We recently received several security questions from a prospect located in Canada. We thought they asked some great questions about security in AppTree version 5.5 and wanted to share them here:

QUESTION 1) Where is the cloud-hosted (or vendor-hosted) system located geographically? In Canada, the US, or elsewhere? If backups of the system and/or data are stored at a different site, where is that site located? These questions are necessary as Nova Scotia has privacy legislation (PIIDPA) governing the transfer of personal information outside of Canada.

We use Heroku, a Salesforce app platform, to host our AppTree Cloud. Heroku is hosted on Amazon EC2. Currently, Heroku supports Amazon EC2 US and European regions meaning that the physical infrastructure used for the EC2 Elastic Compute cloud is located in the US or Europe.

More about Heroku: https://www.heroku.com/platform

More about Heroku data center regions: https://devcenter.heroku.com/articles/regions

We use Amazon S3 for file storage. S3 is also on Amazon EC2. EC2 started offering a Canadian region just a few months ago, so we can now host our S3 bucket in any region, including Canada.

More about EC2 regions here: https://aws.amazon.com/about-aws/global-infrastructure/

Our AppTree Cloud does not store customer data, so we do not back up customer data or store any customer data on media or cloud storage. When a mobile device requests data, the request goes through the AppTree Cloud on Heroku to the AppTree Connector, which is usually on the customer’s network; the connector then responds with the requested data, which travels back through the AppTree Cloud on Heroku to the mobile device. So encrypted data passes through the AppTree Cloud but is not stored, logged or written to a filesystem, and is therefore never backed up.

Our AppTree Cloud does store configuration and metadata about our applications in clustered Postgres databases hosted at Heroku. We use Heroku tools to back up these repositories.

Our use of S3 is for short-term cache only. We do not back up the data on S3 because it is not primary storage, and losing the data will have no effect on the app other than having to re-cache it. The type of data written to S3 is limited to cached lists and attachments. A few examples of this type of data are a list of work order status values or a photo of an asset that a user has taken with their mobile device. S3 file storage access is by encrypted API key, and data is transmitted to/from S3 via HTTPS/TLS 1.2. If customers have sensitive data they do not want written to our S3 bucket, they should make sure the list data is not marked as cached. Non-cached lists bypass S3 and go directly from the AppTree Connector, through the AppTree Cloud, and are deposited on the mobile clients.

The best way to comply with privacy regulations would be to not include personal identifying information in the data being used in the mobile apps.

QUESTION 2) Can the mobile app be configured to support authentication using the institution's on-premise directory and/or single sign-on (SSO)? i.e. users would log in to the app using their NetID and password. Dalhousie uses Active Directory and supports ADFS, CAS, and Shibboleth as SSO mechanisms.

Yes, we have direct support for CAS, Shibboleth and LDAP. When configured for external authentication through CAS or Shibboleth, the user is redirected directly from their mobile device to Shibb/CAS and then back to mobile. The authentication route doesn’t pass through the AppTree Cloud.

QUESTION 3) Is the data encrypted:

a. In transit between the end user device (ie the mobile app) and the cloud-hosted system (e.g. HTTPS) (this is usually considered "must-have")

Yes, 100% of all transmissions are HTTPS/TLS 1.2 encrypted.

b. At rest within the cloud-hosted system (i.e. database encryption) (this is usually considered "nice-to-have")

We do not store data on our AppTree Cloud. We do store data on the mobile devices. The data on the mobile devices is encrypted at rest.

AppTree mobile clients use Realm Mobile Database.

https://realm.io/products/realm-mobile-database/

QUESTION 4) A couple of questions specifically for AppTree, based on their architecture diagram:

a. Can the SDK/app server be hosted by the vendor instead of on-premise by the institution?

Yes, we can host the SDK. We use the Toronto-based hosting center Clarity for our Canadian customers.

http://www.claritywebhosting.com

However, for best performance and optimal security, we recommend deploying the AppTree Connector/SDK on the customer’s network.

b. Is data encrypted in transit between the cloud-hosted system and the institution's on-premise SDK/app server? E.g. HTTPS. (This would be a must-have)

Yes, 100% of all transmissions are HTTPS/TLS 1.2 encrypted.

When installing the AppTree Connector on the customer’s network, a 'secret' key is generated. This secret has to be registered with the AppTree Cloud, and the connector will then communicate only with the cloud. We ask our customers to block access to the AppTree Connector at the firewall to everything except the static IP addresses we provide for our AppTree Cloud. Between the firewall, the HTTPS in-transit encryption and the use of a secret API key, access to the AppTree Connector is kept secure.
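The two layers described above, a source-address allowlist and a registered secret, are easy to get subtly wrong in application code (string comparison of the secret, trusting a forwarded-for header instead of the TCP peer address). The following is an added illustration, not AppTree's connector code, of how a connector-side request gate could apply both checks. It assumes the secret is used as an HMAC-SHA256 key over the request body and carried in a hypothetical `X-Connector-Signature` header; the page only says a secret is registered, so the signing scheme, the header name and the allowlist addresses (taken from the TEST-NET documentation range) are all constructed for the example.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed example values: the cloud's static egress addresses would normally be
# the ones the vendor supplies; 203.0.113.0/24 is a documentation range, not a real one.
CLOUD_ALLOWLIST: List[ipaddress.IPv4Network] = [ipaddress.ip_network("203.0.113.0/29")]
# Hypothetical secret generated at install time and registered with the cloud.
REGISTERED_SECRET = b"example-secret-generated-at-install"
SIGNATURE_HEADER = "X-Connector-Signature"  # assumed header name


@dataclass
class Request:
    # source_ip must be the TCP peer address, never a client-supplied header such as
    # X-Forwarded-For, otherwise the allowlist can be bypassed by anyone who can reach the port.
    source_ip: str
    headers: Dict[str, str]
    body: bytes


def sign(body: bytes, secret: bytes) -> str:
    """Produce the hex HMAC-SHA256 tag the cloud side would attach to a request (assumed scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def source_allowed(source_ip: str) -> bool:
    """Second copy of the firewall rule: only the cloud's static addresses may talk to the connector."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUD_ALLOWLIST)


def signature_valid(req: Request, secret: bytes) -> bool:
    """Recompute the tag over the received body and compare in constant time."""
    presented = req.headers.get(SIGNATURE_HEADER, "")
    expected = sign(req.body, secret)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(presented, expected)


def gate(req: Request, secret: bytes = REGISTERED_SECRET) -> Tuple[bool, str]:
    """Return (accepted, reason). The reason is for the connector's own log, not for the caller."""
    if not source_allowed(req.source_ip):
        return False, "rejected: source not in cloud allowlist"
    if not signature_valid(req, secret):
        return False, "rejected: bad signature"
    return True, "accepted"


if __name__ == "__main__":
    body = b'{"list": "work_order_status"}'  # constructed sample request body
    ok = Request("203.0.113.5", {SIGNATURE_HEADER: sign(body, REGISTERED_SECRET)}, body)
    stranger = Request("198.51.100.7", {SIGNATURE_HEADER: sign(body, REGISTERED_SECRET)}, body)
    print(gate(ok))        # (True, 'accepted')
    print(gate(stranger))  # (False, 'rejected: source not in cloud allowlist')
```

The address check here is a defence-in-depth duplicate of the firewall rule the answer recommends, not a replacement for it: the firewall keeps unwanted traffic off the host entirely, while the in-process check protects against a misconfigured or missing firewall rule. Rejection reasons are returned for logging on the connector side; a caller should only ever see a generic failure.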

c. Are there any other software requirements for the SDK/app server, aside from the web server software (i.e. Tomcat or WebLogic, and presumably a Java JRE and a database JDBC driver)? Any other third-party components that would require separate licensing?

No web server is required. Everything is self-contained in the AppTree Connector, including the HTTPS server and the JDBC connection pool. The only thing we need on the server is Java JDK 8.

Our AppTree Connector is built using the Play Framework.

https://www.playframework.com
