AppsInCare’s security challenges
AppsInCare's flagship product, Communicare, is an Android-powered tablet relied upon by vulnerable people. Primarily it shows them when a carer is due to visit, and provides information on that carer including a clear photograph. It also contains secure messaging capabilities.
The vulnerability of its users presents particular challenges from a security perspective. If user privacy were to be compromised in any way, for example through data leakage, it could have particularly severe consequences for those affected. And reliability is enormously important too, because customers depend on the system for reassurance. If an attack were to result in service interruptions, it would cause genuine distress.
“One of the most important things that Communicare provides is a photo of the carer who is about to visit. For those with cognitive impairment such as dementia, that is essential for their knowing whether it’s safe to open the door to a caller.”
The system also allows office staff to send important messages to clients, which could be highly personal in nature. It is therefore clear that interception or spoofing of that data would represent a serious threat.
It was important to AppsInCare that the tablet provided to the user could only be used to run the Communicare app, and that it could only boot into Communicare when powered on.
The need for DAST and SAST
Communicare’s developers quickly recognised the need for careful security testing and recommended Conseal Security to AppsInCare’s management.
To director Melanie Cohen, the need was twofold. “Primarily we needed to make sure that we were doing everything in our power to protect our customers, for whom a breach could be life-changing. We also, of course, needed to protect our own business’ reputation against such losses”.
It was clear that Conseal’s specialism in mobile applications was a close fit for her security testing needs, as the system comprises an Android app for its users, a web app for administration and a Firebase-powered back end.
Some of Communicare’s security challenges could be audited using standard penetration testing and Dynamic Application Security Testing (DAST) techniques. But many could not, and so code auditing (Static Application Security Testing, SAST) was needed too. Again, this fitted perfectly with Conseal’s code-first approach to security, and the fact that it has fully qualified app developers in-house.
Testing as part of the development pipeline
The first full security audit of Communicare was performed by Conseal on a near-complete product. Despite the short timescales involved, Conseal was able to deliver results in good time.
Since then Conseal’s audit has become a standard milestone towards product release. Each time a product change is made, Conseal inspects the code differences and tests only what is needed as a result. This keeps the audit both time-efficient and cost-effective.
When new vulnerabilities are disclosed, Conseal recommends any additional tests that should be performed. And once a year, Conseal re-tests the entire product to guard against unexpected changes.
Conseal’s CTO Tom Colvin says, “We continue to enjoy a good working relationship with AppsInCare and have been able to scale our testing as their product and business have grown. In common with all our customers, we try to integrate ourselves as closely as possible with the development pipeline, which in this case involves prodigious use of Trello, Jira and Bitbucket. This gives us a good line of communication with the team which allows for a quick turnaround.”
Regular testing has given Melanie the confidence that Communicare can enhance her customers’ experience of care without any security-related downsides. She says, “A significant value of the Communicare product is in providing reassurance and safety to our customers. We therefore needed complete confidence that nothing in the product was going to undermine those values, and I’m pleased to say that Conseal’s efforts provide that peace of mind in a very effective package. Their reports are always clear and provide easily actionable points, and our development team is able to address them without any difficulty.”
Since engaging Conseal, AppsInCare has experienced no known data breaches and no known tablet hacks.