DesFsfDeveloper Posted February 14, 2019 Posted February 14, 2019 Data Protection and the next generation Tapestry Android app The next generation Tapestry Android app, which is now available in beta, has different implications for data protection from the old Android app. This note explains those differences. They relate to: Caching of data on the device Push notifications Adding observations when offline Local copies of data Copies of pictures or videos taken within the app This is unchanged. Behaviour is slightly different to the ‘classic’ Tapestry app, all photos and videos created inside the app are deleted once the observation is submitted. To store a local copy of the media will require you to open the observation and select the save icon on the picture or video, this will then save a copy to your devices public gallery. All images browsed within the app but not saved are stored securely in the apps private store. The encryption of this area is dependant on the device manufacturer and Android version. It is likely that devices using Android versions greater than 5.0 will have encrypted storage enabled by default. Login details The default is unchanged. As with the ‘classic’ Tapestry app, once you’ve logged in once, the app stores a special ‘key’ that allows you to login using just a PIN for up to ten days. Temporary copies of downloaded data This has changed. The ‘classic’ Tapestry app would always download fresh copies of all the data it needed, every time it needed it. It would only store small amounts of that data locally. This meant that the classic app required a very strong internet connection at all times, which was difficult for many of our customers. The next generation app is designed to work with much less reliable internet connections. To do that, it stores copies of data it has already downloaded locally, and only checks it against the server intermittently. The data is encrypted (with the limitations detailed above) and, unless your device has been ‘rooted’, inaccessible outside of the app. Therefore if the device is stolen, the data remains safe and should be inaccessible. The app deletes any downloaded data that hasn’t been used in 4 days (for staff) or 10 days (for relatives), in which case it will re-download it from the server. If you would like the app to store less (or more) data than that, then please contact us and we will change the setting for your school. It also means that changes to data on the server may not appear immediately in the app, though it will check for changes each time a user logs in, so long as it can get an internet connection, or if you choose to manually trigger a refresh. Temporary copies of uploading data This has changed slightly. The ‘classic’ Tapestry app would store copies of data relating to a new observation while you were creating the observation and while it was uploading. Once the upload was complete the data was deleted. The next generation Tapestry app does the same. However, the next generation Tapestry app has two new features which may, in certain circumstances, increase the number of new observations that are temporarily held, or hold them for longer: Users can save draft / unfinished observations for up to 10 days (staff) or 30 days (relatives). Users can queue up uploads — they don’t have to wait for an observation to finish uploading before they can leave the app or do other things in the app). Push Notifications This is optional and did not exist in the 'classic' app. You can enable ‘push’ notifications for your setting using the Tapestry Control Panel. Once you do, the end user will also need to enable push notifications in the ‘You’ section of the Tapestry app on their specific device before they will start working. If they are enabled, then the notification message will need to go via Google's servers. The message may also, depending on how the user has set up their device, appear on the lock screen of their device for anyone to see. Because of this, the default is for the push notifications to say that 'Tapestry has 1 notification' without describing what the notification is. To include a description of what the notification is about, the setting will need to go to the Tapestry Control Panel and change the option for ‘Include names in push notifications’ AND the end user will need to enable it when they enable notifications on their device in the 'You' section of the Tapestry app. Adding observations when offline This is optional and did not exist in the 'classic' app. You can enable ‘Logging into the Tapestry app with no internet connection’ for your setting. Once you do, the end user will also need to enable offline logins in the ‘You’ section of the Tapestry app on their specific device before the feature will start working. This allows new observations to be added without an internet connection, and then the observations uploaded once the device is back online. It can also make the app feel faster, particularly at login, if the internet connection is slow or intermittent. Once the user has logged in, they will be able to see their data that has been stored locally on the device while the device is offline. When the device goes online it will check that the user is still allowed to login and that their login details are correct. If they are not, they will be logged out. If you enable this, then it has two implications: Even after you make a user inactive, they will still be able to log into the app and view whatever observations are stored locally on the device until the device next goes online with the app open. They will not be able to get new observations, or upload anything. An attacker with access to the device will have a few more opportunities to guess a user’s PIN before being locked out. This is a particular issue if your PIN codes are easy to guess or shared. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.