone of releasing the Spanish public mobile application software with a record of faster and more extensive downloads: it has 3.7 million. But the gesture does not seem that it will fulfill the hopes of more than 200 Spanish academics who signed a manifesto in favor of transparency in the development of public software. The good intention has been, for now, halfway.
The debate is not yet on whether the app is safe or if it hides errors or traps in the code that should not be there. One of the big goals of releasing the code is to allow you to answer those questions. “This is an exercise in transparency so that the operation of the application can be audited openly and directly by the public,” says Carme Artigas, Secretary of State for Digitalization and Artificial Intelligence, in charge of the app. The content is available on GitHub.
But before it could be analyzed in depth, shortly after the code was released, the developer community began to debate a couple of central issues. The first was, how do we know that the published code is the one in the app that we carry on our mobile? This would be easy to check if the mobile app could be decompiled without a problem, but the code is obfuscated . Code obfuscation is a common practice: it serves to hide details that prevent copying. But in the case of an app whose code will be free, it makes little sense to use this technique.
Even so, among the shadows of that code, you can see that there are lines and files that do not match what is published on GitHub, which is the usual repository where developers publish and comment on open source. “Any Android developer can decompile the application that is available in the Play Store and verify that there are certain differences,” says computer scientist Raúl Martínez or @RME. “It’s probably nothing serious and it’s just that they have retired old methods. This does not mean that I doubt its efficacy or its safety, it is simply not a good practice ”, he adds.
But if the code of the two versions is different, how to know how it works on our phones? “It generates mistrust because we continue the same as yesterday,” says David Barragán, co-founder and software developer at Kaleidos Open Source. “We have an app on our mobile for which we do not know the code, and we have a published code that is not valid because it does not match the app’s. What other things can it hide if they are not the same? ” He explains.
The case becomes more mysterious when, when asked by EL PAÍS, the Secretary of State for Digitization and Artificial Intelligence denies that the two versions are different, “The obfuscated version is the same as the one on GitHub,” say official sources. What could be the reason for this mismatch? “In my opinion the development team has been cleaning up the code to upload it but without giving time to upload that new version to the Play Store. Likewise, the secretary of state is not up to date, ”explains Martínez @RME.
In the next update, which will be approximately September 15 (according to official sources), the code for the Android version of Radar Covid will be de-confused. Then it will be fully possible to compare both versions and perhaps see what has happened. If anything, it’s a request that a developer has already made on GitHub.
The second big problem is the lack of context in the code . Only the latest version has been released, no more. “The most important thing is that we lack the history. It is an essential part. We do not know when it started, how it has been built, on what bases or what decisions have been taken, ”says Jorge J. Ramos, independent developer. “This information is basic for programmers. If you enter the repositories of the Italian or German apps, the historical ones have been in place since May ”, he adds.
This lack of documentation that occurs throughout the process is “very laborious to do,” according to Ramos. “If they haven’t taken it out, does that mean they don’t have it?” It is not known. It is only known that the Indra programmer who uploaded the code to GitHub publicly lamented on Twitter this Wednesday night the lack of understanding from the community regarding the criticism that the code was receiving. Furthermore, he said, because “the context is not known.”
One of the proofs that the code publication process has been done in a hurry is that there were private keys or remnants of the La Gomera pilot code that should not be there. Meanwhile, the issues (questions, doubts, problems) raised on GitHub by a good handful of programmers do not stop growing. Detailed analysis of each function of the code is yet to come.
The release of the code has been a constant focus of criticism from much of the technology community. Last Saturday, more than a hundred academics signed a letter in which they demanded from the Executive the minimum necessary for open source to be truly successful. In his opinion, knowing the schedule is essential, but insufficient. Transparency must be absolute.
“The opening of the code must be accompanied by complete documentation and information, so that the scientific community and civil society have the scrutiny capacity necessary to identify points to improve and contribute to developing and deploying Covid Radar according to the highest standards. standards ”, stated the signatories.
So far, the contagion tracking app has been implemented in 13 communities – Galicia, the Basque Country, Catalonia and Castilla-La Mancha are still to be added – 70% of the entire territory. This does not imply that it works because several regions are still in full development of pilot tests . “Open code also allows the internal workings of the application to be publicly displayed so that citizens can have full confidence that security and privacy have been the central principles that underpin the creation of this tool”, highlights the Secretary of State.
“The latest available version of the application becomes available to the community under the Mozilla Public License 2.0, the same one used by the DP-3T project, the protocol that was used during the development of Radar Covid. Furthermore, successive updates will be published as the new versions of the application become available ”, they affirm from the Secretary of State.