Updated 1/23/2023
BlkBag apps leverage the most cutting-edge security and development methodologies for our mobile apps. We adhere to the National Security Agency ("NSA") NIAP certification standards, a standard for security to protect classified data within the Department of Defense. We meet and exceed HIPAA requirements for all BlkBag apps.
Your phone is an endpoint that will have patient data on it, and we do everything possible to protect that data.
Zero Trust isn't just a buzzword; it is the core of how BlkBag apps work. When you log in to a BlkBag app, it uniquely identifies you and the device. Every request after that is authenticated with the Dedicated Security Component ("DSC") on your phone. This identity is immutable, globally unique, and can be used to prove who performed what actions on a piece of data.
On the mobile device, BlkBag apps leverage AES-256 encryption for data at rest, provided by the device. The apps are configured to use encryption at rest. The SQLite databases within the apps themselves are encrypted using a series of key encryption keys. To do this, all app users must have at least a passcode configured on their device and a device with a dedicated security component ("DSC"), which all iOS and most modern Android devices have. Failure to have a device with this configuration means the user will be unable to use the application. Removal of the passcode protecting the phone will delete data from the application.
When a user authenticates into a BlkBag app, a few encryption elements are generated. A 256-bit encryption key and a 128-bit initialization vector are generated that will derive the key encryption key master key.
The BlkBag app then leverages a dedicated security component ("DSC"), the Secure Enclave Processor ("SEP") on an iOS device and the Trusted Execution Environment ("TEE") on Android, to encrypt the key encryption key master key. To accomplish this, the app asks the DSC to generate an Elliptic Curve key ("EC") within the SEP and an RSA key ("RSA") within the TEE. These asymmetric encryption keys are then used to encrypt the key encryption key master key for storage within the iOS or Android keychains.
To perform decryption of the key encryption key master key, the user must perform biometric or passcode authentication with the application. This leverages the device's built-in biometric or password authentication. Once the DSC has been unlocked, the encrypted key encryption key master key is taken from the keychain and decrypted with the DSC. The output key is then fed into a PBKDF2 algorithm, leveraging SHA-512 hashing and 200,000 iterations.
Raw data, like photos, is encrypted leveraging the device-provided full disk encryption.
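The unlock flow described above, as an added example that is not BlkBag's code: a wrapped master key can only be unwrapped after user authentication, and the result is stretched with PBKDF2-HMAC-SHA512 at 200,000 iterations. `SoftwareDSC`, the keychain dictionary, and the use of the 128-bit value as the PBKDF2 salt are assumptions made for illustration; a real DSC wraps with a hardware-held EC or RSA key.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # iteration count and SHA-512 are taken from the page


class SoftwareDSC:
    """Constructed stand-in for the SEP/TEE. A real DSC wraps with a hardware-held
    EC or RSA key; this toy HMAC-SHA256 construction only models the gating."""

    def __init__(self):
        self._secret = os.urandom(32)  # never leaves the "hardware"
        self.unlocked = False          # set after biometric/passcode success

    def _stream(self, nonce, length):
        blocks = (hmac.new(self._secret, nonce + bytes([i]), hashlib.sha256).digest()
                  for i in range((length + 31) // 32))
        return b"".join(blocks)[:length]

    def _tag(self, nonce, ct):
        return hmac.new(self._secret, b"tag" + nonce + ct, hashlib.sha256).digest()

    def wrap(self, key):
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(key, self._stream(nonce, len(key))))
        return nonce + ct + self._tag(nonce, ct)

    def unwrap(self, blob):
        if not self.unlocked:
            raise PermissionError("user authentication required")
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, self._tag(nonce, ct)):
            raise ValueError("wrapped key failed integrity check")
        return bytes(a ^ b for a, b in zip(ct, self._stream(nonce, len(ct))))


def enroll(dsc):
    """At login: generate the 256-bit key and 128-bit value, keep only the wrapped key."""
    master = os.urandom(32)
    salt = os.urandom(16)  # assumption: the 128-bit value serves as the PBKDF2 salt
    return {"wrapped_master": dsc.wrap(master), "salt": salt}  # hypothetical keychain item


def unlock_database_key(dsc, keychain):
    """After user authentication: unwrap the master key, then stretch it with PBKDF2."""
    master = dsc.unwrap(keychain["wrapped_master"])
    return hashlib.pbkdf2_hmac("sha512", master, keychain["salt"],
                               PBKDF2_ITERATIONS, dklen=32)
```

The plaintext master key exists only inside `unlock_database_key`; what persists is the wrapped blob, which is useless without the DSC and fails the integrity check if altered.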
When sending data to the server, BlkBag enforces TLS 1.2 and TLS 1.3 connections to endpoints in the BlkBag cloud infrastructure.
BlkBag provides several multi-factor authentication technologies to ensure that data is protected by our customers. BlkBag manages the BlkBag Identity Service ("BlkBag ID") that enables Single Sign On ("SSO") for all BlkBag apps. Users are managed from the https://id.blkbag.app identity portal, with all cloud apps leveraging BlkBag ID to authenticate and authorize users. BlkBag ID enables users and organizations to leverage hardware-based security keys from Yubico as well as online authenticators like Google Authenticator and Microsoft Authenticator. Our entire strategy is to securely identify users performing actions based on their assigned roles for specific applications.
While we collect data like GPS, IP addresses, and other metadata, BlkBag does not share, unless at the direction of your entity or through a court order, data with any outside organization. This includes everything from emails, usernames, entities, and patient data.
Development of the mobile solutions leverages AWS Cloud services to build, test, and deploy BlkBag iOS and Android apps. With our development process, we can securely and repeatedly build and deliver apps.
Not sure exactly what we’re looking for or just want clarification? We’d be happy to chat with you and clear things up for you.