Security is one of SANDBOXX’s number one priority.  We are vigilant in hardening all software components to protect our users from attacks and threats. SANDBOXX’S security infrastructure is built with many risks in mind, including those made by human error.

In a world where mobile apps, social media and the military community converge, the gravity of proper security design is paramount. The rise of cyber threats and ignorant use of technology are merely natural extensions of human nature. Luckily we, the Red White and Blue, have THE BEST security engineers and security architects in the world. These men and women work for our government and public/private organizations such as Amazon, Google, Endgame and the United States Cyber Command. They expend immense resources keeping our nation and the rest of the world safe on a massively global scale. Sandboxx is one of these organizations.

Before we get into details, a little acronym’ing for those new to these terms. For you seasoned SECs’ers, scroll down to Sandboxx’s Security below.

PII

As defined by Title 44 of the United States Code: “Personally identifiable information is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.”

Example: Your name and credit card on the restaurant’s receipt from Tuesday’s lunch.

friend request.jpgOPSEC: Operations Security

As defined by Defense Technical Information Center: Operations Security is a term originating in U.S. military jargon, as a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.”

Example: Your route to Tuesday’s lunch.

PERSECPersonal Security

Focuses on protecting information such as PII.
Example: Refraining from publishing a selfie with your location on Twitter.

INFOSEC: Information Security

As defined by Title 44 of the United States Code: – Information Security, sometimes shortened to InfoSec, is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. It is a general term that can be used regardless of the form the data may take.”

Example: Tuesday’s lunch crowd, typically…

Most non-technical folks think PII and security vulnerabilities/failures live within remote mountain server locations or involve hackers at your local coffee shop out to steal your credit card information. As much as a good conspiracy captures our minds, the majority of problems are actually caused by ourselves.11x17 OPSEC officer.jpg

As a nation, we have come a long way with technology and education to mitigate these risks. Nonetheless, humans are prone to making mistakes and operate under faulty assumptions about information, the platforms we use, and how data is stored and used. We must think ahead about how our actions and information may affect us in the future. Practice prudent, safe SECs!

Sandboxx’s Security Priorities:

The following are our top priorities:

M1 – Weak server side controls

M2 – Insecure data storage

M3 – Insufficient transport layer protection

M4 – Unintended data leakage

M5 – Poor authorization and authentication

M6 – Broken cryptography

M7 – Client side injection

M8 – Security decisions via untrusted inputs

M9 – Improper session handling

M10 – Lack of binary protections

mobile-apps-policies2
SANDBOXX Security

In-App Security 

Device is lost/stolen?

  • Data at-rest is encrypted and obfuscated using military grade encryption algorithms

Packet Sniffing

  • Device connects to the cloud using TLS (Data link connection)

Man In The Middle Attacks

  • Packets are not attributable – Instead of user’s email, we use a long user id (GUID)

Identity Theft

  • All data integration with other services happens on the backend
  • All payment information is stored on third party gateway (Stripe/PayPal – PII and PCI compliant)

In-App Privacy

Private By Default

  • All user data, posts, likes and comments are private by default

Self-Policing

  • User can view another user’s profile only after they connect, which requires a two way handshake

Data Masking

  • User addresses are masked to protect them from location specific information

Location Agnostic

  • All geotags are removed from pictures posted on the app

Content Moderation

  • Inappropriate content can be reported which will be removed from the system after verification

PCI Compliance

  • Stripe/PayPal have been audited by a PCI-certified auditor, and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available.

API/Database

Data is securely uploaded/downloaded to our servers via SSL endpoints using the HTTPS protocol.

Only object owners have access to data resources.

We use Server Side Encryption (SSE) to encrypt data stored-at-rest. Our server provides the encryption technology for both SSE and SSE-C.

Our servers are SSAE-16 cloud security certified.

Our servers have built in protection agains Query Injection, Cross Site Scripting and Cross Site Request Forgery.

 


SANDBOXX is a mobile app focused on connecting our military community.
Army | Navy | Marines | Air Force | Coast Guard

About the Author SANDBOXX

SANDBOXX is a mobile app focused on connecting our military community. Army | Navy | Marines | Air Force | Coast Guard

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s