Determine a strategy for how to support student development for mobile apps that require the use of student data, and more specifically the support for the GoGaucho app (https://gogaucho.app/).
A year ago the developers reached out to Leesa. Seth met with Hengiy and identified the security issue. Seth reached out to Jennifer Lofthus. Nothing has been done since then. Now that the APIs exist, the students reached out to us again.
Login screen to get the student ucsbnetid and password
Login to GOLD with the student credentials
Screen scrape the class schedule screen and present it to the student in a mobile app
Technologies used
iOS and Android apps
Heroku for server-side development. Credentials are passed to Heroku and the screen scraping happens there.
Other
The students have registered a student organization with about 20 people - iOS developers, Android developers, back-end developers, marketing person, and project managers.
They have a professor sponsor their app development - Tobias Hollerer - Professor of Computer Science Department holl@cs.ucsb.edu
Privacy policy is on their website. They are not interested in monetizing the app.
It is important to make clear to them what our policy is
Leesa - very interested in independent student development, we don't have a way to leverage student developers.
It takes campus resources who are responsible to manage it.
Steven - we can address some issues - credentials - use Google OAuth
can reach out to associated students to get funding for the server
other campuses have professors sponsor a year-long project to develop an app
we have credentials to look at the mobile apps code
Do code reviews with the students
James - do we ask them to deploy the code to a UCSB space?
Oversight of the technologies and security of the apps
We have been in communication with the students, reviewed their implementation and identified several security improvements
Will begin regular meetings with the students after Dec 11.
Provide APIs and better security implementation
We can provide the necessary data and security mechanisms to remove the need for screen scraping
Google OAuth for authenticating the student which will be transitioned to the Campus OAuth when it becomes available
The Student Basic Info API was released today to allow them to get the perm from the ucsbnetid
Class schedule API is on the roadmap to replace the need for screen scraping the student schedule
Provide other APIs as needed - dining menus, events, etc. The dining menus API already exists and we are in conversations with Public Affairs and Associated Students to provide an events API.
Nancy Hammil - general counsel, she can approve the use of the name
Between options 2 & 3
Most apps die in a few months; this one stayed
Leesa - students come to us with similar questions all the time, how are we going to support them? Need to come up with clear guidelines on how to support students
Use of student data
Can we leave the screen scraping on for now until we can provide a better option?
Students will be testing the Google OAuth in December.
Class Schedule API will be released in January.
Legal documents to sign
Data security agreement?
What protections does the Student Code of Conduct give us?
Who takes responsibility if there is a data breach?
With the screen scraping
With the UCSB APIs
What support can Associated Students provide?
Can we create a badge that the app is approved by UCSB?
Can we add language to the app to let students know that this is not an official UCSB app?
How do we support the next student development team that comes up with a similar app?
Leesa - other campuses are letting students designate if they are OK to open their data for app development
Sam - in this app the student is accessing their own information
Jennifer - can't transfer risk to students
Sam - they do need to be aware that they have access to something special and they need to treat it this way.
Anthony - include the faculty sponsor in the DS Agreement signing
Leesa - talk to the faculty in comp science and give them a formal structure
Sam - before any stopping effort, we want to tell students how to get to a Yes.
Sam - see policy that says you cannot ask someone for a password.
Ask students to put verbiage on the app that this is a student developed app. Every time they go to login have a message displayed.
Leesa - OK to have the student schedule
Leesa, Sam - if they are committed to changing to the API once it is available we are OK to leave the screen scraping for now.
Can Associated Students help? - Sean - can provide funding for the project, can be on a recurring basis. If they are an they can get lock in funding. Now they are part of campus life org. AS groups are different. They can go for funding from elections to pay for staff also
Leesa - this might stop other apps
Anthony - bring AS to the conversation with Faculty to see what the partnership can look like.
Shea - identity is working towards providing this
Jennifer - can work with Nancy on the kind of language that we want students to sign.
Decisions
Action items