Security Risk Assessment - Medisana/vitadock-api GitHub Wiki

As a third-party developer, you might be interested in the security measures that protect the data of the VitaDock Online User and the data transfer between your application and the VitaDock Online User. For VitaDock Online, a public security risk assessment document (FMEA, Failure Mode and Effects Analysis) is available on request. It mainly discusses the state-of-the-art “Open Authentication” protocol and its application to VitaDock Online.

Besides a general risk assessment, the FMEA also provides a number of recommendations for security on the Consumer side. When starting development of a Consumer, you are advised to follow these guidelines. While we cannot check all client implementations, we might revoke your application registration if there are serious failures to meet the standards given in that section. We will provide you with an overview of best practices here shortly.

Further security measures are enacted on the side of VitaDock Online (e.g. hashing of passwords), which are not publicly available. The measures satisfy standards given by large hosting companies like the German “Deutsche Telekom”.

The figures below show an overview of the security assessment of different parts of VitaDock Online and its connected components. Figure 1 examines the possible threats to the server/client communication. Figure 2 examines possible problems of the user interface where the login data is entered. Figure 3 examines security threats directed at the mobile phone (or the desktop application) itself. Finally, Figure 4 examines threats to VitaDock Online itself.

  • The round blue shapes describe the type of attack
  • The red rectangles describe the possible consequences
  • The green rectangles list the implemented countermeasures that are used by VitaDock Online and its components
  • The diamond shapes describe the level of sophistication of an attacker:
      • Amateur: Anyone who can use a computer and might have read in a forum about a possible way to attack the system
      • Professional: A well-versed individual who has put significant effort into studying the server structure and/or protocol
      • Organization: A number of professionals with large computing power
      • Government: Some attacks are only possible with significant resources and a number of experts


Security threats client / server

Figure 1 - Security assessment (communication)

Security threats user interface

Figure 2 - Security assessment (web interface)

Security threats mobile devices

Figure 3 - Security assessment (distributed applications)

Security threats server side

Figure 4 - Security assessment VitaDock Online