Overview#
Responder handsets change hands every shift, cross agency lines during mutual aid, and hold encrypted patient records through hours offline; the responder mobile app is engineered so none of that routine exposes sensitive data.
This module covers the device-side security and privacy protections built into the responder mobile app: hardened sign-in, guaranteed sign-out with offline revocation, shared-device hygiene, exclusion of clinical data from phone migrations, offline record integrity, evidence upload verification, a redacting diagnostics pipeline, and validated web-to-app handoff. It is designed for ambulance services, health-sector deployments, and multi-agency fleets that issue shared devices to field crews.
Key Features#
- Hardened Sign-In: Repeated password, passkey, and multi-factor attempts are progressively slowed on the device, layered on top of server-side rate limiting, with clear too-many-attempts messages in English, Spanish, and French. Account lookups are sent only when the user finishes typing, never per keystroke, all authentication errors map to fixed client-safe messages, and passkey responses are structurally validated so a malformed assertion fails cleanly instead of being partially accepted.
- Guaranteed Sign-Out: Local credentials are purged immediately at sign-out regardless of connectivity. If server-side session revocation cannot complete, only the single credential needed for revocation is queued encrypted at rest and retried on each app start until the session is confirmed revoked or a strict 24-hour cap expires; unreadable queue entries are deleted rather than trusted.
- Shared-Device Hygiene: Sign-out wipes every locally cached inventory record, including stock and readiness data that can contain controlled-substance counts, for every vehicle, kit, and inventory holder the responder handled during the shift. The purge index is fail-closed: a cache entry that cannot be tracked for later purging is never written in the first place.
- Per-Agency Device Binding: Persisted unit call signs, unit assignments, capabilities, and inventory-holder bindings are scoped to the owning organisation; a mismatched or unknown owner triggers an automatic purge before sign-in completes, and sessions without a server-confirmed organisation are refused outright.
- Migration and Backup Exclusion: Offline patient-care records and cached operational data are excluded from cloud backup, local backup extraction, and the separate Android 12 and later device-to-device transfer pathway. Exclusion rules are applied automatically on every build from a single source of truth, complementing the existing on-device encryption of offline clinical data.
- Offline Record Integrity: An encrypted local record that cannot be decrypted, for example after a storage fault, is preserved intact for recovery instead of being overwritten, and new crew edits still queue to the authoritative server copy while the failure is audit-logged. Offline replay is serialised through a single-flight guard so reconnection can never double-submit the same clinical action, with server-side idempotency as the backstop.
- Evidence Content Verification: Before any photo or video is uploaded as evidence, the app inspects the file's actual leading bytes and confirms they match the claimed type for JPEG, PNG, WebP, MP4, MOV, and HEIC. Mismatched files are rejected and removed from the device with a localised message, and the client reports accurate size and type for backend enforcement.
- Privacy-Safe Diagnostics: All device logging and telemetry flow through a single redacting pipeline. Raw server error text, which can contain patient details, never reaches the screen, the device log, or telemetry; only structured, format-checked status codes and identifiers are emitted, with tokens, emails, and identifiers stripped and stack traces removed in release builds.
- Validated Web-to-App Handoff: Links that hand a session from the browser workspace into the installed app are accepted only from the platform's own web domains and the app's own scheme, every field is shape-checked before use, and the link's claimed origin is trusted only after the server verifies a signed handoff token. On any verification failure, externally supplied identifiers and destinations are stripped so the flow degrades safely.
Use Cases#
- Shift Handover in a Dead Zone: A paramedic signs out and hands a shared handset to the next crew with no connectivity, trusting that local data is already purged and the previous session is revoked as soon as the device reconnects.
- Mutual Aid and Shared Fleets: A fleet coordinator rotates handsets between agencies knowing unit identity and inventory data cannot carry one organisation's assignments into another's session, and that controlled-substance stock counts do not persist after shift end.
- Extended Offline Clinical Work: An ambulance crew working a long offline period reconnects without duplicated drug administrations or interventions, and a recovery team can retrieve the encrypted original record after a device storage fault instead of losing it.
- Device Refresh Programmes: An IT administrator lets staff use the standard Android transfer flow to set up new handsets without clinical records replicating onto unmanaged devices.
- Health-Sector Assurance: A privacy officer collects fleet diagnostics and operational telemetry with confidence that device logs and crash channels are free of patient identifiers.
Integration#
These protections underpin the wider responder mobile workspace and its neighbouring capabilities. Offline patient-care-record capture relies on the encrypted local store, preserved originals, and serialised replay; evidence upload management receives only content-verified files with accurate size and type for server-side enforcement; and the browser-based collaboration workspace hands sessions into the installed app through the validated handoff flow. Sign-in protections complement platform multi-factor authentication and cross-device passkey enrolment, guaranteed sign-out works alongside trusted-device management, and every clinical submission carries its confidentiality classification so central audit records remain complete. Server-side rate limiting, idempotency, and organisation enforcement remain authoritative throughout; the device-side measures add defence in depth rather than replacing them.
Open Standards#
- W3C WebAuthn: Passkey sign-in responses are structurally validated on the device before being sent for verification, so malformed authenticator assertions fail cleanly rather than being partially accepted.
- ISO/IEC 10918 (JPEG), ISO/IEC 15948 (PNG), and ISO/IEC 14496 (MP4): Evidence content verification checks captured files against the published signatures of these formats, alongside WebP, MOV, and HEIC, before anything is uploaded.
- HTTP (RFC 9110): Diagnostic telemetry carries standard status codes and validated, format-checked identifiers instead of raw server response text, keeping operational signals machine-readable without leaking content.
- GDPR (Regulation (EU) 2016/679): The redacting diagnostics pipeline, sign-out purge, and migration exclusions support data-minimisation obligations for deployments that handle patient and other personal data.
Last Reviewed: 2026-07-16 Last Updated: 2026-07-16