CVE-2020-35693
Hi, I'd just like to point out a recent CVE (CVE-2020-35693) that may affect TousAntiCovid (Android version). It is a firmware bug (or 'feature', depending on who you ask) affecting Samsung mobile devices running Android 7.1.1 or earlier, allowing anyone to pair with a vulnerable device if the device is advertising a connectable GATT service (just like TousAntiCovid does).
https://github.com/alwentiu/contact-tracing-research/blob/main/samsung.pdf
I am not sure if it's possible to mitigate this issue from within the app, but thought I should post it here so at least users will be aware of this potential issue. Since this affects only old Samsung devices, hopefully it will not have a significant impact (but note that I'm not knowledgeable about the market share of those devices in France).
A bit of context on this bug: I discovered this while examining the Australian contact tracing app COVIDSafe (that's also affected). Only recently did I think of checking other related apps, and I discovered that TousAntiCovid suffers from the same issue. For some reason I previously thought TousAntiCovid (or StopCovid) did not use a connectable advertisement (as it seems that the payload is embedded in the advertisement data -- why do you still need to make the advertisement connectable?). Samsung has said they have no plans to fix this bug.
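As an added illustration (not code from the TousAntiCovid project or from the reporter), the Android advertising configuration that keeps the advertisement non-connectable, which is the question the report raises, plus a scan callback a maintainer could use to verify in the field whether the app's advertisement is connectable. The service UUID and log tag are placeholders, and whether a non-connectable advertisement is sufficient against the reported Samsung bug is an assumption the maintainers would need to check against the linked paper.

```kotlin
import android.bluetooth.BluetoothAdapter
import android.bluetooth.le.AdvertiseCallback
import android.bluetooth.le.AdvertiseData
import android.bluetooth.le.AdvertiseSettings
import android.bluetooth.le.ScanCallback
import android.bluetooth.le.ScanResult
import android.os.ParcelUuid
import android.util.Log

// Placeholder service UUID; the app's real UUID would go here.
private val SERVICE_UUID: ParcelUuid = ParcelUuid.fromString("0000feed-0000-1000-8000-00805f9b34fb")

/** Advertise [payload] as service data in a NON-connectable advertisement. */
fun startNonConnectableAdvertising(adapter: BluetoothAdapter, payload: ByteArray): Boolean {
    val advertiser = adapter.bluetoothLeAdvertiser ?: return false // BLE advertising unsupported
    val settings = AdvertiseSettings.Builder()
        .setAdvertiseMode(AdvertiseSettings.ADVERTISE_MODE_LOW_LATENCY)
        .setTxPowerLevel(AdvertiseSettings.ADVERTISE_TX_POWER_MEDIUM)
        // The setting that matters here: a non-connectable advertisement cannot be the
        // target of a connection request, so no GATT session can be opened against it.
        .setConnectable(false)
        .setTimeout(0) // 0 = advertise until stopAdvertising() is called
        .build()
    val data = AdvertiseData.Builder()
        .setIncludeDeviceName(false)    // keep the 31-byte legacy PDU free for the payload
        .setIncludeTxPowerLevel(false)
        .addServiceUuid(SERVICE_UUID)
        .addServiceData(SERVICE_UUID, payload)
        .build()
    advertiser.startAdvertising(settings, data, object : AdvertiseCallback() {
        override fun onStartFailure(errorCode: Int) {
            // ADVERTISE_FAILED_DATA_TOO_LARGE (1) means the payload does not fit the PDU.
            Log.w("BleAudit", "advertising failed with error $errorCode")
        }
    })
    return true
}

/** Audit callback (API 26+): logs any advertisement of the service that is connectable. */
val connectableAudit: ScanCallback = object : ScanCallback() {
    override fun onScanResult(callbackType: Int, result: ScanResult) {
        val advertisesService = result.scanRecord?.serviceUuids?.contains(SERVICE_UUID) == true
        if (advertisesService && result.isConnectable) {
            Log.w("BleAudit", "connectable advertisement seen from ${result.device.address}")
        }
    }
}
```

Pass `connectableAudit` to `BluetoothLeScanner.startScan()` on a second phone to confirm that the deployed build actually advertises as non-connectable; `ScanResult.isConnectable()` is only available on Android 8.0 and later.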