App Security and Privacy Information

App Architecture Overview

  • Frontend: Built using the Ionic Framework for cross-platform mobile app support (iOS and Android).
  • Backend: Developed with PHP (Laravel framework) for robust and scalable server-side operations.
  • Database: Data is stored in MySQL 5.7, ensuring reliable and efficient data management.
  • Server: Hosted on an Nginx web server, optimised for performance and security.
  • User Resources: Stored in AWS S3.

Security Measures

  1. Data Encryption:
    • All data exchanged between the app and the server is encrypted using HTTPS (TLS 1.2/1.3), ensuring secure communication and protection against man-in-the-middle (MITM) attacks.
    • Sensitive data, such as passwords, is hashed using bcrypt before storage in the database.
  2. Authentication and Authorization:
    • User authentication is implemented with Laravel Sanctum to securely manage API tokens for session-based and token-based authentication.
    • Role-based access controls (RBAC) are applied to restrict access to sensitive operations and data.
  3. Database Security:
    • SQL injection prevention is enforced by using Laravel’s query builder and Eloquent ORM, which automatically parameterises queries.
    • Regular database backups are performed, and backups are encrypted to prevent unauthorised access.
  4. Input Validation:
    • All user inputs are validated on both the client and server side to prevent injection attacks, XSS (Cross-Site Scripting), and other vulnerabilities.
  5. Secure Hosting Environment:
    • The Nginx server is configured with best practices, including disabling unnecessary HTTP methods, implementing rate limiting, and ensuring only necessary ports are open.
    • The server uses firewalls and intrusion detection/prevention systems (IDS/IPS) for enhanced security.
  6. Regular Security Updates:
    • All components, including Laravel, Ionic, and MySQL, are regularly updated to the latest stable versions to mitigate known vulnerabilities.
  7. Session Management:
    • Sessions are managed securely with features like session expiration, idle session timeouts, and automatic logout on inactivity.
    • CSRF (Cross-Site Request Forgery) protection is enabled for all sensitive operations.

Privacy Measures

At a minimum, we work to maintain SOC 2 compliance.

  1. Data Minimization:
    • Only necessary user data is collected, and no sensitive information is collected without explicit user consent.
  2. Data Access:
    • User data is accessible only to authorised users and processes. Backend data retrieval is strictly tied to authenticated requests.
  3. Logging and Monitoring:
    • Logs are stored securely and only contain non-sensitive metadata to help identify and resolve issues without exposing personal information.
    • Real-time monitoring and alerts are implemented to detect unusual activities or potential breaches.

Proactive Measures

Disaster Recovery Plan: A comprehensive disaster recovery plan WILL BE in place to handle potential incidents like data breaches or server failures.

Penetration Testing: The app undergoes periodic penetration testing to identify and mitigate vulnerabilities.

Secure Development Practices: Adherence to OWASP standards ensures secure coding practices.