Skip to content

Security Issues

Chloe Brown edited this page Nov 4, 2024 · 11 revisions

Sensitive Information

Passwords

Cocky's Way understands the importance of passwords and the role they play in safeguarding users' private information. To ensure that user's passwords stay secure, we will enforce minimum password security requirements to ensure that passwords can't be easily guessed. In addition to this, we will use hashing algorithms within our app to ensure that passwords don't ever travel across networks in a way that could be understood by attackers. Passwords will never be stored in plaintext. By following these security practices, Cocky’s Way ensures that users’ passwords and personal information remain protected at all times, minimizing the risks of unauthorized access and data breaches.

Schedule Information

Cocky's Way understands that course schedule information is private information, and we take serious measures to ensure that it doesn't end up in the wrong hands. Utilizing account usernames and passwords (see above), we ensure that no user will be able to access schedule information that doesn't belong to them. In addition, personal identifiable information (such as names or emails) will never be stored in the same collection within Firestore. This ensures that even if someone were to gain access to a schedule, they would only see a unique identifier rather than a name. Lastly, schedule information from previous semesters will be deleted at the beginning of each new semester.

Other Possible Sensitive Information

Cocky’s Way is designed to avoid collecting unnecessary information. We are not in the business of stealing or storing data that isn’t essential to the functionality of our app. This approach minimizes the need for any additional sensitive information. However, if we do collect other types of data, rest assured that all information will be securely stored in our Firestore collections, inaccessible to other users, and will never be stored alongside any personally identifiable information.


Attack Vectors

Man in the Middle (MITM)

MITM attacks will be ineffective in extracting data from application transmissions due to the use of encryption algorithms for all communications.

Password Compromise

Cocky's Way will implement recovery measures for those whose accounts are compromised. ?(Token, 2FA, email link)?

Service Database Compromise

Firebase Cloudstore and Authentication are compliant with the following security standards:

ISO 27001 | ISO 27017 | ISO 27018 | SOC 1 | SOC 2 | SOC 3

All other services are compliant with SOC 1, 2, and 3 and ISO 27001 standards at a minimum. More information can be found at the following link: https://firebase.google.com/support/

Insider Threats

Cocky's Way embraces open-source development practices that by their transparent nature prevent insider attacks. In the event that an insider attack occurred, it would be traceable to the individual who accessed/inserted/altered data.

Social Engineering

This will be unlikely to present a significant problem for this app's security, as the development team is familiar with each other's official and unofficial contact information, patterns, voice, and other individual identifiers.

Misconfiguration

This is a vector of great concern. We are beginning our development career and are still learning the appropriate ways to implement new technologies, and as such, we are prone to making errors that more experienced developers would avoid or mitigate. This could potentially cause vulnerabilities in the code that we publish.

Phishing

Phishing scams are unlikely to occur through Cocky's Way, as user emails would be difficult to access by those intending to cause harm.

Zero-day

Zero-day vulnerabilities an be mitigated by temporarily disabling the application. However, these vulnerabilities cannot be defended against until they are made public, which would require expedient patches/fixes in order to prevent any further damage.

Brute Force

Cocky's Way will lock accounts after a set amount of failed attempts.

XSS

Cross-site scripting (XSS) is unlikely to occur, as Cocky's Way exists through an app rather than through a browser.

SQL-Injection

SQL-Injections are not a concern, as Firestore is not an SQL database.

Session Hijacking

All info will be encrypted before transit.

Clone this wiki locally