TAC Vérif (com.ingroupe.verify.anticovid)

About

Android and iOS application developed by IN Groupe (Imprimerie Nationale) allowing users to check the validity of French Covid-19 vaccination and test 2D-DOC QRCodes.

Application code and UI heavily copied from IN Verify (com.ingroupe.mobile.instant)

Build parameters

• ENDPOINT_URL / url_ws:

    https://portail.tacv.myservices-ingroupe.com
  

• KC_PUBLICKEY / public_key: Keycloak public key for PING realm: https://auth.messervices.ingroupe.com/auth/realms/PING

    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwIuUARi7SBc6lbWaXtacxh8EVvVhstPtMDLt+ygg9qluzEcR1uArXAQpH2fuFO6I1dK3JCIvObyaLgDwUd2je2UUJepcXCXHQPxz5FjtjCFQIwPboGNjNjjZkx7zp83/RoglpmHUMxYwilZBeGTpO3eE6CcIRtb33VNV926MGJ76vJgM1PVRwIT1LRBYJV6+zjZ71wECSIsAmN8wjIm6yxJcLTy+nE2x4HGV1Bd78rdNg13BlrgjaimJ9cTVW3t24jtjIevZCEG0MW3GtqpZRKpxn30SBAyd7ogwXnIjKzCP2VbgR5XGN8WcWdfVg70HyQTtBWl2VLPSjAZhUJjSqQIDAQAB
  

• PERSISTENT_TOKEN / token_lite:

    eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJqUG0zZ1BzUlZaMWRRUmhHOG1HMGhFN3Jlb2ZXTTNINzJCV1RtajdJcFd3In0.eyJleHAiOjE2ODUxODU5MDYsImlhdCI6MTYyMjExMzkwNiwianRpIjoiOTdjODgyM2EtNjlhZS00NzA4LWE4N2UtNzYxM2NhNGU3ODU5IiwiaXNzIjoiaHR0cHM6Ly9hdXRoLm1lc3NlcnZpY2VzLmluZ3JvdXBlLmNvbS9hdXRoL3JlYWxtcy9QSU5HIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6ImVhMWY1NWVlLTUxMGMtNGMxNi05MWQ4LTE1MjI4OGJhZDViYSIsInR5cCI6IkJlYXJlciIsImF6cCI6InRhY3YtY2xpZW50LWxpdGUiLCJzZXNzaW9uX3N0YXRlIjoiNjk5ODExY2YtODFlZS00ZmNkLTk4NDctY2FkMGJmYjZhOTdiIiwiYWNyIjoiMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJST0xFX1ZFUklGWV9DT05UUk9MXzJERE9DX0wxIiwiUk9MRV9WRVJJRllfQ09OVFJPTF8yRERPQ19CMiIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6ImVtYWlsIHByb2ZpbGUgb2ZmbGluZV9hY2Nlc3MiLCJzaXJlbiI6IjAwMDAwMDAwMCIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycmVkX3VzZXJuYW1lIjoidGFjdi1tb2JpbGUtbGl0ZSIsImdpdmVuX25hbWUiOiIiLCJmYW1pbHlfbmFtZSI6IiJ9.mpfrIP8ayElTm7yoVayCF11oYrDQEnauk9hbbVBw8idAiE6OsMlWNloZtUbbnwrJZsMX3_NoEyzkiB3HNbxyhPWp7eRZ7qhn8XjZVgg6sVytXqcVZo9R5-Q9JftMKv7JelsY3PsaOo5x-pYOX30ancPRjd78TeenorGopsVN_LLRLQpenfgjjgwx-srZnLa-TFYTcbSvXozfJT7uk5CHyz_MIFLM7pl9Zdt66yTGBkLIyOLFsV5vPeH5SYvgRNDYdxZy4XMo6Gyfz0lAI9Xfcjs20NBoOQMV4JREH4Z-IcJJXeszC9QeA1-tRmxujqIRuyvBal7msLy7Zimd2q7i3Q
  

