All right, so welcome again. First session of the day, going mobile, configuration and security. During this, well, let me go first to these objectives. So this is gonna be a session of 30 minutes, 15 minutes of very quick theory where I'll be talking very fast. And I hope you complain today in feedback saying Jaime spoke very fast today. Sorry about that. The thing is I need to pack a lot of things in this session. And it's more, I think, for you to have this session as reference that you can go through afterwards. In any case, if at one point you don't understand anything, please let me know. I will rephrase it during the exercise session or I will try to say it better. But during this session, what I'm gonna try to explain, it's basically what are the implications of going mobile? So you have already a DHIS2 implementation and you decide to add Android. And we're gonna try to see from different perspectives. In this first session, we will be talking from the configuration perspective and from the security perspective. At the end, you will have to do a quick exercise, proving that you understood why or how to set up some security measures. I think it's very easy, but the important thing is for you to know that when you implement Android, when you add Android to your implementation, there are big things that you need to consider. And during this whole week, we have been talking about how to set up the server, et cetera. This session is a bit more about how to project manage, maybe, or if at one point you become consultants for DHIS2, et cetera. This is a bit less on getting your hands dirty with setting things, but more to understand why or what you should be thinking about when implementing DHIS2 with Android. I have divided this session, as I was saying, in two main parts, basically, and they will be overlapping. The first thing I'm gonna be talking about is offline data entry, what does it mean? And then security.
What I said, don't think that these are silos or isolated contents because they will be overlapping, but it's the way I thought it could be easier for you to kind of understand or have two ways of thinking. So, let me go here. The first group of offline data entry, if you know, or if you didn't know, and I will ask you to do it eventually during the session, you have been using the application the whole week and probably you were having connection. You were having either Wi-Fi or you were having 3G connection. Maybe you didn't realize, but if you could have, I mean, if you could have turned the Wi-Fi or the data off. Sorry. Excuse me one second. I need to cough very hard. We are destroying you with all this session. Sorry, I'm not ready for so much talking. So, what I was saying is that one of the main reasons that this application, so Android application was built is to allow offline data entry. And this means that you can turn the Wi-Fi off or 3G off and you will still use the application. So try during this session, eventually turn it off and see how you can still use the application. And this makes the application very cool because you can have now people going to collect data to facilities, to schools, wherever, where you might not have connectivity, but because of this, the moment that this concept enters, we have many things to consider. And these are some of the points that I have put here that we will be covering quickly, but it's important to know that if you want to work offline, you need to perform some things that is what we're learning. So basically offline data entry, your devices might not have data connection. And you will see how is my application gonna work if I don't have data. This is the key thing. Android application, what it's gonna do is gonna download all the information that it might use. And please note that I'm using the word might.
This means that if you set up wrongly your DHIS2 server, because you say, okay, this user will be assigned to the whole country. Android, the device will say, okay, I have been assigned with this user the whole country and I don't know if he will be in the north part of the country, in the south, or where he or she will be. So I'm gonna allow this information. This has a big impact because you have to download many, many things. So first of all, we're putting a lot of information in the device that might use or might not use. But on top of that, you need to have as well, and here we're overlapping the two concepts from security perspective. Now this device will contain much more data than probably will be needed. And this poses a security problem, okay? So just that's it. The last question, try to limit the scope, the programs and the data sets that the user will be using, because if you don't do this, a lot of data is downloaded on the phone. And this implies, apart from security, you are misusing or using wrongly the resources you have. Here, it's something that was briefly covered yesterday. On the right side of the screen, you see the refill. And on the left side, you see the amount of the default values. Basically, what I'm trying to say here is that your Android devices, they read a configuration from the server, as Milagros was explaining yesterday. And this information tells the Android how much data I need to download. So for one side, we are setting the programs, the data set, et cetera, but then we need, so that's the metadata, but then we have to put the content inside, that's the data. So by default, just for you to know that Android will be downloading 500 TEIs and 1000 events. And on the right side, we see that we will have 100 reserved values. This limits the amount of information I will be able to put in the system.
