HandScanner Backend Architecture

The following diagram shows how data recorded on the HandScanner is processed and transmitted safely and securely.

Security & Data Transmission Protocols 

Diagram

Device

  • Authentication: Uses RSA cryptographic authentication and certificates to prove identity and establish trust between the device and the cloud.

  • SSL/TLS encryption protects the data

    • All data and software updates are sent through SSL/TLS-encrypted channels.
  • JSON is used as a structured format for data transmission

    • These packets are transmitted securely using SSL/TLS and are processed by AWS Lambda (see below). 

__________________________________________________________________________________________

Backend 

  • Leverages AWS IoT Core (Amazon Web Services Internet of Things Core)
    • Message routing using TLS MQTT (Message Queuing Telemetry Transport) or HTTPS (Hypertext Transfer Protocol Secure).
  • AWS Lambda processes incoming JSON data from IoT Core:
  • Amazon API Gateway
    • Accepts RESTful HTTP(S) requests from both:

      • Devices (e.g., for pushing updates).

      • Dashboards (e.g., for visualizing data).

  • All REST endpoint responses are base64-encoded zip data, and the payload is encrypted.

__________________________________________________________________________________________

Frontend 

  • React (JavaScript framework)
  • Uses SSL/TLS encryption via HTTPS to ensure secure content delivery.

  • TypeScript is used exclusively on the frontend.

__________________________________________________________________________________________

How connectivity works

  • All communication is device-initiated (“phone home”) over outbound connections.
  • No inbound access, port forwarding, or pinholes are required.
  • Once connected to the network, the HandScanner sends status updates and telemetry to our cloud platform and checks for update instructions. Software/configuration updates are then downloaded by the device over outbound HTTPS.

__________________________________________________________________________________________

Summary & required network allowances

  • Blocked inbound is not an issue.
  • Permit outbound connections on TCP 443, TCP 80, UDP 53, UDP 67/68, UDP 123 to the destinations listed in the table on this page.
  • If outbound filtering is enforced, whitelist the domains listed in that table.
  • Static IP addresses are not required. If the network uses MAC filtering, we will provide the MAC address for each device in advance so it can be added to the allow-list.
  • With this setup, devices will continue to send status updates and download software/configuration updates without any inbound access.

__________________________________________________________________________________________

Traffic patterns

  • MQTT heartbeat every 3 minutes, plus on scans, every 5 min, every 20 min, on network connection, and every 59 min.
  • HTTPS authentication hourly.
  • S3 file transfer at boot, during updates, and on scan.
  • Captive portal check on network connect.
  • NTP time sync on app launch.

| Destination | Port | Protocol | Purpose |
|---|---|---|---|
| Router (local) | 53 | UDP | DNS name resolution |
| Router (local) | 67, 68 | UDP | DHCP address assignment |
| a16pvx628lslju-ats.iot.us-east-1.amazonaws.com | 443 | TCP (MQTT over TLS) | Device heartbeat, status, scan results |
| c17vf01fhrpedp.credentials.iot.us-east-1.amazonaws.com/role-aliases/s3uploadrolealias/credentials | 443 | TCP (HTTPS) | Device authentication & temporary credentials |
| *.s3.amazonaws.com | 443 | TCP (HTTPS) | Transfer of large files (updates) |
| clients3.google.com/generate_204 | 80 | TCP (HTTP GET) | Captive portal detection |
| pathspot.app/blank | 80 | TCP (HTTP GET) | Captive portal detection |
| 1.us.pool.ntp.org | 123 | UDP (SNTP) | Time synchronization |
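
The following is an added example, not part of the original page or the vendor's tooling: a small Python check that turns the destination table into an egress allow-list and flags flows it does not cover, including a label-aware match for the *.s3.amazonaws.com wildcard. It assumes flow records that carry a direction and a resolved hostname (for example from DNS or TLS SNI logs); the names ALLOW, host_matches, is_allowed, audit and the "LOCAL" placeholder for the site router are hypothetical, and the sample flows are constructed.

```python
# Egress rules transcribed from the destination table on this page.
# "LOCAL" is a placeholder for the site's own router (DNS and DHCP).
ALLOW = [
    ("LOCAL", 53, "udp"), ("LOCAL", 67, "udp"), ("LOCAL", 68, "udp"),
    ("a16pvx628lslju-ats.iot.us-east-1.amazonaws.com", 443, "tcp"),
    ("c17vf01fhrpedp.credentials.iot.us-east-1.amazonaws.com", 443, "tcp"),
    ("*.s3.amazonaws.com", 443, "tcp"),
    ("clients3.google.com", 80, "tcp"),
    ("pathspot.app", 80, "tcp"),
    ("1.us.pool.ntp.org", 123, "udp"),
]


def host_matches(pattern, host):
    """Exact match, or '*.suffix' requiring at least one label before the suffix."""
    pattern = pattern.lower()
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # keep the leading dot so "nots3..." cannot match
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_allowed(direction, host, port, proto):
    """Only outbound flows to a listed host/port/transport are expected."""
    if direction != "out":
        return False  # the page states that no inbound access is required
    return any(host_matches(p, host) and port == q and proto.lower() == t
               for p, q, t in ALLOW)


def audit(flows):
    """Return the flows that the allow-list does not cover."""
    return [f for f in flows if not is_allowed(*f)]


# Constructed sample flows (direction, host, port, proto); not real captures.
SAMPLE_FLOWS = [
    ("out", "a16pvx628lslju-ats.iot.us-east-1.amazonaws.com", 443, "tcp"),
    ("out", "bucket-example.s3.amazonaws.com", 443, "tcp"),
    ("out", "1.us.pool.ntp.org", 123, "udp"),
    ("out", "a16pvx628lslju-ats.iot.us-east-1.amazonaws.com", 8883, "tcp"),
    ("out", "s3.amazonaws.com.example.net", 443, "tcp"),
    ("in", "LOCAL", 22, "tcp"),
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("not covered by the allow-list:", flow)
```

The three flagged flows are MQTT on a port other than the listed 443, a hostname that only embeds the S3 suffix, and an inbound connection.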