Tuesday, June 19, 2012

Issues/Questions Before Designing A Mobile Application

Before any coding of a mobile application starts, there are issues that should be discussed to limit the chance of having to rewrite an application, or find that a decision may have legal ramifications.  For example, as the following article explains, many patient/doctor mobile applications may be violating HIPAA requirements: http://www.americanbar.org/newsletter/publications/aba_health_esource_home/aba_health_law_esource_1110_barrett.html.

This process is an iterative process, so there should be multiple passes through the questions, as the answer to one will influence the answer to another, until answers to one area doesn't lead to confusion with another.

  1. How should the application function if there is no Internet connection?  This may be tricky as, for example, if the application had medical information on it, for example, if an insurance company or doctor’s office provided the application, then it may be used deep in a hospital where there is no signal, and you should be in airplane mode anyway.  So there are many places where there is no connection, or it is spotty.
  2. Should the information be stored on the device or on a server?  This is similar to (1), but if the information is to be stored on the device then there will be other questions.  And it may be that storing it on the server may be annoying to the user. For example, if you have an application for lawyers or hairstylists for billing, and you are required to use two-factor authentication, so there is a username/password/rsa token to get into the server, then each time a person changes clients or projects they may need to log into the server, which will be bothersome, so they will uninstall the application.  Now, if the information is stored on the device, then they just need to upload the information at the end of the day, and the device is basically a scratchpad that may have additional information that is only useful to the user.
  3. If the information is stored on the device, even if just for a short time, how sensitive is it, and could any national regulations govern how to protect the data?
  4. For example is two-factor authentication required? Is it possible for one factor to be the device, which would require that it be uniquely identified.  If sending a password, is the password actually needed, or is there better solutions?
  5. If storing sensitive information then strong encryption should be used, so an Export Registration Number is probably needed, even if just using SSL to send data to the servers.
  6. How will the application be distributed? Is it targeted to just a small group, such as employees of a company, or will it be open to anyone to download, but only those that can create an account will actually be able to use it?
  7. How will the server and mobile device communicate?  For example, SOAP and REST are two common approaches.
  8. A mobile application will put a higher load on a server, as people can use it when they are paused somewhere, as they are no longer limited to their location, so is the server-side prepared for the increased traffic?  One solution may be a mixture of relational databases (RDBMS) and NoSQL databases
  9. If strong encryption is used, should it be available outside the US?
  10. Due to the indemnification clauses in the developer contracts for iOS or Android, is your company a likely target for patent trolls to aim for you?


No comments: