Wednesday, April 26, 2017

Security Update (04/26)

Our first-time users must read the privacy policy before they can use the app. They are required to answer some short questions in order to demonstrate knowledge of the data that we require for our user study and of the data that we exclude from communications with our server.

1. We only collect anonymous research IDs; only instructors can correlate attendance logs with actual student names.
2. We do not continuously collect information; students send us information only when they click one of two specific buttons.
3. We never transmit images through the network; QR codes within the image are decoded, and the payload of the QR code is sent instead of the image itself.

We use Transport Layer Security (TLS; this used to be done with a now-obsolete technology known as SSL) to preserve data confidentiality (prevent snooping) as our application communicates with our server. This means that anyone "listening in" on the user's network traffic would only see what looks like a stream of random data, which could only be decrypted by our server.

We use networking libraries to send and receive data from our server. The Qt networking library helps us achieve encrypted communication on the iOS and macOS platforms, and the mbedtls networking library does the same on Linux and Android. Ideally, we would have used the Qt networking library for all of our platforms, but incompatibilities between Qt and Android prevented us from doing so.

My debugging sessions led me to discover that Android would load the version of the OpenSSL networking library present on the Android device instead of the OpenSSL networking library that we packaged for the Android application. This means that Android would prefer to use the software located on the user's phone (these are wildly different networking libraries), as opposed to loading a version of software that would be compatible with the Qt networking library.

So mbedtls, a cross-platform TLS networking library, became our Android and Linux networking library. Due to difficulties with the iOS build system, we continued to use the Qt networking library on Apple devices.

- Hugo
