The Best Beginning App

How we increased security across all devices

In the past few weeks, we had the chance to talk with many of you who have taken the time to test the TBB APP. First, we would like to thank every one of you for your feedback. One common concern was the security of your data. After all, keeping your clients' data safe is not only something you should feel personally responsible for; some countries may also require it by law.

This article explains the technical details of how we secure your data in the TBB APP and why we chose to implement it this way.

App Data Structure

First of all, it is important to understand how the data is structured in the cloud.

As you can see in the graphic above, the data inside the app does not belong to the individual app users but to the company created during the registration step.

Each company can have multiple users and only one owner/administrator who manages all users.

To ensure that your clients' data is safe, we encrypt all data that can contain sensitive information. This includes, but is not limited to, all personal details of a client and their kids, all consultation data, and all clients' test results.

This means that while the TBB APP team can see that you add data to the cloud, we cannot decrypt it and/or use it in any way.

Data Encryption

For encryption, we decided to use TweetNaCl.js, a library of encryption tools that has been audited by Cure53, a German security research firm. The overall result of the audit is that no security issues were found. You can read the entire report here. One of its core features is also implemented by Microsoft's own cryptographic libraries, and it is credited with a military level of data security.

In essence, the encryption works like this:

In the graphic above, you can see that the most sensitive information is the private key. With the private key, anyone can decrypt all your data. From a development point of view, the overall challenge was to share the private keys securely across multiple users and devices within a company. Our solution provides the flexibility for users to access the data even if they lose access to their device or password and still guarantees a high level of security.

We store the private key in three places for each user:

  • In the cloud:
    • Encrypted with the user’s password: The private key is stored encrypted in the cloud. In this case we use the same key for encryption and decryption, which is the user’s password. To secure this further, we have a few requirements for each user’s password.
    • Encrypted with answers to security questions: During registration, all users are asked to add at least three questions and their answers to their account. With these answers we encrypt the private key and store it in the cloud.
  • On the device: Whenever a user logs in to the app, the key is downloaded and stored locally fully encrypted.

Using this structure ensures that the private key is never stored without encryption in the cloud. Yet, the users can still recover it with one of the answers to their own security questions in case they lose their device or cannot remember their password.
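The wrapping scheme described above, as an added example that is not the TBB APP's own code: one private key is encrypted separately under the password and under each security answer, and any single wrap recovers it. Node's built-in scrypt and AES-256-GCM stand in for the key derivation the article does not specify and for TweetNaCl.js; the per-answer wrapping, the answer normalisation, the sample secrets and all function names are assumptions.

```javascript
const crypto = require('node:crypto');

// Assumption: answers are normalised so " rex " and "Rex" derive the same key.
const normalise = (s) => s.normalize('NFKC').trim().toLowerCase();

// Stretch a low-entropy secret into a 32-byte wrapping key (scrypt is an assumed KDF).
function deriveKey(secret, salt) {
  return crypto.scryptSync(secret, salt, 32, { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
}

// Encrypt the private key under one secret; salt and nonce are fresh per wrap.
function wrapKey(privateKey, secret) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(secret, salt), nonce);
  const ct = Buffer.concat([cipher.update(privateKey), cipher.final()]);
  return { salt, nonce, ct, tag: cipher.getAuthTag() };
}

// Returns the private key, or null when the secret is wrong or the blob was altered.
function unwrapKey(blob, secret) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(secret, blob.salt), blob.nonce);
  decipher.setAuthTag(blob.tag);
  try {
    return Buffer.concat([decipher.update(blob.ct), decipher.final()]);
  } catch {
    return null;
  }
}

function demo() {
  const privateKey = crypto.randomBytes(32); // constructed stand-in for the real key
  const password = 'correct horse battery staple'; // constructed sample secret
  const cloud = { // what the server would hold: ciphertext only
    byPassword: wrapKey(privateKey, password),
    byAnswer: ['Berlin', 'Rex', 'Opel'].map((a) => wrapKey(privateKey, normalise(a))),
  };
  const viaPassword = unwrapKey(cloud.byPassword, password);
  const viaAnswer = unwrapKey(cloud.byAnswer[1], normalise(' rex '));
  return {
    viaPassword: viaPassword !== null && viaPassword.equals(privateKey),
    viaAnswer: viaAnswer !== null && viaAnswer.equals(privateKey),
    wrongPassword: unwrapKey(cloud.byPassword, 'hunter2'),
  };
}

console.log(demo());
```

Because every wrap can be attacked offline by whoever obtains the stored blobs, the private key is only as strong as the weakest secret protecting it, which is usually a security answer.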

Using Firebase Authentication & Firestore

We decided to use Firebase as our platform of choice for storing data and handling authentication. Firebase is a service by Google that allows developers to integrate data storage and authentication securely. In fact, Firebase Authentication and Firestore are certified under the following privacy and security standards:

  1. ISO 27001
  2. ISO 27017
  3. ISO 27018
  4. SOC 1
  5. SOC 2
  6. SOC 3
  7. GDPR & CCPA

If you are interested in finding out more about how Firebase manages security, follow this link.

Conclusion

We carefully selected the tools and services that allow the TBB APP to function as it currently does. In addition, we continue to improve the app’s features and structure to ensure a safe and functional environment for all users.

This article was written by Jan Rohweder, Co-Founder of TBB APP and Managing Director of Marketing Bear. His team at Marketing Bear is responsible for the app development and security.

Do you have further Questions?

Contact us and we will respond right away.
