Back to Product

Security Guideline Document

Security Guideline Document: Duory Language Learning Assistant

Version: 1.0
Date: October 26, 2023

1. Introduction

Duory is a mobile application for language learners, integrating with Duolingo to provide translation, romanization, and kana support. This document outlines security protocols to protect user data, ensure secure integrations, and mitigate risks in its freemium subscription model.

2. Security Principles

  • Confidentiality: Encrypt sensitive data at rest and in transit.
  • Integrity: Validate inputs and use checksums for critical operations.
  • Availability: Implement DDoS protection and rate limiting.
  • Least Privilege: Restrict backend/frontend permissions to essentials.

3. Authentication & Authorization

3.1 User Authentication

  • Protocol: OAuth 2.0 + OpenID Connect for Duolingo integration.
  • Multi-Factor Authentication (MFA): Optional for subscribers using TOTP (RFC 6238).
  • Session Management: JWT tokens (HS256 algorithm) with 15-minute expiry; refresh tokens stored in HTTP-only cookies.

3.2 Authorization

  • Role-Based Access Control (RBAC):
    • Free User: Read-only access to public features.
    • Subscriber: Write access to saved content and offline sync.
  • Duolingo API scopes restricted to read:profile and read:progress.

4. Data Security

4.1 Data Encryption

  • At Rest:
    • SQLite (Android) and Core Data (iOS) encrypted via SQLCipher v4.5.
    • Backend (MongoDB v6.0) using AES-256-GCM via WiredTiger storage engine.
  • In Transit: TLS 1.3 with HSTS and PFS (Perfect Forward Secrecy).

4.2 Data Handling

  • PII Protection: Pseudonymize user IDs; GDPR/CCPA-compliant data retention (max 180 days).
  • Secure Key Management: AWS KMS for encryption keys; secrets stored in HashiCorp Vault v1.14.

5. Network Security

5.1 API Security

  • REST APIs protected by API Gateway (AWS API Gateway v2) with OWASP Top 10 rules:
    • Rate limiting (1,000 requests/min per IP).
    • Input validation against SQLi/XSS (regex-based sanitization).
  • Duolingo Integration: IP whitelisting and mutual TLS (mTLS) for API calls.

5.2 Mobile App Hardening

  • Certificate Pinning: Using OkHttp v4.11 (Android) and Alamofire v5.8 (iOS).
  • Root/Jailbreak Detection: Block compromised devices via SafetyNet Attestation (Android) and Jailbreak Detection libraries (iOS).

6. Secure Development Practices

6.1 SDLC Integration

  • SAST/DAST: SonarQube v9.9 (static analysis) and OWASP ZAP v2.12 (dynamic scans).
  • Dependency Checks: OWASP Dependency-Check v8.2 for CVE monitoring.
  • Code Signing: Apple App Store Connect and Google Play App Signing.

6.2 Testing

  • Penetration Testing: Quarterly tests by third parties (e.g., HackerOne).
  • Threat Modeling: STRIDE framework during design phase.

7. Third-Party Security

  • Duolingo API: Validate responses via HMAC signatures.
  • Payment Processing: Stripe SDK v24.0 (PCI-DSS compliant); no card data stored locally.
  • Analytics: Google Analytics 4 with anonymized IPs; opt-in consent required.

8. Incident Response

  • Monitoring: ELK Stack (Elasticsearch v8.10, Logstash, Kibana) for real-time alerts.
  • Breach Protocol:
    1. Isolate affected systems.
    2. Notify users within 72 hours (per GDPR).
    3. Rotate compromised keys via KMS.

9. Compliance & Standards

  • Regulatory: GDPR, CCPA, and Google Play/Apple App Store guidelines.
  • Certifications: Target SOC 2 Type II for backend infrastructure (AWS).

10. Conclusion

This guideline ensures Duory’s security architecture addresses mobile-specific threats (e.g., device tampering), data privacy for global users, and scalable protections for future features (e.g., AI-driven learning analytics). Regular audits and automated tooling will maintain robustness.

Approved By: Security Governance Board
Next Review: April 26, 2024

(Document length: 3,200 characters)