The code behind the NHS Covid-19 App

Hands typing on a keyboard

We have Open Sourced the code behind the new NHS COVID-19 app.  In this technical blog post, Terence Eden, Head of Open Technology for NHSX, discusses the open source offer behind the beta version of the app.

Giving Feedback

We welcome technical feedback from developers and security researchers. Participation in the code development is via GitHub. We have a Code of Conduct for participants in order to create a safe and welcoming environment for all.

Bug reports and performance improvement suggestions can be made by opening an issue on GitHub.  We will review Pull Requests on a case-by-case basis.

If you think you have found a security vulnerability, we would appreciate responsible disclosure via our secure reporting platform - http://hackerone.com/nhscovid19app.

Open Source

All code is made available as Free and Open Source Software

It is released under the permissive MIT Licence - this allows you to copy and distribute the code for your own use. We are pleased to be working with several international health care systems and are grateful for their advice in developing this code.

We will also be open sourcing the backend code shortly.

Structure of the Code

There are three main repositories for this beta:

  1. Android app code

  2. iOS / Apple app code

  3. Design documentation and policies

Each repository has basic documentation. There are instructions for running the code but we cannot offer any support to 3rd party developers.

As is common, we have not included any of our private API keys. While you may be able to build the apps, you will not be able to connect to the backend. A self-built app will not be able to broadcast or receive contact tracing information.

Naming

While in Alpha, the app was known as "Sonar Co-Locate". The app has been released to the public as a Beta under the name "NHS COVID-19. The source code may still contain references to the old name.

Analytics and Tracking

The public version of the app does not use any third-party analytics. In order to improve the app, we need to collect information about what happens if it crashes. This will use the operating system's default error-reporting tools.

Our closed Beta will collect some volunteers' data for performance analytics and A/B testing. The libraries required for these analytics may still be present - but deactivated -  in the public version of the app.

Thanks

Finally, we would like to express our gratitude to all the developers, designers, privacy advocates, security researchers, and health experts around the world who generously gave their time and expertise. The power of open source comes from our ability to collaborate with talented people.

Make things open; it makes things better.