
dhis2-users team mailing list archive

Re: Android applications security risk

 

Thanks Marta, I appreciate the feedback and will look into those links.
Regards
Ed

-----Original Message-----
From: Marta Vila [mailto:martavila@xxxxxxxxx] 
Sent: Wednesday, 21 February 2018 11:23 AM
To: Edward Robinson <erobinson@xxxxxxxxxxxxxxxxxx>
Cc: Ignacio Foche <nacho.foche@xxxxxxxxx>; dhis2-users <dhis2-users@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [Dhis2-users] Android applications security risk

Hi Ed,

Those requests were actually pretty popular when we had the community feedback and they are being included in the new App. Unfortunately they will not be present in the current Apps.

These are a few Jira issues about improving security that you might want to follow up:

- Do not delete data when user logs out
https://jira.dhis2.org/browse/ANDROAPP-582
- Lock app to prevent unauthorised access
https://jira.dhis2.org/browse/ANDROAPP-590
- Block after Multiple access Failure
https://jira.dhis2.org/browse/ANDROAPP-616
- Access auditing
https://jira.dhis2.org/browse/ANDROAPP-610
- Encrypt data base
https://jira.dhis2.org/browse/ANDROAPP-588

Best,
Marta


On 19/02/2018, Edward Robinson <erobinson@xxxxxxxxxxxxxxxxxx> wrote:
> Thanks Ignacio, hopefully it will be implemented soon.  I don’t think 
> it’s unexpected in some communities for people using the app to be 
> sharing their device with other friends / family if it’s a personal 
> device.  I’m not familiar with the technical side of the application, 
> do you know if the data on the device is encrypted at rest?
> Regards
> Ed
>
> From: Ignacio Foche [mailto:nacho.foche@xxxxxxxxx]
> Sent: Monday, 19 February 2018 3:36 AM
> To: Edward Robinson <erobinson@xxxxxxxxxxxxxxxxxx>
> Cc: dhis2-users <dhis2-users@xxxxxxxxxxxxxxxxxxx>
> Subject: Re: [Dhis2-users] Android applications security risk
>
> Hi Ed,
>
> In the Current DHIS2 Apps there's no way to ask for the password on a 
> per-session basis (nothing like a sign-out + sign-in without DB wipe). 
> As far as I know, there are plans for this on the new app (at least 
> we've already provided such a function in the new SDK) but regarding 
> the new app roadmap I'm not the appropriate person to talk, so I leave 
> Marta to complete my answer.
>
> In the meanwhile, I would suggest protecting your device with a PIN, 
> so only the authorized person can unblock the device.
>
> I hope it helps.
>
> Best regards
>
> On Fri, 16 Feb 2018 at 19:18, Edward Robinson
> <erobinson@xxxxxxxxxxxxxxxxxx> wrote:
> Is there any way to sign out of the Android application?  We’re 
> wanting to use it to track highly sensitive patient level data in the 
> field but can’t find a sign out option in the application.  I’m 
> concerned that if a field worker loses a phone this is a serious 
> security risk.  Am I missing something, or is there no way to sign out 
> of the application without wiping the local data?  Is this a feature still planned for future?
>
> Regards
> Ed
> --
> Ignacio Foche Pérez
>
