Mobile scorm encrypted

by Nate Nimapas -
Number of replies: 2

Hi,

I have some questions regarding Moodle Mobile. When users download a SCORM to work offline, can the SCORM package be seen by hackers? I wonder if they can be encrypted in case the package may contain sensitive information. I'm not talking about network security while the file is being transported, but when the file is already on the iPad.

Thanks,

Nate

In reply to Nate Nimapas

Re: Mobile scorm encrypted

by Joris Moodle -

Hi Nate,


The SCORM package is saved unencrypted to the device's storage. As far as I know, there is no out-of-the-box support for encrypting a SCORM package (Moodle Mobile would have to be able to decrypt it when the files are being used). I guess if security is important, it would be better to not allow SCORM packages to be downloaded. Perhaps you can create an improvement request asking for encryption in Moodle Mobile:

https://tracker.moodle.org/projects/MOBILE/issues/MOBILE-1843

In reply to Joris Moodle

Re: Mobile scorm encrypted

by Dani Palou -

Hello,

as Joris said, the SCORMs aren't encrypted in the device. In iOS it isn't easy to access it, but in Android it is. Using any file system app you can navigate to the app's folder, search for the SCORM and see all its contents. You don't need to be a hacker to do that :)

However, in order to do so the "hacker" must have access to the device, and in that case he'll be able to see other user sensitive data like contacts, messages, etc.

I've thought a bit about this and adding encryption can be really complex. The reason is that the SCORM package itself handles the navigation and content, and it expects to receive decrypted files. The app only opens the first file in the SCORM, the rest is handled by the SCORM itself. This means we would have to intercept all the user actions and decrypt the needed files before they're used. Also, we would have to delete all those decrypted files when they are no longer used. This would be really really hard to handle.

I think it would be easier if the SCORM package itself is the one handling encryption. The files are encrypted by default, and the SCORM (via JS) decrypts them and serves the content. However, the SCORM would need to have the secret key hardcoded, so it would be easily broken by hackers.

So in the end, I say the same as Joris: if security is important, it would be better to not allow SCORM packages to be downloaded.

Kind regards,

Dani

Average of ratings: Useful (1)
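The point in the last reply about a key hardcoded in the SCORM, shown as an added example that is not part of the original thread: a package reviewer's check that reports when the decryption key ships inside the same package as the encrypted content. The file names, the `KEY_HEX` constant, the blob layout and all function names are hypothetical, and the package is constructed in memory.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM helpers. Stored blob layout (an assumption): iv(12) | tag(16) | ciphertext
function encryptFile(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}

function decryptFile(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]).toString('utf8');
}

// Constructed package: file name -> bytes as they would sit in the app's folder.
// The loader has to carry the key so the SCORM can decrypt while offline.
function buildPackage(text) {
  const key = crypto.randomBytes(32);
  const loader = `const KEY_HEX = "${key.toString('hex')}";\n// decrypt and render\n`;
  return {
    'content/lesson1.enc': encryptFile(key, text),
    'js/loader.js': Buffer.from(loader),
  };
}

// Review check: try every 256-bit hex literal found in the package's scripts
// against every encrypted file. A GCM tag match means the key is in the package.
function auditPackage(pkg) {
  const findings = [];
  const names = Object.keys(pkg);
  for (const script of names.filter((n) => n.endsWith('.js'))) {
    for (const m of pkg[script].toString('utf8').matchAll(/\b[0-9a-f]{64}\b/gi)) {
      const key = Buffer.from(m[0], 'hex');
      for (const file of names.filter((n) => n.endsWith('.enc'))) {
        try {
          findings.push({ keyIn: script, file, plaintext: decryptFile(key, pkg[file]) });
        } catch {
          // Tag mismatch: this literal is not the key for this file.
        }
      }
    }
  }
  return findings;
}
```

Any finding means the encrypted file is only as private as the unencrypted package would be on the same device.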