Security with RapidFTR

ashokkumar edited this page Feb 19, 2013 · 4 revisions

Here are some security bits which we've covered in the current web/Android app. Some of these will change/evolve as we play different features (offline login, multi-server support, etc.).

Hearing more about the security requirements from lead/partner agencies would help a lot to understand what we can/cannot implement.

Android App:

  • Encryption of the database using SQLCipher. Android by default uses SQLite for storage and allows us to browse through the database. SQLCipher is an adapter on top of SQLite which encrypts the database, so no one would be able to decrypt it.
  • The key used for encrypting the database is generated by the web server (based on the IMEI of the mobile logging in to the system) and sent to the mobile. That means we are not storing the logged-in user's password anywhere in the Android app. The complete approach is documented here.
  • Images captured as part of child records are NOT stored in the database (for performance optimization). Instead, the images are encrypted with the same DB key that we use for login (generated by the web app) and stored in a hidden folder on the SD card (or in internal memory if no SD card is available). Though the user can view all the hidden folders and files, they would not make any sense to the user, as the images are not usable (we'll NOT be able to render them with any image rendering tool). One possible option for the user is to hard-delete the images by browsing to the appropriate hidden location on the SD card.
  • All communication from Android to any connected server can be done through either HTTP or HTTPS. One possible issue with HTTPS: if the certificate is self-signed, or is not from an authorized CA in the default Android list, the app will not be able to communicate. Possible options to overcome this (which would be a manual process) are documented here. We'll move this to the GitHub wiki ASAP.
  • Followed all the general guidelines in generating the APK around obfuscating (remove unused references in the codebase), zipaligning (zip the entire APK to make it easier to share) and signing (this is yet to be done). Obfuscating/ProGuarding (making the APK code unusable so that no one can decompile the codebase) is not useful for a project like RapidFTR, where the codebase is completely open source.
  • More information on Android security is documented here
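
The key flow described in the list above, as an added example (not RapidFTR's own code): the server derives a per-device key from the IMEI, and that same key encrypts image files so they are unreadable without it. HMAC-SHA256 under a server-only secret, AES-256-GCM, and the names `device_key`, `key_hex`, `encrypt_image` and `decrypt_image` are assumptions; both sides are written in Ruby so the example runs as one file.

```ruby
require 'openssl'

# Constructed demo secret; a real server would load its own from protected config.
SERVER_SECRET = 'constructed-demo-secret'

# Hypothetical helper: per-device 256-bit key derived from the IMEI.
# HMAC-SHA256 under a server-only secret is an assumption, not the page's scheme.
def device_key(imei, secret = SERVER_SECRET)
  raise ArgumentError, 'IMEI must be 15 digits' unless imei =~ /\A\d{15}\z/
  OpenSSL::HMAC.digest('SHA256', secret, imei)
end

# Hex form of the key, as it could be sent to the device after login.
def key_hex(imei)
  device_key(imei).unpack('H*').first
end

# Encrypt image bytes with AES-256-GCM (assumed cipher).
# Stored layout: 12-byte nonce || 16-byte tag || ciphertext.
def encrypt_image(key, image_bytes)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  nonce = cipher.random_iv
  ciphertext = cipher.update(image_bytes) + cipher.final
  nonce + cipher.auth_tag + ciphertext
end

# Returns the image bytes, or nil when the key is wrong or the file was modified.
def decrypt_image(key, blob)
  return nil if blob.bytesize <= 28
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = blob.byteslice(0, 12)
  cipher.auth_tag = blob.byteslice(12, 16)
  cipher.update(blob.byteslice(28..-1)) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

if __FILE__ == $PROGRAM_NAME
  imei  = '123456789012345'                       # constructed IMEI
  image = "\xFF\xD8\xFF\xE0 constructed JPEG".b   # constructed image bytes
  blob  = encrypt_image(device_key(imei), image)
  puts "key sent to device: #{key_hex(imei)}"
  puts "right key:  #{decrypt_image(device_key(imei), blob) == image}"
  puts "other IMEI: #{decrypt_image(device_key('123456789012346'), blob).inspect}"
end
```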

Web App:

  • Supports https transport
  • General authentication and authorization(based on roles) is implemented
  • Supports backing up of data to a different server and this is helpful to recover the data at any point of time.
  • If we are looking at data-level security in the web app, it's not yet done, and we need to get some real use cases to do it. What I mean by data-level security is encrypting our CouchDB so that no one can barge into the server and see the data. Encrypting/safety of the DB could be a possible requirement if we are doing the netbook installation, where the database is open to any user who logs in to the netbook.
  • More information on Web security is documented here