This document outlines how CloudRail SI works under the hood, how user data is handled and how credentials are stored.
CloudRail SI is a collection of SDKs for various platforms that allow developers easy and unified access to a plentitude of popular APIs. Each SDK is integrated and shipped directly with an application and thus no middleware is involved.
Every instance of a service is, among other parameters, instantiated with developer credentials (client identifier, client secret, api key, etc.) for the service. This information is stored in the service instance and only used for authentication of the developer's application to the service's API. It is not saved anywhere so you need to provide this information every time you instantiate a service.
When the developer's application calls one of the methods of the CloudRail SI service instance, the following happens:
If the service requires the developer's application to ask consent from their end-users to access their account (OAuth and the likes), authorization is triggered unless this has happened before. This usually entails a website being presented to the end-user to login and grant access to their account. Neither the CloudRail SI SDK nor your application get to access the user's username or password.
At the end of the authorization process, the service instance holds a token with which it can make requests on behalf of the user who gave access. It is also not saved anywhere, so by default, if you restart your application the users would have to log in again. The SDK does provide methods to save and load these credentials to service instances, but it is entirely up to the developer's discretion where to persist that information.
Holding the token necessary to access the API, the actual request is executed in the form of a HTTP(s) request to the respective service provider (Facebook, Dropbox, Google, etc.). The answer is digested by the SDK, for instance a JSON response would be parsed, normalized and then returned to the calling party as a native object of the respective platform.
The only networking the SDK does except the requests to the service providers is the sending of statistical data to a CloudRail server. Information about the application and generic, non-identifying information about the device on which the application runs are being transferred. No credentials, no user data and no user-identifying information is sent.
Last edited by florian, 2016-10-21 10:03:40