Speckle.xyz and security for custom app

Help Developers
,
1

Dear specklerrs,

We are building a front-end web application based on speckle. The client asked some questions regarding #security of their data that will be stored in the #specklexyz server. So I tried to collect some information but unfortunately I did not find much that could clear my doubts.

How the app works:
I’ve initially followed this guide.
The user lend on the app and authorize the app on speckle using the token exchange the guide suggests.
From now on the app act on behalf of the user and it has read-write permissions.

  • The user see all the speckle projects, and he’s asked to choose one.
  • The user can download some models from different branches into the app
  • The user will interact with these models (they won’t be modified) and create some data
  • The user can now save the project and the app does the following:
    a. create a dedicated branch on the project if not present
    b. create a speckle object and commit the data on the dedicated branch
  • The user has now saved it’s work. Next time he choose the same project he can choose (from the dedicated branch) which version of the last saves to load, and continue the project.

Long story short: we are using speckle.xyz as database for the app, saving there the project data as primary cloud storage.

Security doubts:
The user is mainly worried about:

  • “what if speckle is down?” ( → we can skip this one, since I’m aware that speckle is 99.999% online and reliable)
  • “what if I’m hacked and I loose all my work?”
    They are not worried about data being stolen (not sensible data really) but mainly being locked out from their data and be blocked on their work.

My “dumby” questions are:

  1. What happen if someone steal the app access token from the local storage of the laptop of the client?
  2. What happen if someone steal also the speckle credentials of the user?
  3. Can a malicious attack encrypt the data of one user on your servers? (This probably not, but I just drop the question…)
  4. Can a user get back to his account if someone else manage to get in and change password?
  5. Any best practice to share streams between users to prevent bad thing happening if just one user is hacked?
  6. Anything else can go possibly wrong?

Thank you!
Gianluca

2

Ciao Tabe,

You can find information about our security practices here: Security 🔐

Some inline replies:

  • “what if speckle is down?”
    If Speckle is down, no data will be accessible during that time. Unfortunately we’re all depending on our cloud providers here :slight_smile: There is no SLA as part of speckle.xyz usage, but it instead comes with our Enterprise plans.

  • “what if I’m hacked and I loose all my work?”
    Our DBs are regularly backed up, so no data should be lost.

  1. What happen if someone steal the app access token from the local storage of the laptop of the client?
    Tokens are like passwords, so whoever takes will have the same access as the token allows. But tokens can also be revoked.

  2. What happen if someone steal also the speckle credentials of the user?
    You should contact us immediately and trigger a password reset.

  3. Can a malicious attack encrypt the data of one user on your servers? (This probably not, but I just drop the question…)
    Data is already encrypted :sunglasses:

  4. Can a user get back to his account if someone else manage to get in and change password?
    We can assist users in recovering access to their accounts.

  5. Any best practice to share streams between users to prevent bad thing happening if just one user is hacked?
    Only share what you need with who you need. For extra safety of mind, our enterprise plans offer dedicated servers with no shared databases.

  6. Anything else can go possibly wrong?
    A lot can go wrong, Speckle is not inherently less or more prone to risks than any other service out there using industry-standard security practices like ours. If your customers want to avoid the cloud, they could look at self-hosting speckle on their prem - but that doesn’t necessarily mean it’ll be safer.

Hope it helps!

2 Likes
3

Thanks Teo,

All helpful information!
It is good to know that you can assists users in those scenarios.
I forgot about the Enterprise plan which is something I can propose to the client in the future.

This is exactly what I tried to explain to them :wink: I actually think there are high chances is going to be less safer.

1 Like