So if just to make a quick comparison, imagine you are sending someone on the field to collect data and you give this person three sheets of paper and this person is gonna be out for one week. Probably with three pages, he or she will not have enough. So you need to make sure you give this person many more papers so they can perform their job. With Android it is a bit similar. We can tweak these values and we need to do it depending on the setup. I will not go through examples, but just have this in mind that if the person will be offline for more time than other people, maybe we need to adjust these values. Another thing that usually poses problems is when you try to use auto IDs. So auto-generated IDs. And this, it's a bit complex. I'm putting you down here a reference, but because Android, again, it's gonna go offline and you don't know when this person will be entering values. When you use generated IDs that have, for example, current date parts, they might not work as you expect. Very quick example. I'm gonna go here to the last part. Please pay attention because this goes in the exam. Here, look what I'm saying. I'm generating a value. This, for example, you might be registering patients that have COVID and here you are trying to put current, these patients should have a unique code that is the current date, year, month, and day, and sequential from zero to 99. If this sounds a bit weird, don't worry, basically what I'm trying to say is like a generated ID that contains the specific quarter. Android is gonna connect to the server and it's gonna request values, but Android doesn't know if you're gonna be entering patients today, tomorrow, in one week or in one month. So if you realize here, I'm putting years, month, and date. So today is the 3rd of December of 2021. This is from last year, sorry. And it will generate, Android will say, listen, I cannot know if you will be entering values today or tomorrow or in three weeks. So I'm generating everything for today.
So it might not work as you expect. If this person goes offline and tries to register values tomorrow, Android will say, I'm sorry, I have run out of values because all the ones are from yesterday and I don't have values for today. I'm putting here a reference that is very well explained. It is just for you to have this in mind when you set up a system, that this might not be the ideal way of generating values. And this is something that changes a lot from using web and from using Android because in web we're always working online. People have connectivity. In Android we might not have connectivity. And another thing to know is that Android, despite I've told you that you can remove your data connection or your 3G, your data or your Wi-Fi connection, at the moment you can use the application but of course you cannot synchronize because in order to synchronize you need to reach the server. Important to know that you can synchronize by SMS. It's not covered here. I'm putting more references here that you can use in case you need, but it is good to know that with your devices, if at one point you're going to places where there will be no Wi-Fi and no connectivity at all, you could still synchronize by SMS. If you're syncing TEIs it might require several SMSes per TEI but it's a possibility and Android application can do it. I know I talk about maybe blur concepts. I hope I managed to just meet you that there are big trick perks into setting for Android or not anymore, and now we're gonna talk quickly about security and unfortunately I think the session should be much longer but I don't have the time. Yes, wanted to mention that when we talk about data security we talk mainly about these three which are confidentiality, integrity and availability. Reviewing them very quickly, confidentiality means that you want to transmit information and you want this information to reach only the person. So I want to send a letter to my mom and I want her to be the only one reading the letter.
That's what we call confidentiality. Integrity is that this information needs to be authentic, if I have written a letter and I have put a lock in the envelope. For example, I want that my mother sees the letter but I want her to read the letter I wrote. So that's what we call integrity. Nobody can mess with the message. And availability is that information needs to be available when it's needed. So I'm sending a letter to my mother and I want to let her know that I'm arriving tomorrow. If this letter does not arrive tomorrow but in three weeks, doesn't make sense this letter. So that's the three concepts very quickly explained in terms of data security, but we cannot talk about data security without mentioning these concepts. Again, this is something that I'm hoping that you will need in case you become more like an implementer of DHIS2 more than a person setting the system or you become a project manager. Just for you to have these concepts in mind and for this, I have prepared a quiz that we don't have the time to do now but I'm gonna take, for example, this last, well, this question here in the middle. I know I went in 10 seconds to this concept but for example, imagine you have set up a DHIS2 system and your database on your server gets corrupted but you have backups. I'm giving you five, 10 seconds to think if you think that this means that it has an impact in confidentiality, that it has an impact on integrity or it has an impact in availability. I give you five, 10 seconds, if you want to open your mic, microphone and talk, say it. If not, I will read the chat. I have one answer, integrity, someone else. All three, two, one, go. So no, thanks for participating in the case. In this case, our concept being impacted is availability. If you think about it, the confidentiality, exactly, it's availability, thanks. Confidentiality is not because nobody accesses this database, nobody has read the information.
