GoGaucho Improvements

Project Title
Target Release
Epic
Document Status	IN USE
Document Owner
Document Sign-Off
Subject Matter Expert(s)
Technical Expert(s)

Background

What parts of the GoGaucho app need to be improved/revised before campus data can reasonably be delivered securely and within the intended usage of the Campus.

Goals

Develop a list of improvements that are required for the GoGaucho application(s)
Develop a timeline for the improvements

Assumptions

Out of Scope

Requirements

Title	Description	Notes	Status	Expected Delivery
Not an official UCSB App	It's been requested that the application have the first line of the description in the application stores a disclaimer stating that it is not an application officially produced by UCSB. As similar disclaimer should be on the login page.	Store Text: This is not an official UCSB application. (GoGaucho is a mobile app developed by UCSB students ... Login Page Text: Not an official UCSB app	COMPLETED	07 Jan 2019
GoGauchoApp Account	Create an account on the Developer Portal for the GoGuacho app, and create applications for the app & cams.	Create new account at https://developer.ucsb.edu for gogauchoapp@ucsb.edu Set up new applications under the new account gogauchoapp ~~gogauchoapp-cam~~ (no need at this time, will revisit later)	COMPLETED	25 Jan 2019
International Server/Service	Remove the international server/service from the architecture. It's purpose was to caching the Menu; which is now available as an API.	This service was only being used to cache the dining menu information. But, it's location is an issue. Resolution Moving to Heroku This is not quite ready yet ... gotta work out the caching	COMPLETED (New Functionality Not Available Yet)	29 Mar 2019
Use Google SSO Development/Proof of Concept	Get the development work done to sign in with Google's OAuth; and the ability to call Campus API's using the OAuth token.	Add JWT onto requests to the Heroku service. Yaun Yao will be working on this.	COMPLETED	29 Mar 2019
Switch Apps to use OAuth	When ready, switch the GoGaucho mobile app to use Google OAuth to login.	Development work	COMPLETED	10 May 2019
Replace Screen Scraping Development	Replace the screen scraping with Campus API web services in a Development branch.	The goal it to replace the screen scraping with a web api call to the GoGaucho Heroku service. The Heroku service will then call the API Gateway. Not the updates for the screens on the apps Menus In Progress (because Auto-Approved) Student Schedules DONE - Need to fill out API Access Request form on developer.ucsb.edu	Android COMPLETE iOS COMPLETE	Android 21 Jun 2019 iOS 13 Sep 2019
Update the iOS App Store and Google Play Store	After the update of the student-schedules API, update the apps in the app store and google play store	Android (Jimmy) 01 Jul 2019 The function of GOLD login has completely transferred to Google OAuth. It is available in Google Play Store 20 days ago. More than 70% of active users have updated to the newest version. iOS (Henry) 01 Jul 2019 From Henry: here’s only small things left to finish OAuth for getting student’s schedule. I can finish it before this fall quarter. 10 Jul 2019 The app has had the Schedule information removed until the OAuth implementation can be put in place. This is a great compromise to keep things secure. 13 Sep 2019 Updated and released (released: 30 Aug 2019 )	Android COMPLETE iOS COMPLETE	Android 28 Jun 2019 iOS 13 Sep 2019
Use Authentication on Heroku Service	Add authentication onto the requests between the mobile apps and the Heroku service to ensure only known clients are using the service.	GoGuacho team will figure it out and bring their solution back Very closely connected to one above "Store Keys/Secrets on Mobile App Securely" Resolution Will send a magic string between the mobile apps and Heroku Henry found a way to encrypt the communication between Heroku and the app	AndroidCOMPLETE iOS COMPLETE	Android 11 Oct 2019 iOS 11 Oct 2019
Store Keys/Secrets on Mobile App Securely	Use encryption at rest to store keys/secrets in the mobile application.	Encrypted Data File should not be in source control Should be packaged into the distributable GoGuacho team will figure it out and bring their solution back Android (Jimmy) On Mobile Device - Not Yet On Heroku - Implementing iOS (Henry) Researching iOS Keychain	Android COMPLETE iOS COMPLETE	Android 11 Oct 2019 iOS 11 Oct 2019
Move Keys/Secrets to the Heroku Service	Where possible, move keys/secrets to the Heroku service so that they aren't stored within the mobile application.	UCSB API Key has to be in Heroku and not the mobile apps This is really a part of "Store Keys/Secrets on the Heroku Service Securely (nodejs)"	COMPLETED	29 Mar 2019
Store Keys/Secrets on the Heroku Service Securely (nodejs)	Use encryption at rest (or a reasonable alternative) to store the keys/secrets securely.	Encrypted Data File should not be in source control Should be packaged into the distributable Reasonable alternative is using Heroku built in key stores to save passwords and inject them at runtime.	COMPLETED	29 Mar 2019
Access Card API - Remove Username/Password	Disable the access card functionality because of the need to enter a username/password.	Android (Jimmy) Disable the functionality iOS (Henry) Disable the functionality	Android COMPLETED iOS COMPLETED	Android - 13 Sep 2019 iOS - 13 Sep 2019
Events API	When ready, add events API into GoGaucho app	Need to be able to filter Student events from API endpoint	PIPELINE

Questions

Below is a list of questions to be addressed as a result of this requirements document:

Question	Outcome	Decision Date