• SCANDIT_LICENSE_KEY:

    AVZw+TifGjghLUEhqw/9cSIJ0uLrRopdL20rStN3H596YNrgQHrdWvVXF2bSY1ANJ0dnHIJgFFXdRJcko1W3RxhEDd3lfqKsmBK9tF1HFfpqWWZAHkL6HCBnmiYpTlxrCm2f9/MpZ1+lK9UlNBrEKmcKpP++C7H3JTjird3n0YmCvr0hIBXMtiaf60LzXE3vLAWHkcO1nmIM36HB4dwX3kRImr3ekwClxHGYjQPT9i3wsBnDEGGdfy86u9SvQL43Lzm7jvUtZvYpnwjn3pHUpp4OrvSdlhev0A6FvFJ0/y9gVIrVOLI+k9eLcgyjwb7IHlj602CuBaSGXkhGv0JT739D/Vn55wRx610Q1zZ599JCqTFJ8Fw3CWeh/7uHOYHmwZNty5e86ywiyVXxODlilo+6OKi7VZayk1w13WMISeH5c2J1tFyQWJ4acUY+xyUHEqD/6vxzH/nlns7aDXHXh/do8hm5Dxy8DM3Ec9ufx+dkU8x4ESt90VQChrSAyp0snFrhWy8Be43yT0+x1vg8SbYIv/u85sD1V+JZUAN+BUAloYF2PY+DcB8ypTTSaNFRSV++brLLc+z89kAJRzNujxShW6aojGvwuB1FZlUSZCbYMsK+f5xLb+boaX0MioLEudlJTzqLAzS1t0ZPd/vvemHksLZJoM74vrKJZMAmTdqlnKcd/6rnKPDI578tEaRXTNExUR5nZgqKrCqRWZD4Jb5itmIjkijwKy/G5htz2DEGNgZcJInpiEFKiZdOLgAMcHUGNfEEWsiOXpLwf2mlNVQQKfob3raDF0FopuvolBMkQTSZLgTnnP808Tykt0Yd1QIDb0SW
  

Transport Operator mode

Screenshots

Activation

Transport Operator mode can be activated by scanning a QRCode document with the application, which once decoded contains a JWT, with the following minimal payload:

{
  "exp": 9999999999,
  "realm_access": {
     "roles": [
        "ROLE_TACV_CONTROL_OT"
     ]
  },
  "siren": "1234567890"
}

Signature algorithm: RS256

The hard part is signing the JWT with the appropriate private key, but there are plenty of other ways to get past all of this security theater.

Analytics

Every ~4h the application sends analytics to a central server:

POST /api/client/configuration/synchronisation

[
    "2021-08-08T15:22:17.856|true|||TACV_2DDOC_ANDROID_LITE|000000000||||2D-DOC_L1||",
    "2021-08-08T15:23:32.532|true|||TACV_DCC_ANDROID_LITE|000000000||||DCC_VACCINATION||"
]

Format: [DATE_TIME_SCAN]|[IS_VALID_SCAN]|[SCANNED_DOCUMENT_FLAGS]||[SCAN_MODE]|[USER_SIREN]||||[SCANNED_DOCUMENT_TYPE]|[EXCEPTION_MESSAGE]|

