HaMagen was developed in a joint effort by developers from the Ministry of Health, commercial companies, and volunteers from various organizations and the developer community in Israel.
Once every set period of time (currently once an hour), the application downloads a file with an anonymous list of locations in which diagnosed COVID-19 patients have visited (patients who were examined by the Ministry of Health and underwent epidemiological investigation by the various tools at the Ministry's disposal) from the Ministry of Health's cloud (including dates and times) and then the application will cross-reference these locations against your locations (including dates and times) that are stored in your device.
Information about locations and times is cross-referenced within your device, and not on the cloud. Your locations are not sent to the Ministry of Health, unless you have authorized the Ministry of Health to receive this information for purposes of help in identifying people who have been exposed and who must enter home isolation as soon as possible. Should the application discover that there is a possibility that you have been at the same place and at the same time as a diagnosed patient, you will receive a notification from the application with the details of the location and times where you have been exposed to a patient.
Upon receiving the notification from the application, it is recommended that you take precautions and verify this information at the Ministry of Health's website where these lists are published, as well as maps with the locations where verified patients stayed. If you have any doubts regarding the precision of the information provided by the application, you may consult the Ministry of Health's hotline at *5400, or the hotline of your HMO, regarding points of exposure.
The file is generated in the Ministry of Health's epidemiological system. It contains only verified information that was received from laboratories and epidemiological investigations and is monitored by the Ministry of Health. Prior to sending, the file is digitally signed with the Ministry of Health's digital signature. Upon receiving the file, the digital signature is examined by the application, to verify that the file was received from the Ministry of Health in an orderly manner, in order to prevent the breach of malware into the application.
We are aware of the existence of attack and breach attempts, and we are doing our best to protect the application so that it can protect you.
We plan to publish the application's source code on GitHub soon and manage it as open code (except for several commercial libraries that we use).
The application was tested by several cyber and information security agencies, including staff from Israel National Cyber Directorate, specialists from the commercial sector, and leading information security and cyber experts from the civil cyber and information security community in Israel. Security checks included architectural checks, code reviews, and PT (breach checks). Adjustments were made according to the recommendations received, and we are currently convinced that the application is sufficiently secure for use, adequately protected from attacks and malfunction, and capable of providing user services in accordance with its purposes.
Although we spared no effort, professional experience, and controls, there is no such thing as a completely secure system. Therefore, we are committed to informing the user public of information security incidents that affect them, so that they can take necessary precautions.