Dataflow in mobile app using Nettskjema and TSD
This document descibes how mobile apps can collect data using the infrastructure of Nettskjema with secure storage in TSD and how we can make sure that data sent fra the mobile app is secure.
Back-end for mobile apps
All mobile apps we develop will submit the data to a form in Nettskjema running on https://nettskjema.uio.no. In mobile apps running on iOS there will be submitted a JSON-file that contain the data the app has collected. This can include pictures, sound files, GPS data etc. We assume Android and Windows Mobile have the same functionality.
This file wil be uploaded over https in to a form on https://nettskjema.uio.no where it will be PGP encrypted in memory and transmitted secure to TSD. The data will never be stored on any disks outside TSD.
Collecting data using external devices
We have only tested how we can collect data with external devices with iPhone yet.
Apple have a framework for medical research called Research kit. See more at https://developer.apple.com/researchkit/
Research Kit has a standard set of functionality that ca be used when you make a mobile app for collecting data for medical research. This include surveys, information about privacy, graphical design and a set of functionality to make it easier to create a mobile app. Reseach kit also have a framework to read and write medical data to iHealth where data from external devices will be stored.
iHealth is an app on every iphone where you can store a defined set of medical information about yourself. This can be weight, walking distance, blood type etc. When you connect ta device to you iPhone via bluetooth that collect data that can be stored in iHealth; this data have to be stored there. For example: If you connect you iPhone to a sphygmomanometer to measure your blood pressure, the sphygmomanometer will have a app the control the device, read the data and store it in iHelath. We can read this data fra our mobile app using an API called Health Kit. Data stored in iHealth will not be stored in the Apple Cloud, and the user is in full control of which mobile apps that can read and write from iHealth.
We consider the security in iHelath as good, and we are able to read and write to iHealth with our mobile apps.
Sending push notifications back to the mobile device
With every submission, there will be delivered a device ID with the JSON. This is a unique identifyer of the device (Iphone/iPad). Using this ID Apple will be able to send notifications to the device. We do not send the message to Apple, only the ID of the device and the URL to where they can collect the message.
Our solution of safe massaging will be to set up an application in TSD that can communicate messages and deviceIDs with Nettskjema. Nettskjema will notify Apple, Apple will send a push message to the device and the device will collect the message from Nettskjema. Nettskjema can verify that the device have the correct device ID, and delete the massage after delivering it.
We assume Android and Windows mobile have the same kind of solution to notify devices using their OS.
Using standard framework we are able to create mobile app for collecting data and transfer and store the data secure based on our infrastructure for secure data collection with Nettskjema and TSD.