04-17-2019 11:10
We are looking into consuming Web API to extract data. We have a couple of questions on the data and security:
1. Is the user's password stored encrypted?
2. Is the user's data encrypted?
3. Are security administrative functions within the application, and logged user access, safeguarded from tampering?
04-18-2019 18:08
We support OAuth2 authentication when sharing Fitbit data with third-party applications. When retrieving someone's Fitbit data, you won't have access to their login information. Instead, the /oauth2/authorize API call will present a consent screen to the Fitbit user. The user will select which data, or scopes, they want to share with your application. Fitbit will then provide your application with an access token that is specifically linked to your application.
We support 2 main authentication methods. Based on your security questions, I would recommend the authorization code grant flow. When a user consents to sharing their data, you will be provided an access token and a refresh token. The access token is short-lived and will expire in 8 hours. Afterwards, you will use the refresh token to obtain a new access token and refresh token pair. Once the refresh token is used, it becomes invalid.
If you want to add additional security, we do support the authorization code grant flow with PKCE.
The endpoints are accessed over HTTPS.
What type of security administrative functions are you asking about?
Gordon
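The flow Gordon describes, as an added illustration that is not code from the thread or from Fitbit: the client builds the /oauth2/authorize request with a PKCE S256 challenge and a session-bound state value, then validates the redirect before exchanging the code. The host name, client id, redirect URI and scope names are assumed sample values; only the /oauth2/authorize path comes from the post.

```python
import base64
import hashlib
import secrets
from typing import List
from urllib.parse import parse_qs, urlencode, urlparse

# Host is an assumption; only the /oauth2/authorize path appears in the thread.
AUTHORIZE_URL = "https://www.fitbit.com/oauth2/authorize"


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random PKCE code_verifier: 43 unreserved chars from 32 random bytes (RFC 7636 4.1)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(verifier))) without '=' padding (RFC 7636 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(client_id: str, redirect_uri: str, scopes: List[str],
                        state: str, verifier: str) -> str:
    """Authorization-code request with PKCE; the scopes become the consent screen the user sees."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # bound to the browser session and checked again on the callback
        "code_challenge": make_code_challenge(verifier),  # only the hash leaves the client
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code from the redirect, rejecting a state mismatch (CSRF guard)."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not initiated by this session")
    if "code" not in qs:
        raise ValueError(f"authorization failed: {qs.get('error', ['unknown'])[0]}")
    return qs["code"][0]
```

The code verifier is sent only in the later token request, so an intercepted authorization code cannot be redeemed without it; the refresh token returned there is single-use and should be persisted before the old pair is discarded.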
04-28-2019 10:51
Thank you for the response. Actually, we (Allstate Insurance Company) have a couple of questions related to the data stored for the customers at your end. We would like the Allstate app to integrate with Fitbit using Fitbit's API. Our security team has the following questions as part of the internal approval process for the integration here at Allstate:
1. Is the user's password stored encrypted?
2. Is the user's data encrypted?
3. Are security administrative functions within the application, and logged user access, safeguarded from tampering?
05-02-2019 13:41
Hi @hsinghAllstate,
I think the answer is yes to most of your questions. We take data privacy extremely seriously at Fitbit. Let me confirm.
Gordon
05-06-2019 11:51
This response requires an NDA. I'm working with your account manager to provide this information to Allstate.
05-08-2019 14:34 - last edited on 05-08-2019 15:34 by GordonFitbit
Hi! Who is the Account Manager for Allstate? Also, when should we expect to receive the NDA?
05-08-2019 15:34
I'll private message you with the details.
Gordon