APRICOT Design

1. Registration

1.1 Generate OTP

App sends phone num, app_id, device_id. Server creates and associates a random OTP token with the given details. Server sends this token to the given phone num via sms.

1.2 Verify OTP

App sends otp, phone num, app_id, device_id. Server verifies otp and logs in the user if the given otp is correct. The server generates for the user an access token, user id and pseudo ids (see pseudo id generation below). This generated info is returned to the app as the api response.

1.3 Pseudo id generation

• Generation of NUM_PSEUDO_IDS (Default 1000) pseudo-ids per user
• At time of user account creation, generate NUM_PSEUDO_IDS random pseudo-ids (all 160 bit), send it to app at time of successful login
• First 128 bits are set to the pattern: 8888-8888-8888-8888-8888-8888-8888-8888 (32 hexadecimal 8s)
• Server stores pseudo id -> user mapping in database.

2. Data collection

2.1 Beacon Specification

Suppose beacon length is 160 bits. Just one of random pseudo-ids received from server is used. Phone sets beacon randomly: changes every BEACON_CHANGE_INTERVAL (Default 5 mins)

2.2 Beacon Detection and Storage

• App scans every BEACON_DETECT_INTERVAL (Default 1 min)
• Stores list of beacons seen (160 bit values)
• If CONTACT_TIMESTAMP_OPTION (Default yes) enabled then 32-bit TimeStamp = real app-side timestamp
• Else the 32-bit TimeStamp = all zeros
• Store in file; new file everyday; can delete files older than CONTACT_HISTORY_MAX (Default 30) days
• Storage estimate: Say 20 beacons found every minute, file size per day = (160+32) x 20 x 60 x 24 = 691,200 bytes per day

3. Upload contact trace

• App specifies its own clock time at the time of upload, to adjust for timing diff between server and app
• Login token expected
• Aside from this, this API is just a file upload (POST)
• The app may call the API multiple times, once for each file

4. View contact trace

• This needs authority login on the server (accounts will be created manually by admin)
• Input: phone number (will be of patient who tested +ve, but server code does not need to know that)
• Get real user-id from pseudo-user-id (using database index lookup)
• The list will include timestamp too (will be 0 if CONTACT_TIMESTAMP_OPTION (Default yes) disabled)

Apricot Open Source Implementation

Android code: https://gitlab.com/mayankkussh/apricot

iOS code: https://gitlab.com/hshahrukh/contact-tracing-ios

Server code: https://gitlab.com/mhjn_shweta/contact_tracing