Hi Robert,
Belated reply, sorry, and I would have replied directly but thought this may
be of interest to the list.
I don't know how other providers handle this but the current set-up with a
SOLUS App is as follows:
"The SOLUS server does not access any private user information in the LMS,
save for the user's name. When the user enters their login credentials into
the app, this is encrypted and sent to the SOLUS server which in turn uses
it to authenticate with the LMS. The communication to the LMS uses whichever
method has been made available by the LMS (HTTP, HTTPS/encrypted, SIP2,
etc.). Our preference is for this not to be sent in plain text, but we
work with whatever the LMS has provided. The LMS is normally only configured
to respond to this type of connection from our locked-down range of IP
addresses.
The SOLUS server neither accesses nor stores any private user data (e.g.
DOB, address, email, etc). The only information that our server retrieves
from the LMS is lists of loans, reservations and charges to send back to the
app which retains the information for that session. If the user closes and
re-opens the app, the information is retrieved again from the server and is
not stored in the application cache. The reason the system accesses the
user's name is to display this in the "Settings" tab in the app so that the
user can tell at a glance which account is currently logged in. Note,
multiple users e.g. parent and child, can use the App on the same device.
The only information that the SOLUS server retains is the user's borrower
number to match up borrowers to device IDs. This is necessary so that the
user does not need to log in every time they open the app, and to enable
push notifications to devices (our system needs to know which device should
receive which - if any - push notifications). Again, please note, push
notifications and GPS are opt in either on the device or App settings."
If you need further information, please do not hesitate to contact me.
Regards,
Neil
Neil Wishart
Director
Solus UK Ltd : James Watt Building : James Watt Avenue: Scottish Enterprise
Technology Park : East Kilbride : G75 0QD
Tel: + 44 (0)1355 813 600
Mob: + 44 (0)7779 296 088
email: [log in to unmask]
http://uk.linkedin.com/in/neilwishart
Skype: neil.wishart-solus.co.uk
Solus
www.solus.co.uk
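The arrangement Neil describes (app sends credentials to a vendor server, the vendor server authenticates to the LMS from a locked-down IP range, and keeps only a borrower-number-to-device mapping so the user need not log in each time) is sketched below as an added illustration. This is not SOLUS code: the LMS, its IP allow-list and the patron records are constructed for the example, and the opaque-token scheme for the borrower-to-device mapping is an assumption about one way such a mapping could be kept.

```python
# Added example of the credential-proxy pattern discussed in the thread.
# Not vendor code. The LMS, its allow-list and the patron records are constructed;
# the session-token scheme is an assumption, not a description of any real product.
import hashlib
import ipaddress
import secrets


class FakeLMS:
    """Stand-in for a library management system (constructed for this example)."""

    def __init__(self, allowed_range, patrons):
        self.allowed = ipaddress.ip_network(allowed_range)
        self.patrons = patrons  # borrower number -> full record incl. private fields

    def _check_source(self, source_ip):
        # The LMS answers only to the vendor's locked-down address range.
        if ipaddress.ip_address(source_ip) not in self.allowed:
            raise PermissionError("source IP not in LMS allow-list")

    def authenticate(self, source_ip, borrower_number, pin):
        self._check_source(source_ip)
        rec = self.patrons.get(borrower_number)
        if rec is None or not secrets.compare_digest(rec["pin"], pin):
            return None
        return rec

    def account_activity(self, source_ip, borrower_number):
        self._check_source(source_ip)
        rec = self.patrons[borrower_number]
        return {k: rec[k] for k in ("loans", "reservations", "charges")}


class AppProxy:
    """Vendor-side server: authenticates to the LMS on the app's behalf and keeps
    only borrower number <-> device ID, keyed by the hash of an opaque token."""

    def __init__(self, lms, own_ip):
        self.lms = lms
        self.own_ip = own_ip
        self.sessions = {}  # sha256(token) -> {"device_id": ..., "borrower_number": ...}

    @staticmethod
    def _key(token):
        # Store a hash, so a dump of the mapping table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, device_id, borrower_number, pin):
        rec = self.lms.authenticate(self.own_ip, borrower_number, pin)
        if rec is None:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[self._key(token)] = {"device_id": device_id,
                                           "borrower_number": borrower_number}
        # Only the display name goes back to the app; DOB, address, e-mail stay in the LMS.
        return {"token": token, "name": rec["name"]}

    def account(self, device_id, token):
        sess = self.sessions.get(self._key(token))
        if sess is None or sess["device_id"] != device_id:
            return None  # unknown token, or token replayed from another device
        # Fetched from the LMS per request; nothing is cached on the proxy.
        return self.lms.account_activity(self.own_ip, sess["borrower_number"])

    def push_targets(self, borrower_number):
        # Which devices should receive a notification for this borrower.
        return sorted(s["device_id"] for s in self.sessions.values()
                      if s["borrower_number"] == borrower_number)


# Constructed patron record; the private fields exist only to show they never leave the LMS.
PATRONS = {
    "B100": {"pin": "2468", "name": "A. Reader", "dob": "1980-01-01",
             "address": "1 Example Street", "email": "reader@example.invalid",
             "loans": ["Item 0001", "Item 0002"], "reservations": [], "charges": 0.0},
}


def demo():
    """Exercise the proxy and return the observable results for inspection."""
    lms = FakeLMS("203.0.113.0/28", PATRONS)       # documentation range, constructed
    proxy = AppProxy(lms, "203.0.113.5")           # inside the allow-list
    out = {"bad_pin": proxy.login("dev-1", "B100", "0000")}
    ok = proxy.login("dev-1", "B100", "2468")
    out["login_keys"] = sorted(ok)
    out["name"] = ok["name"]
    out["loans"] = proxy.account("dev-1", ok["token"])["loans"]
    out["wrong_device"] = proxy.account("dev-2", ok["token"])
    out["push_targets"] = proxy.push_targets("B100")
    out["stored_fields"] = sorted({f for s in proxy.sessions.values() for f in s})
    rogue = AppProxy(lms, "198.51.100.9")          # outside the allow-list
    try:
        rogue.login("dev-x", "B100", "2468")
        out["rogue_blocked"] = False
    except PermissionError:
        out["rogue_blocked"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The two checks worth noting for Rob's original concern: the proxy's own state never holds anything but the borrower number and device ID, and a caller outside the LMS allow-list is refused before any credential is checked. Neither point is a substitute for carrying the app-to-proxy and proxy-to-LMS legs over TLS.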
-----Original Message-----
From: lis-pub-libs: UK Public Libraries [mailto:[log in to unmask]]
On Behalf Of Robert Bleakley/urbreg/STHMBC
Sent: 09 December 2013 09:21
To: [log in to unmask]
Subject: Library Apps and Security Considerations
Hello All,
We're in the process of introducing a Library App for users of the service.
Clearly we need to be confident that our patron details remain secure and
some questions have been raised in relation to the security of the
connection between the App supplier and the library catalogue server,
particularly in relation to name, address, date of birth, phone number and
library membership number.
Whilst the authentication of the Library Patron to the App only requires the
membership number to be sent, this would be sent in plain text across
the internet. IT have raised a more significant concern relating to the
other patron information (listed above) that resides on the production
server, and the potential risk of this being compromised.
Have colleagues experienced similar issues when connecting mobile/app
services to their LMS? If so, what solutions did they arrive at to address
them?
Regards
Rob
____________________
Rob Bleakley
eServices Manager
Libraries Management Team
Chester Lane Library
Four Acre Lane
St. Helens
WA9 4DE
M.07940 007 227
T.01744 677813
F.01744 677114
Follow us on Twitter
___________________________
"This e-mail and any file transmitted with it are confidential, subject to
copyright and intended solely for the use of the individual or entity to
whom they are addressed.
It may contain privileged information.
Any unauthorised review, use, disclosure, distribution or publication is
prohibited. If you have received this e-mail
in error please contact the sender by reply e-mail and destroy and delete
the message and all copies from your computer. "