-
Notifications
You must be signed in to change notification settings - Fork 0
Security Issues
Cocky's Way understands the importance of passwords and the role they play in safeguarding users' private information. To ensure that user's passwords stay secure, we will enforce minimum password security requirements to ensure that passwords can't be easily guessed. In addition to this, we will use hashing algorithms within our app to ensure that passwords don't ever travel across networks in a way that could be understood by attackers. Passwords will never be stored in plaintext. By following these security practices, Cocky’s Way ensures that users’ passwords and personal information remain protected at all times, minimizing the risks of unauthorized access and data breaches.
Cocky's Way understands that course schedule information is private information, and we take serious measures to ensure that it doesn't end up in the wrong hands. Utilizing account usernames and passwords (see above), we ensure that no user will be able to access schedule information that doesn't belong to them. In addition, personal identifiable information (such as names or emails) will never be stored in the same collection within Firestore. This ensures that even if someone were to gain access to a schedule, they would only see a unique identifier rather than a name. Lastly, schedule information from previous semesters will be deleted at the beginning of each new semester.
Cocky’s Way is designed to avoid collecting unnecessary information. We are not in the business of stealing or storing data that isn’t essential to the functionality of our app. This approach minimizes the need for any additional sensitive information. However, if we do collect other types of data, rest assured that all information will be securely stored in our Firestore collections, inaccessible to other users, and will never be stored alongside any personally identifiable information.
MITM attacks will be ineffective in extracting data from application transmissions due to the use of encryption algorithms for all communications.
Cocky's Way will implement recovery measures for those whose accounts are compromised. ?(Token, 2FA, email link)?
Firebase Cloudstore and Authentication are compliant with the following security standards:
ISO 27001 | ISO 27017 | ISO 27018 | SOC 1 | SOC 2 | SOC 3
All other services are compliant with SOC 1, 2, and 3 and ISO 27001 standards at a minimum. More information can be found at the following link: https://firebase.google.com/support/
Cocky's Way embraces open-source development practices that by their transparent nature prevent insider attacks. In the event that an insider attack occurred, it would be traceable to the individual who accessed/inserted/altered data.
This will be unlikely to present a significant problem for this app's security, as the development team is familiar with each other's official and unofficial contact information, patterns, voice, and other individual identifiers.
This is a vector of great concern. We are beginning our development career and are still learning the appropriate ways to implement new technologies, and as such, we are prone to making errors that more experienced developers would avoid or mitigate. This could potentially cause vulnerabilities in the code that we publish.
Phishing scams are unlikely to occur through Cocky's Way, as user emails would be difficult to access by those intending to cause harm.
Zero-day vulnerabilities an be mitigated by temporarily disabling the application. However, these vulnerabilities cannot be defended against until they are made public, which would require expedient patches/fixes in order to prevent any further damage.
Cocky's Way will lock accounts after a set amount of failed attempts.
Cross-site scripting (XSS) is unlikely to occur, as Cocky's Way exists through an app rather than through a browser.
SQL-Injections are not a concern, as Firestore is not an SQL database.
All info will be encrypted before transit.
Cockys-Way