Glide privacy and security

Ask for Help
1

Folks,

I gave a talk about Glide to the Lexington (MA) Computers & Technology Group. You can see this talk at:

One of my good friends sent me a set of questions based on what I talked about as well as what I showed in the demo of using Glide to create an app for our group. I don’t feel qualified to answer these questions, so I submit them to the community at large. I appreciate anything you can contribute to answering these questions. You don’t. have to answer them all – feel free to pick off one of the four questions and answer it.

Thanks,

– Harry

A couple of “privacy and security” questions.

Question 1: First, authentication. Suppose I have an app that’s only intended for “authorized users.” How does someone who starts up the app on their phone authenticate themselves? Does Glide provide an authentication service? Is it username/password? Do they use 2FA? Of course, there’s not only the binary question of whether or not a given user can access the app’s data but also what the particular user’s rights are—to read, to modify, …

Hopefully, one authenticates to a specific app, and not just to an overall Glide account.

Question 2: Second, the privacy of the app’s data. It’s all in spreadsheets, stored either as Google docs in the Google cloud or in Glide’s own cloud storage (I think you said that was a feature in the newest version). What keeps an app’s data private to the users of that specific app, and prevents it from being spied on or, worse, modified by, others—either other Glide users or outside hackers? I.e., how tight is Glide’s security, and do they assume any liability for keeping your data private? Or should one use Glide only for apps that don’t have any privacy concerns re their data?

Question 3: Third, security. How is data “in-flight” between the app and Glide’s server protected (or is it?)?

And a few more questions on other topics:

Question 4: Is there a way for a Glide app to access data contained in a database that is not a Glide spreadsheet or table; i.e., a 3rd party database, perhaps containing real-time data. For example, suppose my company had a trouble ticket system that kept its database on my company’s own server. I want to make it easy for my field service team to access the trouble ticket system while they’re out and about, so I want to create an app for them to do that. But, the app needs to access the actual trouble ticket database on my server; the trouble ticket database is not going to be uploaded to a Glide table/spreadsheet. And of course, such access to a third-party database needs to be in real-time, because the data can change.

Thanks: I will appreciate answers to any of these questions.

2 Likes
2

  1. A Private Pro App, just like a Pro App with the Public with Email option, will authenticate the same way. So the user will enter their email and receive a one time use PIN to authenticate themselves to the app. Authentication cookies are then stored on the user device until they sign out or you choose to not store authentication cookies. Private Pro adds the option of whitelisting only the emails that you want to have access to the app. It’s like 2FA, but without a password.
    -User rights can all depend on how you set up to app. It’s easy to do by setting a role for the user in the user profile table, and then conditionally hiding or showing Add/Edit options based on the signed in user’s role.
    -A user only authenticates to a single app.

  2. I would say that the data stored on glide servers and/or google sheets is secure as long as nobody other than the developer has access to it. Where you have to be careful is what data is actually downloaded to a user’s device. First of all, data will not be downloaded until a user is authenticated and signs into an app. So if an app is Public or Public with Email, then anybody can access the app and anybody can sign in, which will download available data. Private apps will restrict who can even sign into the app, so only those that have access to sign in will have data downloaded. Now, I will say from experience that once a user is in an app, a savvy user can find ways to access and see that data. Now that’s not saying that all data is available. If you apply and use Row Owners properly, then you can restrict the data in a particular table so a signed in user will only download the data that they own. Don’t purely rely on visibility conditions and filters. They may hide the data from the forward facing app screens, but the data is still there on the user’s device. Only Row Owners will guarantee that a user will only see the data that they own, because only their own data is downloaded.
    -Images and files stored in glide are a bit of a gray area. I believe the images and files are publicly accessible if the url is known, but the urls are very hard to “guess”.
    -I wouldn’t worry about users maliciously manipulating data if they haven’t been granted access in the app to make changes. At least I have never heard or seen any cases of that. I would recommend the following documentation along with the T&C and Privacy Policy to learn more:
    Security & User Data - Glide Library
    Terms of Service • Glide
    Privacy Policy • Glide

  3. To the best of my knowledge, data is encrypted when it is in transit between the server and the app but unencrypted on the user device so it is accessible to the app. It may be possible that data is cached on a user device in the browser cache.
    Encrypt data - #4 by david

  4. I guess this depends on how you are accessing your third party database. If it’s via something like a webview or a computed column, then no I don’t believe glide themselves would have access to the data. Things like that would be rendered and displayed directly on the user device. Like all computed columns, webviews, images, etc, all of that is rendered on the end user device. Storage is another matter, if you are storing data in your glide table or google sheet in basic columns…and it’s sourced from your third party database somehow, then the glide servers would have access to the data. I guess it really depends on how you intend to access the third party database and if those access methods are secure in and of themselves.

I’ll just throw in a disclaimer that all of this is to the best of my personal knowledge. I will not guarantee the accuracy of my comments above. This is only what I have perceived over the past few years of using Glide. I would advise contacting Glide directly if you have specific questions regarding privacy and security. I personally believe that they have taken necessary security precautions and performed necessary security audits to stay compliant, but only they can confirm that.

7 Likes
3

Jeff, as usual, your answers to my questions are excellent. Thank you for taking the time to explain what you have gleaned from your use of Glide.

Thanks,

– Harry

1 Like
4

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.