Integrity, this database, nobody read on the confidentiality. Integrity, the database is still there because I have my backup. The problem is availability. The moment my database is corrupted, I cannot have DHIS2 running. So my impact is in availability. So I need probably to restore the server and this is gonna take one day, one week, whatever. In any case, this is a quiz that I'm putting you here. What I would like you to do, I'm gonna say this weekend because I don't want people to work in the weekend, but maybe next week, when you review the slides and giving you the answers at the end of the session, but maybe you want to quickly go through it and try to analyze. I think it's a good exercise in case you need to assess at one point DHIS2 implementation. Again, this is not a course on security, but I think this principle, which is what we call the triad, the CIA, these three principles are the ones that you need to think of when doing an assessment or implementing DHIS2. My only thing for you to remember if you want to forget the 15 minutes I've been talking is that when you implement Android, please understand that it has a huge impact in the security perspective. Remember that, if you remember that concept, I'm happy. And this is basically because what I was saying before, when people are working on the web, you have one laptop connecting to a server and you put all your efforts in your server, which might be better efforts or worse efforts, but you put the efforts there because we are taking mobile phones and they're going out there and we said that the phones have all the information they have, they might have. This is exposed. If I lose my phone, someone could access my phone, et cetera. So we need to protect this data. So now I cannot put the efforts only in the server. I need to put also in these devices. And these devices, there are many different devices. Everyone has different phones with different requirements. So this makes it very complex.
I'm saying here that we need to do this because we care about data security. It really depends on the project. Sometimes you will be collecting information that is very sensitive, but it's not because you care. Sometimes in different setups, you might be obliged by the law in different countries. If you're collecting medical data, you need to ensure a level of security. And this is something that you need to check because I don't know, of course the legislation of any country, to be honest. Basically that's it. I'm gonna quickly finish with this, that we are doing our part by following this security framework that we call OWASP and it has the impact on this thing sampling here. That's the reason basically you cannot take screenshots with your phone because following this framework tells that we should not let people take screenshots so they cannot share sensitive information. There are other things here. I will not cover it because I don't have the time. But this is what we could do and we have done it. Now it's up to you to make sure you secure your implementation. And for this, there are things you can do on the phone. For example, by setting a pin code and this is something we're giving you in the application. You can set up a pin code on the application but you can also set it on your phone. I'm sure most of you have already a pattern or a fingerprint in case you have a phone that reads fingerprints, whatever. But we also provide you to do this within the application. And also you need to set up the server to make sure that this security level is increased. And for this, what you should do is grant always the minimum permissions and the minimum scope. I can think that this device will go out on the wild. And if I have downloaded more data here, enlarging the scope of or the architecture if you wanna talk with security terms. That's it. Let's secure our implementation. I think I have one more slide. I'm gonna go over it quickly. Let's see. Yeah, okay. Sorry. 
So as you see, the slide that is coming afterwards is the one with the solution to the test. If at one point you wanna go through the test, please go. I think it's a nice activity. But let's secure our implementation. Let me stop share. And I will start sharing now the one with the exercise. One second, please. Okay. Screen. I'm using question to unlock, there is one. Do you have time at this about, would you please explain again about integrity, security and availability? I don't know if you have time, maybe, yeah. I'm gonna go through the exercise and then I will answer that question, okay? Because it's very quickly explained. And then I will answer that question. So in this exercise, I was telling you, let's secure our implementation. I think that's the last thing my last sentence was, oh no, don't look at the screen. Okay. Let's secure our implementation. What I'd like you to do now is to make sure you can put in practice these concepts I was talking about. And basically this is the heading of the exercise. After the whole week working with Android and setting your server, I'm telling you that we have reached the finish the end of the campaign. And you have been all assigned a user that we call ST001 or zero or whatever. So this user is no longer gonna collect COVID data. It's not gonna go out there to collect patients, but you still need to do some work with this device. So these phones are still need to, they still need to be able to see the patients you entered, but you don't want to let the user create more patients. So for this, you need to do two things. Well, and we consider that this phone, the scenario is going out there on the wall and you are scared that people can lose their phones and then someone could access the phone and read these patients with COVID that they have been received the phone. So what I'm asking you in this scenario, fictional scenario is to secure your implementation. 
And by this, what we would like you to do is to convert this Android user that you have been using the whole week into a read only. So this person can only read the data. And sometimes it's called a manager or an access in some implementations that I have been working with. And also I want you to put a pin code on the application. It's very easy to do these tasks, but I think it will allow you to go through these concepts a bit. Here is the example, what you have to do. If you see on the left side of my screen, in this one, this screenshot I took from my phone, you can see that I create this here. You can see I have clicked here and you cannot see down there, but I have my keyboard and I could type. While on the right one, I cannot, it's a read only. And this you see the fields are a bit like grayed out. So what I'm asking you is to convert, to pass from the left side to the right side. And for this, you need to change your sharing settings on your program like I'm putting here. The exercise, and also you need to limit the scope that I'm putting here. So there are four things you need to send. So a document with four screenshots. The first one is, and this something that some of you already did on the first day. Some people did not do, but we want to make sure you assign the user to only that organization unit, that you send an image with your new sharing settings. So I see that on the server, you have set it up properly. On the other hand, I want another screenshot of your Android device where I have, so you perform here, so I'm changing the server. The device retrieves the new with some metadata sync. So you will see that it becomes gray. And the last screenshot you have to provide is a screenshot with the new screenshot. You can see the pin code on your application. Not on the phone, but using the DHIS2 capability of setting a pin code. That's the exercise. I'm gonna be here for the next minutes. I'm gonna answer another question you asked. Well, that's it.
