help menu

Join us on the Community Forums!

  • Community Guidelines

    The Fitbit Community is a gathering place for real people who wish to exchange ideas, solutions, tips, techniques, and insight about the Fitbit products and services they love. By joining our Community, you agree to uphold these guidelines, so please take a moment to look them over.

  • Learn the Basics

    Check out our Frequently Asked Questions page for information on Community features, and tips to make the most of your time here.

  • Join the Community!

    Join an existing conversation, or start a new thread to ask your question. Creating your account is completely free, and takes about a minute.

Not finding your answer on the Community Forums?

Cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Security questions

‎04-17-2019 11:10

‎04-17-2019 11:10

We are looking into consuming Web API to extract data. We have a couple of questions on the data and security:

1. Is user's password stored encrypted?
2. Is user's data encrypted?
3. Are security administrative functions within the application, logged user's access and safeguarded from tampering?

Best Answer
Labels:
0 Votes
6 REPLIES 6

‎04-18-2019 18:08

‎04-18-2019 18:08

Hi @hsinghAllstate 

 

We support OAuth2 authentication when sharing Fitbit data with 3rd party applications.  When retrieving someone's Fitbit data, you won't have access to their login information.   Instead, the /oauth2/authorize API call will present a consent screen to the Fitbit user.  The user will select which data or scopes they want to share with your application.  Fitbit will provide your application with an access token which is specifically linked to your application.

 

We support 2 main authentication methods.  Based on your security questions, I would recommend the authorization code grant flow.  When a user consents to sharing their data, you will be provided an access token and refresh token.  The access token is short-lived and will expire in 8 hours.  Afterwards, you will use the refresh token to obtain a new access token and refresh token pair.  Once the refresh token is used, it will become invalid.

 

If you want to add additional security, we do support authorization code grant flow with PKCE.

 

The endpoints are executed using https.

 

What type of security administrative functions are you asking about?

 

Gordon

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google
Best Answer
0 Votes

‎04-28-2019 10:51

In response to Gordon-C

‎04-28-2019 10:51

Thank you for the response. Actually, we (Allstate Insurance Company) have a couple of questions related to the data stored for the customers at your end. We would like Allstate app to integrate with Fitbit using Fitbit's API. Our security team have the following questions as part of internal approval process for the integration here in Allstate:

1. Is user's password stored encrypted?
2. Is user's data encrypted?
3. Are security administrative functions within the application, logged user's access and safeguarded from tampering?   

Best Answer

‎05-02-2019 13:41

In response to hsinghAllstate

‎05-02-2019 13:41

Hi @hsinghAllstate,

 

I think the answer is yes to most of your questions.  We take data privacy extremely serious at Fitbit.  Let me confirm.

 

Gordon

 

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google
Best Answer
0 Votes

‎05-06-2019 11:51

In response to Gordon-C

‎05-06-2019 11:51

Hi @hsinghAllstate 

 

This response requires an NDA.  I'm working with your account manager to provide this information to Allstate.

 

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google
Best Answer
0 Votes

‎05-08-2019 14:34 - last edited on ‎05-08-2019 15:34 by Fitbit Developer

In response to Gordon-C

‎05-08-2019 14:34 - last edited on ‎05-08-2019 15:34 by Fitbit Developer

Hi! Who is the Account Manager for Allstate? Also, when should we expect to receive the NDA?

 

 

Best Answer
0 Votes

‎05-08-2019 15:34

In response to hsinghAllstate

‎05-08-2019 15:34

I'll private message you with the details.

 

Gordon

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google
Best Answer
0 Votes