Skip to main content

Security

Security practices for deploying and operating ODE (Synkronus, Formulus, and related components).

ODE is self-hosted research infrastructure. Regulatory compliance (IRB, data classification, BAAs, audit programs) is the host organization's responsibility. This page describes technical controls ODE provides and what operators must add. ODE does not claim HIPAA, SOC 2, or similar certifications.

For a one-page infrastructure overview aimed at IT departments, see Server Architecture for IT.

Supported versions

Security updates are provided for the latest release and the immediately preceding major version. Current ODE release: v1.1.1.

ComponentSupported
SynkronusLatest release and previous major version
FormulusLatest release and previous major version
Synkronus CLILatest release and previous major version

Keep server and mobile clients on compatible versions. See Installing Formulus.

Reporting a vulnerability

Do not report security vulnerabilities through public GitHub issues.

Full disclosure policy and PGP key: SECURITY.md on GitHub.

Encryption and data protection

In transit

  • All production API traffic must use HTTPS (TLS 1.2+).
  • Terminate TLS at a reverse proxy or load balancer you control (Caddy in synkronus-quickstart; Nginx, Apache, or cloud LB are equally valid).
  • Formulus on iOS enforces App Transport Security (HTTPS). On Android, HTTP is allowed with a warning—enforce HTTPS via server URL policy.

At rest (server)

  • Database and attachment encryption at rest depends on the underlying storage layer (volume encryption, managed database TDE). Synkronus does not add a separate at-rest encryption layer inside the container.
  • Encrypt database and volume backups before off-site storage.

On field devices

DataStorage
Login credentialsiOS Keychain / Android Keystore
ObservationsSQLite (WatermelonDB) in app private sandbox
Photos / attachmentsApp-private directory in the sandbox
Android backupDisabled (allowBackup="false")

Recommend device passcode or biometric lock and MDM remote wipe for lost devices via institutional policy. Offline synced data remains on the device until wiped.

What ODE does not provide

  • Application-level database encryption on mobile devices
  • Certificate pinning (institutional TLS inspection may work if your CA is on devices)
  • Built-in rate limiting (configure at proxy/WAF)
  • High availability or bundled monitoring (use /health and your log stack)
  • Compliance certification

Authentication and access control

  • JWT access tokens (default 24 hours); refresh tokens (7 days).
  • Roles: read-only, read-write, admin.
  • Passwords hashed with bcrypt on the server.
  • Change default admin credentials immediately after deployment.
  • Generate JWT_SECRET with openssl rand -base64 32.

Deployment security

Container images

  • Production: pin ghcr.io/opendataensemble/synkronus:v1.1.1 (not :latest).
  • Scan images for vulnerabilities as part of your supply-chain process.

Network

# Example: allow only web ports on the host
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
  • Expose only the reverse proxy publicly. Keep Synkronus and PostgreSQL on internal networks.
  • Rate limiting: not built into Synkronus—configure on the proxy, especially for login endpoints.

Database

  • Container (quickstart): sslmode=disable on internal Docker/Podman network is normal.
  • Managed PostgreSQL: use sslmode=require in DB_CONNECTION.
  • Limit database access to the Synkronus service only.

Secrets

Never commit secrets to version control. Required secrets:

VariablePurpose
JWT_SECRETJWT signing
DB_CONNECTIONPostgreSQL (includes password)
ADMIN_PASSWORDInitial admin (change after first login)

Use your platform's secret manager in production.

File uploads

  • Attachment limit: 32 MB per file (configure proxy body size accordingly).
  • Attachment IDs validated against path traversal.
  • All attachment endpoints require authentication.

Portal

The Synkronus Portal (admin UI) is embedded in the Synkronus binary at /portal. Protect it with TLS, strong passwords, and network ACLs where possible.

Mobile app (Formulus)

  • Signed release APKs; ProGuard/R8 on Android.
  • Permissions: camera, storage, location as required by form features.
  • Data syncs only to the server URL configured by the user—no third-party analytics pipeline in Formulus.

Install paths: Obtainium (recommended) or F-Droid.

Logging and monitoring

  • Synkronus logs to stdout (structured). Ship logs to your SIEM or log stack.
  • Health check: GET /health on Synkronus (via proxy in production).
  • Do not log passwords, tokens, or other secrets.

Deployment checklist

Before production:

  • All default passwords changed
  • Strong JWT secret generated
  • HTTPS/TLS enabled (TLS 1.2+)
  • Database connection uses SSL/TLS when not on a trusted internal network
  • Firewall configured (proxy only public)
  • Secrets stored securely (not in git)
  • Postgres and appdata backups configured and restore tested
  • Monitoring and log shipping configured
  • OS and image dependencies patched
  • Reverse proxy rate limiting configured
  • Proxy upload limit ≥ 32 MB
  • Synkronus image tag pinned (e.g. v1.1.1)
  • Device passcode/MDM policy for field tablets

Security updates

SeverityTarget response
CriticalWithin 7 days when possible
HighWithin 30 days
MediumWithin 90 days

Subscribe to GitHub Security Advisories for the ODE repository.