You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
errhammr 383a8bf1d8
Adjust metadata for version 0.2.0-rc1
2 years ago
.idea Make the app look more authentic 2 years ago
app Adjust metadata for version 0.2.0-rc1 2 years ago
fastlane/metadata/android/en-US Adjust metadata for version 0.2.0-rc1 2 years ago
gradle/wrapper Initial commit 2 years ago
.gitignore Initial commit 2 years ago
LICENSE_DE.txt Initial commit 2 years ago
LICENSE_EN.txt Initial commit 2 years ago Add link to IzzyOnDroid F-Droid repo to README 2 years ago
build.gradle Initial commit 2 years ago Initial commit 2 years ago
gradlew Initial commit 2 years ago
gradlew.bat Initial commit 2 years ago
settings.gradle Initial commit 2 years ago

Lucia App

In Germany, the government is rolling out an app for QR code based contact tracing. The app claims to protect user data but actually it does not, at least at the time of writing.

The name of that app shall not be named here. It will be referred to in this document as the “real” app.

The Lucia app is capable of generating fake QR codes that users can use to check in at locations while not providing any personal data whatsoever.

You can get the app on F-Droid from the IzzyOnDroid repo.

Alternatively, go to Releases to download the App (APK).

A huge thank you to the awesome members of the FLOSS community who made the Lucia app available on F-Droid!

How it works

The “real” app has four different ways of checking in at a location:

  1. Letting a staff member at the location scan a QR code from your smartphone
  2. Scanning a QR code provided by the location using your smartphone
  3. Letting a staff member at the location scan a QR code from a special key tag

The Lucia app can help you check in using the first option. It generates and shows a QR code that can be scanned by a staff member at the location. This QR code will be considered valid by the check-in system. It does not, however, contain any personal data about you.

The “real” app puts an encrypted identifier into the QR code that tells the system who you are. This identifier is encrypted and cannot be decrypted by the check-in system. The check-in system will simply forward the encrypted identifier to a server where it will be stored. Some time later (days, maybe weeks) and only when an infected person has visited the location at the same time as you, the encrypted identifier will be decrypted.

The Lucia app makes use of the fact that encrypted data is indistinguishable from random data. So instead of an encrypted identifier it puts random data into the QR code. This does not interfere with the check-in process because the check-in system does not decrypt the identifier. So basically, the Lucia app allows you to enter any location that you would need the “real” app for.

It does not, however, let you perform a check-out procedure. That is not a problem because you will automatically get checked out after 24 hours. Also you will not be warned or contacted in the case of a possible infection.

Why though?

I’ve created the app mainly out of curiosity. I wanted to see if it was possible to create fake QR codes that let you complete the check-in procedure at locations. It turned out to be possible and so I created this app to make it accessible to every person using an Android smartphone (Version 4.4 “Kitkat” or newer).

Future plans

Currently I do not plan to develop this app any further. It does what it was made for. I expect the “real” app to advance and it is likely that the Lucia app will stop working some time in the future if the QR code format of the “real” app changes. I may or may not adjust the Lucia app to be compatible with any new or other features of the “real” app.

You can, however, fork this repository and tinker with the code. Try, learn and improve things. Feel free to create pull requests or maintain your own fork.


This app and it’s source code are published under the terms of the EUPL version 1.2 only. See LICENSE_EN.txt for an English version of the license.

Diese App und ihr Quellcode werden unter den Bedingungen der EUPL Version 1.2 veröffentlicht. Siehe LICENSE_DE.txt für eine deutsche Fassung der Lizenz.