I think it's easy. If you have doubts about the exercise, let me know. If, I will give a recording until the end of the four minutes. So let me go back here. I don't know who asked, thanks for the question about the confidentiality, integrity and availability. I know I went through them very quickly, but basically when we talk about data security, most of the books, most of the information we will find, they refer to data security with what is called the triad of data security, which is CIA. Some people add another fourth thing, which is called non-repudiation, but we will not talk about it. Basically, these are three concepts that have been discussed and have been decided that are the main pillars of data security. And we have confidentiality, integrity and availability. With each of these concepts, we look at the problem of data security from different lenses or different points of view. The first one is confidentiality. And confidentiality, I'm gonna read the concept here, is that the information needs to be accessible by only those that the information was designated to. Rephrasing it, it means that I want something to be confidential in this domain of data security. I'm talking usually about data, IT data, so patient's data or, yeah, patient's data, as soon as data we talk about the education domain. And I want this information to be only accessible by those that the information was assigned to. So imagine I'm registering patients, I want only the specific doctor to be able to read the information about this patient. That is what we call confidentiality. If I tell someone a secret, I am the person creating this information and I'm sharing only with another person. I'm trying, well, I'm talking here about confidentiality. I have a secret and I share with this person. That's confidentiality. The second concept is integrity.
And it's that this information needs to be authentic, real. It needs to reach the person or the agent that the information was designated to, the same way that it was created. So I'm going back to the medical example. I have registered a patient and I say, okay, a patient came with COVID today. He's a male, 32 years old, has AIDS and has had surgery in the last two years. I'm putting and compiling this information. I'm keeping it safe, secret, confidentiality. But when I go back to this information, I want this information to be the same. I want this information to say, this was a patient male, 32 years old, with AIDS, et cetera. If when I read this information, it says it's a female, 18 years old, never had surgery, my integrity of the information is broken. So someone has changed this information. So that's the integrity. So I need to make sure that the information remains the same when I move it from one place to another one or when I transfer or when time passes. If I go back now to the example of the secret, if I'm telling someone a secret and I'm saying, I am gonna drink two beers tonight, I want this person to receive this information. So I don't want him to understand I'm gonna drink two teas tonight. I said two beers, that's integrity. The information remains the same within time. And the last part is availability. And availability means that this information needs to be accessible when I want it, when I need it. Medical example, this doctor goes now to his or her files, opens the filer, takes this thing. It says, we said we're talking about a patient male 32 years old with AIDS and surgery in the last two years, I think I said. The information is there, that means availability. If when I open my drawer, my filer, the information is not there, I have broken the concept of availability. Imagine that this paper has been destroyed. So confidentiality still could be because nobody read it, hopefully. Integrity is authentic, nobody changed.
So I'm not reading wrong information, but the information is not there. This slide is not there. If I go back now to the stupid example of me going out tonight and having two beers, if I'm putting a note here for my, for the person living with me, and this paper flies away because there's a queen in my house, the person that the message was supposed to be intended to be cannot read it because the information is not there. Those are a bit the concepts. If I'm already over time, just to mention that the last one is called non-repudiation. Ah, sorry, I'm reading something. An organization, it's another concept that some people consider and means that if I create information for someone and this person said he received it, later on they cannot say, I did not receive it. That's what's called non-repudiation. But the main ones that everyone agrees on is CIA, confidentiality, integrity, availability. So with these concepts, I quickly explain, you could go to this quiz and say, okay, if my DHIS2 server is down due to a network electrical issue, which of the three concepts is impacted? So these concepts I want you to do, there's nothing in the sum, this for you in case you find data security amazing and you want to invest in time, I think there are some questions that you could think of. That's it, I'm a bit over time. I hope I answered the question of where we're asked. Thank you for asking. I'm gonna stop sharing and I'm gonna stop recording.