
cie-ideaapp's Introduction

cie-ideaapp

Android app - CIE "IDEA Identity Easy Access"

Stable version

The latest version of the "IDEA Identity Easy Access" application can be downloaded from the Google Play store at this address.

cie-ideaapp's People

Contributors

aantetomaso, alranel, gvarisco


cie-ideaapp's Issues

Android App - weak signer Certificate (SHA1withRSA)

The app is signed with SHA1withRSA. SHA1 hash algorithm is known to have collision issues.

[
[
  Version: V3
  Subject: CN=Ipzs S.p.A, O=Istituto Poligrafico e Zecca Dello Stato S.p.A, L=Roma, ST=Italia, C=00138
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  
  Validity: [From: Wed Mar 30 12:48:27 UTC 2016,
               To: Sun Mar 24 12:48:27 UTC 2041]
  Issuer: CN=Ipzs S.p.A, O=Istituto Poligrafico e Zecca Dello Stato S.p.A, L=Roma, ST=Italia, C=00138
  SerialNumber: [    56fbcb1b]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 11 BF A4 72 7D F2 27 25   3D 7A A1 71 AB 8D AE 26  ...r..'%=z.q...&
0010: B2 7F A6 6C 21 25 87 2C   D4 51 68 99 83 AC 45 FC  ...l!%.,.Qh...E.
0020: 88 FC A9 69 FB 6E D8 DE   C2 65 36 64 F4 D5 97 38  ...i.n...e6d...8
0030: AD 13 4A 01 62 3F 32 AF   59 00 33 DF E1 F5 49 6D  ..J.b?2.Y.3...Im
0040: D5 22 70 9D E9 FD 12 86   4D 97 AD 31 FE FF 76 16  ."p.....M..1..v.
0050: 0D 1A A6 0C 5D 84 A1 07   1B A7 13 3C 27 65 24 9B  ....]......<'e$.
0060: 85 BB 06 87 F5 34 41 94   73 42 F4 54 83 38 A7 3F  .....4A.sB.T.8.?
0070: 0E EF 5A E4 30 DA D9 31   ED 3B 0F F3 A9 59 00 A6  ..Z.0..1.;...Y..

]

Current key info extracted from CERT.RSA:

$ openssl pkcs7 -inform DER -in CERT.RSA -noout -print_certs -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1459342107 (0x56fbcb1b)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=00138, ST=Italia, L=Roma, O=Istituto Poligrafico e Zecca Dello Stato S.p.A, CN=Ipzs S.p.A
        Validity
            Not Before: Mar 30 12:48:27 2016 GMT
            Not After : Mar 24 12:48:27 2041 GMT
        Subject: C=00138, ST=Italia, L=Roma, O=Istituto Poligrafico e Zecca Dello Stato S.p.A, CN=Ipzs S.p.A
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:aa:ce:2f:27:03:af:79:28:49:4c:1f:d5:6f:40:
                    ea:7a:41:79:d6:f3:37:3c:a5:1b:29:c7:5b:5d:12:
                    dc:c7:0d:2f:e8:4d:a2:3a:69:e0:55:25:41:e6:63:
                    23:e8:bc:7b:b6:bc:51:f0:7d:cc:9d:54:76:cb:aa:
                    50:03:b4:95:58:13:31:82:04:e3:48:e0:49:9b:b2:
                    ea:ff:7e:8f:5c:6d:bb:b3:df:65:bc:95:aa:43:dd:
                    39:72:ff:54:72:7c:27:15:b9:6b:b4:c5:1d:52:c8:
                    0a:d0:d7:b9:42:b9:b2:4f:9a:03:8d:25:00:55:03:
                    4b:16:8e:ff:bd:3a:20:02:15
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         11:bf:a4:72:7d:f2:27:25:3d:7a:a1:71:ab:8d:ae:26:b2:7f:
         a6:6c:21:25:87:2c:d4:51:68:99:83:ac:45:fc:88:fc:a9:69:
         fb:6e:d8:de:c2:65:36:64:f4:d5:97:38:ad:13:4a:01:62:3f:
         32:af:59:00:33:df:e1:f5:49:6d:d5:22:70:9d:e9:fd:12:86:
         4d:97:ad:31:fe:ff:76:16:0d:1a:a6:0c:5d:84:a1:07:1b:a7:
         13:3c:27:65:24:9b:85:bb:06:87:f5:34:41:94:73:42:f4:54:
         83:38:a7:3f:0e:ef:5a:e4:30:da:d9:31:ed:3b:0f:f3:a9:59:
         00:a6

It is time to update to a stronger signing key for this Android app! The old default RSA 1024-bit key is weak and officially deprecated.

Note: We should keep in mind that if we use a SHA256 algorithm, the app does not work with some older Android devices (mostly pre-Android 4.3). This means that builds made with the new cert management system currently create APK files that may not install on some Android 4.0-4.2 devices (some devices will install, some will fail, depending on the manufacturer).

Quoting this report on Android apps' signing keys:

There is a security vs. compatibility trade-off a few might be interested in. Pre-4.3, Android did not support any signature algorithms except SHA1. With Android >= 4.3, SHA256 support was fixed, and SHA384, SHA512, and ECDSA were added (source). There are still Android 2.3.3 (android-10) devices being sold, so anyone interested in backwards compatibility will have to heed this.
Also, the larger the key size and hash size used, the longer it takes to install and update the application. So extremely large values might be unsuitable for slower hardware. The following probably doesn't buy you a tremendous amount of additional security but cranks the paranoia to 11. It does so at the cost of compatibility and performance.

Gen with:
keytool -genkey -v -keystore test.keystore -alias testkey -keyalg RSA -keysize 4096 -sigalg SHA512withRSA -dname "cn=Test,ou=Test,c=CA" -validity 10000

Sign with:
jarsigner -verbose -sigalg SHA512withRSA -digestalg SHA512 -keystore test.keystore test.apk testkey

We can probably rely on what's written here:

keytool -genkey -v -keystore test.keystore -alias testkey -keyalg RSA -keysize 4096 -sigalg SHA1withRSA -dname "cn=Test,ou=Test,c=CA" -validity 10000
  • do not specify passwords on the command line (i.e. do not use -keypass or -storepass)
  • -keysize 2048 is the minimum, but -keysize 4096 is better
  • -keysize 8192 is overkill and might not work on older Android versions
  • **SHA256withRSA and other better hashes supported on Android 4.3 and above only!**
  • SHA1withDSA should work, but we haven't tested it

Further references:
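As an added example (not code from the repository or from the issue author), a small checker that parses the `openssl ... -text` output shown above and applies the thresholds discussed in the issue: a SHA-1 (or MD5) signature digest and an RSA key shorter than 2048 bits are reported as findings. The "strong" sample dump is constructed to show what a certificate from the suggested 4096-bit / SHA-512 keytool invocation would look like.

```python
import re

# Sample input: the relevant lines of the `openssl pkcs7 ... -print_certs -text`
# output quoted in the issue (CERT.RSA of the current APK), trimmed to what we parse.
WEAK_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1459342107 (0x56fbcb1b)
    Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: Mar 30 12:48:27 2016 GMT
            Not After : Mar 24 12:48:27 2041 GMT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""

# Constructed sample: the same kind of dump for a certificate generated with
# `keytool -keyalg RSA -keysize 4096 -sigalg SHA512withRSA` as the issue suggests.
STRONG_CERT_TEXT = """\
Certificate:
    Signature Algorithm: sha512WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
"""

MIN_RSA_BITS = 2048            # floor from the quoted signing-key guidance
WEAK_DIGESTS = ("md5", "sha1")  # collision-prone digests, flagged regardless of key size


def parse_cert_text(text):
    """Pull the signature algorithm and public-key size out of an openssl -text dump."""
    sig = re.search(r"^\s*Signature Algorithm:\s*(\S+)", text, re.M)
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    if not sig or not bits:
        raise ValueError("not an openssl -text certificate dump")
    return {"sig_alg": sig.group(1), "key_bits": int(bits.group(1))}


def audit_signing_cert(text):
    """Return a list of findings for an APK signing certificate dump (empty list = OK)."""
    info = parse_cert_text(text)
    findings = []
    if info["sig_alg"].lower().startswith(WEAK_DIGESTS):
        findings.append(f"weak signature digest: {info['sig_alg']}")
    if info["key_bits"] < MIN_RSA_BITS:
        findings.append(f"RSA key too short: {info['key_bits']} < {MIN_RSA_BITS} bits")
    return findings
```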

Signature

I would add the FEA signature via IDEA; otherwise the app's usefulness is limited, whereas with the FEA signature it seems much more useful to me.

Repository is missing assets and resources

The repository is missing assets, resources files, the manifest, etc., which are needed to develop and compile the application.

I haven't fired up Android Studio yet, but I don't see anything in MainActivity.java that can load the UI layout, even if the resource files were there. That makes me think the code is from an earlier version.

Improve the date format

This review says:

Have dates entered in DD/MM/YYYY format, otherwise it is impossible to scroll the calendar page by page to enter a date of birth from 40/50 years ago or a document expiry date in the next 10 years!!

Android App - permissions: RECORD_AUDIO

According to its manifest, the app requires android.permission.RECORD_AUDIO. Such permission allows the application to access the audio record path.

URI: android.permission.RECORD_AUDIO
Risk: MODERATE-HIGH
Protection level: DANGEROUS

Official Description
Allows an application to record audio

I'm not entirely familiar with the app's features, but unless we require it for legitimate uses such as note taking or voice search, I'd drop this requirement in the next releases.

@andemaria can you please clarify it?

Change the message

"Bring the device close to the document to read the chip" -> I would change it to "Bring the device close to the document to read the chip. A sound will tell you when the chip reading starts. Keep the device close to the document until the reading is complete."

Or something similar.

If it is not clear where this point is, I can send photos.

Passport scanning

This review reports that the passport cannot be read. I haven't had a chance to verify it personally. Can someone help us test and fix it?

Add the ability to grant the camera permission

After installing the app, if I want to scan the CIE, the app crashes until I manually grant it permission to access the camera. Since not everyone is able to figure this out and then enable camera access, I propose either requesting it by default at installation or showing a popup asking for camera access at the moment the user wants to scan.