• DATE_TIME_SCAN: string (Example: 2021-08-08T15:22:17.856)
• IS_VALID_SCAN: boolean - Indicates if the application considers the scanned document valid or not
• SCANNED_DOCUMENT_FLAGS: string - Can be empty string or any of the following values:
  • Blacklist: Indicates that the scanned document’s hash has been blacklisted
  • Doublon: Indicates that the scanned document was already scanned recently
  • BlacklistDoublon: Indicates that the scanned document’s hash has been blacklisted and already scanned recently
• SCAN_MODE: string
  • TACV_2DDOC_ANDROID_OT: French 2D-Doc transport operator (extended) mode
  • TACV_2DDOC_ANDROID_LITE: French 2D-Doc lite mode
  • TACV_DCC_ANDROID_LITE: European DGC lite mode
  • TACV_DCC_ANDROID_OT: European DGC transport operator (extended) mode
• USER_SIREN: string - French SIREN of the company using the application (only applicable if using transport operator mode, if not the value 000000000 is used)
• SCANNED_DOCUMENT_TYPE: string
  • 2D-DOC_B2: French 2D-Doc test certificate
  • 2D-DOC_L1: French 2D-Doc vaccination certificate
  • DCC_TEST: European DGC test certificate (starts with HC1:)
  • DCC_VACCINATION: European DGC vaccination certificate (starts with HC1:)
  • DCC_RECOVERY: European DGC recovery certificate (starts with HC1:)
  • DCC_EXEMPTION: French DGC vaccination exemption certificate (starts with EX1:)
• EXCEPTION_MESSAGE: string - Exception message (only provided if an exception was encountered during scan)

Links

• Android App
• iOS App
• Android App Source - Gitlab INRIA
• iOS App Source - Gitlab INRIA
• OpenAPI Definition (View in Swagger UI)

APKs

3.3.2

• base.apk
  Size: 57479598
  SHA256: 1037ae1c8abc6502a268a5d6f18bc4df5f1a13e6172fe57dca9c273c777f676f

3.3.0

• base.apk
  Size: 57809240
  SHA256: cdbab4e3eb690e755eebbb657b03a46ee89581caa58821e8076fab93940119b7

3.2.9

• base.apk
  Size: 57807336
  SHA256: b7717b58abb581a0a1d9a81877d7f309fd59ca0e2336628adaff3236f1a1ae9a

3.2.8

• base.apk
  Size: 66595293
  SHA256: afdfe43a509e9eeecdfd0545ad0101898436b777bafd184f9d99278a674eca39

3.2.6

• base.apk
  Size: 66595707
  SHA256: 056f492fa81bc91ce80e305fe76a736c1febef89c6d33f18a2393575cbd3ac61

3.2.5

• base.apk
  Size: 66595435
  SHA256: 768f7b992fe60670384818a37a4439119b1a3f940af3240c19ee784e2cef686c

3.2.2

• base.apk
  Size: 80193245
  SHA256: 31e2c9cb74bd9a30f87acf82b279c1a0b67652f3d9a2b423e255d5349007eaa1

3.2.0

• base.apk
  Size: 80193228
  SHA256: 27d8c370c12831c7d3bda51fc15055c13714e7352c4395ae975f9bf08416acd5

3.0.0

• base.apk
  Size: 77043947
  SHA256: a95579c52b4a40f0d5b3a7cae50da5bc45b6635233769ed35cfa9b2f8ac499e5

2.6.0

• base.apk
  Size: 67042689
  SHA256: 8569c39ede5b02f3dee12f762ca758713daf9f450492efaa53d0a9508cbe5e82

2.5.0

• base.apk
  Size: 67039070
  SHA256: e401d317d4d6253d6dd7f2bf546cecaed81bbff4cc6598f49758ec24a88737f3

2.4.2

• base.apk
  Size: 67175338
  SHA256: f269696bd9b7aa9088496dd2f7bc3dea2589580327ec69d1af8e65fa55eb2967

2.4.0

• base.apk
  Size: 67144698
  SHA256: 9af3e5f950e27e52192a9697f7f7ece7f64509746b7f9e856047cef5b1227d65

2.3.2

• base.apk
  Size: 67332198
  SHA256: 5a8503a1e26add599b127432f2f405df9e2732dfa298475198f92b7b79529968

2.3.1

• base.apk
  Size: 67426871
  SHA256: ad87ea13f00bd981da8bb437993ebbebc128045f8e3c0775195289cf422ad7ef

2.3.0

• base.apk
  Size: 67173974
  SHA256: 4508ba34c25e0eeb38382f96b2641714a39feabade3a77cdb503945dc026347f

