Student Developed applications are a special subset of the applications that use the Campus API Gateway. To submit a request to access APIs for a student-developed application, please see the API Access Request page. To ensure the safety and security of the data provided there are some special considerations for applications using APIs. These considerations include:
Must Display that it's not an Official UCSB Application
Your application will need to display someplace within it that it is not an official UCSB application. This just needs to be some brief text noting that it is not an official UCSB application.
- For Mobile Apps: This should be noted in the Description of the application within the store (iOS App Store, Android App Store, etc). And, on the application loading screen.
- For Web Applications: This should be noted in the footer of the site, or within an About page description.
- For Browser extensions: This should be in the Description within the store (Google Web Store, Mozilla Add-ons, etc). And, within the About description of the extension.
In general, all credentials, either for the Campus API Gateway or other services, need to be securely stored, protected, and used. To do this, Secret Keys, Passwords, and Secure Credentials need to be:
Not Included in Source Code Repositories
Keys and Secrets should not be checked into source control systems. One of the easiest ways to expose a secret is to accidentally check it into a new GitHub project. GitHub provides a service that notifies interested parties when new repositories are created. Groups (both black hats and white hats) monitor the creation of new repositories and race to scan the source code for secrets and passwords. In general, if a secret key is exposed through an accidental check-in it will be recorded by a malicious group; even if they don't have plans to use it right away. The safest thing to do is be mindful of storing your applications' keys and secrets in files that are assured to not be checked into source control. Two common ways to do this are:
- Use a password safe. (Preferred) These are external services like AWS KMS, Azure Key Vault, Google KMS and there are many more.
- Use a source control ignored file. Often it's easy to just create a file on disk within your source code and simply add that file to your .gitignore list (or your preferred source control's .ignore file).
Encrypted at Rest
Wherever your Keys and Secrets are stored, they should be encrypted. This is a requirement for both the keys and secrets that you use in local development and even more important on any keys or secrets that will be shipped with your application. Mobile applications are very susceptible to be downloaded and decompiled to their original source code; when a secret is stored within the compiled source as plain text it becomes very easy to retrieve. There are many ways to do this:
- Use a password safe. These are external services like AWS KMS, Azure Key Vault, Google KMS and there are many more. This isn't always the easiest thing to do as you have to securely identify your application to the password safe; and how do you secure that password? This works much better in environments where the credentials of the applications are on the system and passed seamlessly in the background to the password safe.
- Inject the password into environment variables. Some deployment systems, like Heroku, Kubernetes, Azure Web Apps, AWS Configuration and more have ways to safely store your applications' passwords and secrets outside of your application and they will inject the values as runtime environment variables to solely by used by your application.
Shared through Secure Mechanisms
So, you've ensured you are securely storing your secret for your development and kept the secret safe in the running application, but now a new developer comes onto the project and you need to share the password with them. How do you share it securely?
- DO NOT SEND YOUR SECRETS OVER EMAIL. Get in the habit of never putting any sensitive information into emails.
- Use a password safe. These are external services like AWS KMS, Azure Key Vault, Google KMS and there are many more.
- If a password safe isn't available, ensure the mechanism you are using to share the secret uses some form of login to authenticate the person that will retrieve the secret. Try diligently to encrypt the password within the shared location, and delete the shared secret once the recipient has retrieved it.
All communication from the client through your applications services/servers all the way to the Campus API Gateway needs to be encrypted (encryption in flight). In general, this is provided by using https to make web service calls. Purchasing SSL certificates is pretty inexpensive and provided by many cloud providers (Heroku, AWS, Azure, GCP). You can also use Let's Encrypt to get free certificates.
Student Credentials (Google OAuth)
Student developed applications could provide some student-specific data to the logged-in user. When the user is a student, the applications will need a safe and secure way to ask the student to authenticate themselves to the system and the application will need to provide those student credentials when making calls to the Campus API Gateway. For more information on this please see Security - Google End User OAuth.
Detailed instructions to request an application for use with the Campus API Gateway can be found on the API Access Request page. However, when a student application has requested access to APIs that require access approval a few special considerations need to be taken:
Sponsorship by a UCSB Faculty Member or Associated Students
Student applications must be sponsored by UCSB Faculty Member or the Associated Student office. This ensures there is an entity on campus that has reviewed your applications idea, and is taking the responsibility of performing periodic security reviews to validate that the application follows required security standards and the data is used appropriately.
Open Source Projects Only
This ensures that the Campus API Gateway team can audit your source code on a periodic basis. The campus wants to ensure that security best practices are being followed and have auditable evidence that the campus' student data is being used appropriately and securely.
Regular Security Reviews
To ensure the applications are following security best practices and that the campus' student data is being used appropriately and securely, regular security reviews will be performed by the Campus API Gateway Team or a designated delegate. These reviews may also include follow-up meetings where discussions about lists of improvements and application roadmaps may be developed. As a project shows long term stability the frequency of the security reviews may become lessened.
Contact person that will be responsive to requests for information
All applications (student and otherwise) are required to have a person or group of people who will be responsible to keep up communication with the Campus. This is necessary to ensure that if there are concerns about the application, its security, or its use of data they can be addressed and remediated quickly.
Servers and Resources used with the application must be in the United States
All servers, services, and resources used to host and provide the application need to be running in the United States. This ensures we don't have to worry about unexpected legal responsibilities that we are not tracking.
Student Information Must Not Be Stored
The student information provided by the Campus API Gateway is expected to be used for immediate processing and display to the students. Do not store or distribute the data in any way.