HaMagen was developed in a joint effort by developers from the Ministry of Health, commercial companies, and volunteers from various organizations and the developer community in Israel.
Once every set period of time (currently once an hour), the app downloads a file with an anonymous list of locations from the Ministry of Health's cloud (including dates and times) in which verified Coronavirus patients have visited (patients who were examined by the Ministry of Health and underwent epidemiological investigation by the various tools at the Ministry's disposal) as well as proximity data of verified Coronavirus patient on whose cellular devices this app was installed, and check these locations and proximity data against the locations and proximity data (including dates and times) that were stored on your device.
Information about locations and proximity data, including times, is cross-referenced within your device, and not on the cloud. Your locations are not sent to the Ministry of Health unless you have authorized the Ministry of Health to receive this information for purposes of help in identifying people who have been exposed and who must enter home isolation as soon as possible. Should the app determine that there is some probability that you were in the same place and the same time as a verified patient, you will receive a notification from the app with the details of the place and time of exposure to a verified patient and, you will be required to approve the details of this notification. Should the app identify an overlap by the proximity data to a verified patient, you will receive information instructing you to enter isolation. Should the app identify several instances of overlap with location data or proximity data with a verified patient, you will receive a notification with the latest date in which you came in contact with the verified patient.
Upon receiving the notification from the app, it is recommended that you take precautions and verify this information at the Ministry of Health's website where these lists are published, as well as maps with the locations where verified patients stayed. If you have any doubts regarding the precision of the information provided by the app, you may consult the Ministry of Health's hotline at *5400, regarding points of exposure.
The file is generated in the Ministry of Health's epidemiological system. It contains only verified information that was received from laboratories and epidemiological investigations and is monitored by the Ministry of Health. Before sending, the file is digitally signed with the Ministry of Health's digital signature. Upon receiving the file, the digital signature is examined by the app, to verify that the file was received from the Ministry of Health in an orderly manner, in order to prevent the breach of malware into the app.
We are aware of the existence of attack and breach attempts, and we are doing our best to protect the app so that it can protect you.
The app's source code is managed and published on GitHub: https://github.com/MohGovIL/hamagen-react-native
The Ministry of Health takes extra precautions to protect your privacy and confidentiality. Accordingly, the app was tested by several cyber and information security agencies, including staff from Israel National Cyber Directorate, specialists from the commercial sector, and leading information security and cyber experts from the civil cyber and information security community in Israel. Security checks included architectural checks, code reviews, and PT (breach checks). Adjustments were made according to the recommendations received, and we are currently convinced that the app is sufficiently secure for use, adequately protected from attacks and malfunction, and capable of providing user services in accordance with its purposes.
The Ministry of Health regularly monitors data security and privacy protection software and updates it accordingly.
Although we spared no effort, professional experience, and controls, there is no such thing as a completely secure system. Therefore, we are committed to informing the user public of information security incidents that affect them, so that they can take necessary precautions.