2.2.2

• base.apk
  Size: 67081341
  SHA256: 076fb0a1efd45447dc1e10ea30de8e862f3079b2b62e003c2247950b9e59f529

2.2.1

• base.apk
  Size: 66904586
  SHA256: cb98274810dc2307ce351e1c617de434be515cca69b8f0ef9b67c681eaabfc6e

2.2.0

• base.apk
  Size: 66900490
  SHA256: bfb716ae5f98580f2f44df3193391e2201d4a00a945472d65065aa501af979cc

2.0.0

• base.apk
  Size: 66630814
  SHA256: 457cdb59b8791cfa50b97664c11e539d92648517514e5d4c49c34da2fe898dc7

1.11.1

• base.apk
  Size: 56080325
  SHA256: 1a0b6d6cc053bfc79e5ec3054cf03761e8d0265f1ebb8016d1849d6b2db1f6ac

1.11.0

• base.apk
  Size: 56084413
  SHA256: 9b76596747d21ba76161cea942fbee80cb95956144d96454bd29de6513b65eb0

1.10.0

• base.apk
  Size: 56058435
  SHA256: eb432d4f1aedac05760be0033825df0625199f7d11f47fb9eb9c1fe8785277bd

1.9.1

• base.apk
  Size: 56461732
  SHA256: 6877e6eb4932360c376a97b4d591ba06836222a9d7194968d421cd559468b74f

1.9.0

• base.apk
  Size: 56527798
  SHA256: 7c0f25c263e608c19551e9343bbc119a9771d60e5a899dc73ba427f984556da2

1.8.2

• base.apk
  Size: 55915394
  SHA256: e248addfa1ab3dae12e44a64cc3997919b164c9ddcbbef60ec0c8b857fc5da09

1.8.0

• base.apk
  Size: 55914087
  SHA256: 7d4fb2d0263373e8a68d4a4d92e45930f98c3897859b7071efb10bdef20a219d

1.7.0

• base.apk
  Size: 56968006
  SHA256: 001b5fb9e90925558643bfae67a857b946d1873b201037ccff7a5f4b44b2b76b

1.6.2

• base.apk
  Size: 56864760
  SHA256: 90dd3d9ca2ca30bf8df76434b3a2d2bb3fa27c9971d224c305593412ce3310ac

1.6.1

• base.apk
  Size: 15024262
  SHA256: 4049f96b9ce85e0c28c7baf804652edaf5c5300b4c503e0f6f3ee4aa9419c0c1

1.6

• base.apk
  Size: 15525690
  SHA256: e0b6f78e50ec96eaa5be627dff83340a4f49a0100a851194361e5a644be03812

1.5.3

• base.apk
  Size: 15522074
  SHA256: ee0d5c160e09dc214be3d0f0df14feda705d8d21928150e5be97f182fece87ab

1.5.2

• base.apk
  Size: 15522497
  SHA256: 3c3affd6ce340a21a13811950cbd004fb1332db11c11f65895c40c6f401facfa

1.5.1

• base.apk
  Size: 15504362
  SHA256: 2e7c0972fdaa363585f9cde5b148c6eaa9708fd4c13fb1ceb33226af6d38c0ef

1.5

• base.apk
  Size: 15739034
  SHA256: 21853ab552b57d7b60f5cab29e2a7b753d7a69feedcbaee1ca004479c75ec77f

1.4.2

• base.apk
  Size: 12926199
  SHA256: 296b99313ef1eadc3b0f2ee47bf4ec995b30726b944aa74d005856b19a4b702a

1.4

• base.apk
  Size: 12962181
  SHA256: a0ae10d8c76942e17d2e39b3ec28941d84dd97adb5f056c7f10560e617041fa5

1.3

• base.apk
  Size: 13075592
  SHA256: 6229d63e14fbbd384e97bac55d0febde1f2aa46e1fdac81bc16125ef8d2e26cf

1.1

• base.apk
  Size: 4468724
  SHA256: 1d5c737fb735bea9b721ccd7534d15193cf81112d60bb506e26701c64b3666bd