
Large touchscreen apps and kiosk mode

This guide describes best practices for developing large touchscreen apps and kiosks on Kuori's large touchscreens.

General security considerations

General Google practices for apps


General web kiosk considerations

  • Lock down the device so that users cannot access device settings, the desktop, etc. Checklist:
    • Swiping from the top must not bring up the settings menu.
    • Automatic restart on boot and after crashes.
    • URL bar, browser toolbar, etc. should not be user-accessible.
    • Physical protection (no access to ports, buttons, etc.)
  • No leaks! Keep the user contained inside your web pages at all times. If users are allowed to access the Internet freely, sooner or later you’ll see something unpleasant on the screen.
  • All content should be local in signage kiosks. If the network connection is cut, signage platforms should show the last known content until they can update.
  • No embedded YouTube videos. Use local video files. The HTML5 player leaks: it lets users reach YouTube and, from there, the rest of the Internet.
  • No links to social media (Facebook, LinkedIn, etc.). These do leak.
  • No URL bars accessible to users.
  • Standard ways of accessing kiosk management are tapping on each corner or tapping the screen rapidly 5 or 7 times. Protect your settings with a PIN code that is not 0000 or 1234.
  • Make your kiosk read a config file under /storage/emulated/0/. This makes it easy to push configs via MDM and to make sure kiosks are not left running with their default settings. Should you want to protect your kiosk better than the average one, only let it start showing content when this file exists, and only allow access to settings when it doesn't.
  • If users can input text data (e.g. search fields), sanitize their input. https://imgs.xkcd.com/comics/exploits_of_a_mom.png
  • Make sure the app behaves correctly with the selected keyboard. All general touchscreen design rules do apply.
  • If a session contains sensitive data, delete everything after a user ends the session. Do not use predictive text input or store previously input values in forms. Delete cookies and downloads.
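
One way to enforce the "No leaks" rule above is to check every link and embed target against an allowlist of the kiosk's own origin. The following is an added example, not code from Kuori or from the original guide; the origin https://kiosk.example, the function names and the sample targets are assumptions made for illustration.

```javascript
// Added example. The origin below is a constructed placeholder for the kiosk's own site.
const ALLOWED_ORIGINS = new Set(["https://kiosk.example"]);

// True only when `target`, resolved against the current page, stays on an allowed origin.
function isAllowedNavigation(target, base, allowed = ALLOWED_ORIGINS) {
  let url;
  try {
    url = new URL(target, base); // also resolves relative and scheme-relative links
  } catch {
    return false; // unparsable targets are blocked, not guessed at
  }
  // Only web schemes: this rejects javascript:, data:, file:, intent: and the like.
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  // A kiosk page never needs user:password@host URLs, and they disguise the real host.
  if (url.username !== "" || url.password !== "") return false;
  // Exact origin match (scheme + host + port); no substring or suffix matching.
  return allowed.has(url.origin);
}

// Audit helper: returns the link/iframe targets that would take the user off the kiosk.
function findLeaks(targets, base, allowed = ALLOWED_ORIGINS) {
  return targets.filter((t) => !isAllowedNavigation(t, base, allowed));
}

// Browser-side guard: cancel clicks on links that fail the check.
function installClickGuard(doc, allowed = ALLOWED_ORIGINS) {
  doc.addEventListener("click", (event) => {
    const el = event.target;
    const link = el && el.closest ? el.closest("a[href], area[href]") : null;
    if (link && !isAllowedNavigation(link.getAttribute("href"), doc.baseURI, allowed)) {
      event.preventDefault();
    }
  }, true); // capture phase: runs before click handlers on the link itself
}

// Constructed sample targets, as they might appear in a kiosk page's markup.
const SAMPLE_BASE = "https://kiosk.example/home/index.html";
const SAMPLE_TARGETS = [
  "/menu/index.html",
  "videos/intro.mp4",
  "https://www.youtube.com/embed/VIDEO_ID",
  "//www.facebook.com/example-page",
  "https://kiosk.example.other.test/",
  "https://kiosk.example@other.test/",
  "javascript:void(0)",
  "http://kiosk.example/menu/index.html",
];
```

The click guard only covers link clicks inside the page; iframes, redirects and new windows need the same check applied in the kiosk wrapper's own navigation handling.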