Page Comparison

Bridge will store encrypted study data in a combination of AWS DynamoDB and AWS Simple Storage Service (S3).  The only unencrypted data stored in either system will be the study participant ID, the study ID, the ID of the data module (defines the data schema), and the time the data was captured, stored in Dynamo for each time point at which data is collected.  This allows Bridge to support time-range queries for a user to retrieve his / her own data.  This will allow clients to build complete histories for customers, even if data is collected from multiple devices / interfaces.  Large binary study data such as voice recordings, and bundled uploads will be stored in S3, using Amazon’s server-side encryption. Amazon manages the server-side encryption transparently for us.  It currently uses 256-AES-GCM.

...

Certificate pinning can be beneficial at two places.  One is where the Bridge servers calls Stormpath.  Current implementation relies on the Java 7's trust store to authenticate Stormpath.  For better security, we could pin Stormpath's certificate.  The other place is where the mobile client calls Bridge.  Bridge server's certificate could be pinned to reduce the risk of man-in-the-middle attacks. This improvement is being tracked by BRIDGE-369.