When using your Go.Learn mobile app, you need to keep a few technical and security requirements in mind. This article provides security guidelines for the app and details the requirements and limitations of the Go.Learn mobile app relating to different areas of the platform.
Security Notes for the App
- Data transmission is secured using the HTTPS protocol. When using a standard ECS solution, the certificate is issued by Go Daddy Secure Certificate Authority and uses 2048-bit RSA cryptography together with SHA-256 hashing for the data signature. Users can use their own certificates for custom-named domains. The HTTP protocol is not supported for custom domains on Go.Learn.
- The app access info is saved in the Keychain in secure mode, and it is accessible from the app only.
- Passwords are never saved locally.
- The offline login feature uses hashing functions to permit access.
- Courses, training material and asset data downloaded to play the content in offline mode are securely stored within the isolated storage. This data is not saved in the SD memory. Please note that you cannot access this content using another app.
- SSO tokens are never saved within the context of the Go.Learn app. SSO tokens are immediately converted into HTTPS access keys, then destroyed and removed from the device memory.
- Refer to the Go.Learn Permissions table to know which permissions are required by the Go.Learn mobile app.
Security Questions & Answers
This section is a collection of the most frequently asked questions about security in the Go.Learn app. In case your Information Security Officer needs more detailed documentation, you can contact Docebo via the Help Center or through your Account Manager if your plan includes this option.
Which programming language and/or framework was used to create the application?
The app relies on many external third-party libraries, but they are not up to date with the latest version. Why?
Library updates are partially outside Docebo's control. In React Native apps, you cannot directly control the dependencies of an app. You choose the packages you want to add to your app using RNPM (React Native Package Manager), and the package manager then decides which libraries (and versions) are included in the app, according to the packages you use, so as to prevent conflicts.
Is the app protected by any code tampering prevention technique?
Yes, the Android app is protected by ProGuard, while the iOS app is implicitly protected by its environment.
Does the app implement controls to prevent unauthorized access to paid-for resources (wallet, SMS, phone calls etc.)?
The app doesn’t access any of these services, so it doesn't even ask for the required permissions to access such resources.
How do data handling practices work? Which data may be collected through the app and how may it be used?
The Docebo mobile app is an integral part of the Docebo platform solution, and as such it is compliant with the practices described in Docebo Data Processes Addendum.
Is user authentication required?
Yes, of course!
How does the user authenticate?
Username and password are required, or as an alternative, Single Sign-On (SSO) is supported.
Are any passwords being stored on the client?
No, absolutely not. Even in the case of the offline login, the app saves the irreversible SHA-256 hash of the password.
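The offline check this answer describes, as an added example that is not Docebo's code. The page states only that a SHA-256 of the password is kept; the UTF-8 encoding, the function names, and the salted PBKDF2 variant shown for comparison (which goes beyond the page) are assumptions a security reviewer can use when asking how the stored value is derived.

```python
import hashlib
import hmac
import os

# Assumption: the page only says the app keeps "the irreversible SHA256 of the
# password". Encoding, names and storage layout here are illustrative.

def sha256_verifier(password):
    """Return the hex digest that is stored instead of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def offline_login(attempt, stored_digest):
    """Hash the attempt and compare it to the stored digest in constant time."""
    return hmac.compare_digest(sha256_verifier(attempt), stored_digest)

# Comparison variant (not stated on the page): per-device random salt plus an
# iterated derivation, so equal passwords do not yield equal stored values.
PBKDF2_ITERATIONS = 100_000  # constructed value for this example

def pbkdf2_verifier(password, salt=None):
    """Return (salt, derived_key); a fresh 16-byte salt is drawn if none is given."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, key

def offline_login_pbkdf2(attempt, salt, stored_key):
    """Re-derive with the stored salt and compare in constant time."""
    _, key = pbkdf2_verifier(attempt, salt)
    return hmac.compare_digest(key, stored_key)

if __name__ == "__main__":
    stored = sha256_verifier("constructed-sample-password")
    print(offline_login("constructed-sample-password", stored))  # correct attempt
    print(offline_login("wrong-guess", stored))                  # rejected attempt
```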
Is the encryption key derived — even if securely — from the user's login credentials?
No, absolutely not.
Does the application store user credentials? If so, how are they stored? How does the application store session keys, passwords, device enrollment data, etc.?
The application never saves passwords locally. All the other sensitive data are stored in the system keychain.
What would an attacker be able to do if they got the user’s credentials?
An attacker could use the access key to make API calls, log into the platform, download training material, and take courses.
Mobile App Info and Limitations
- Android and iOS minimum versions supported by Go.Learn are constantly updated. Refer to the System Requirements article to find all of the info you need on the versions of supported operating systems.
- For those using Android devices, remember that you need to have access to Google Play Store to be able to download and access the app.
- For those using Android devices, the screen automatically rotates when you move your device between portrait and landscape even when the auto-rotate setting is not enabled on the device.
Language of the App
- Go.Learn mobile app is shown in the language set in the language settings of the device on which the Go.Learn app is used (regardless of your preferred language in the platform). If your device language is not available, the app language will be English by default.
- All of the languages supported in the desktop version of the platform are available for the Go.Learn mobile app (except for Estonian and Latvian languages, supported on Android devices but not supported on iOS devices)
- File Field user additional field type, allowing users to upload a file from their My Profile page, is not supported on the mobile app.
- The only external course catalogs available for the mobile app are Docebo Content and LinkedIn Learning.
- You can view the price of courses or learning plans that are for sale in catalogs, but you cannot purchase them directly in your app. In order to finalize your purchase, you need to access your learning platform via desktop.
- Enrollment links are not supported.
Training Material and Assets Management
- If you have a SCORM, xAPI or AICC training material in which you have embedded a video training material coming from a social video platform, you can access your training material while you are offline, but you cannot play the video inside of the package. If you want to make the video available also while offline, the video must be included in the SCORM/xAPI/AICC package, but it cannot be embedded in the package as a social video.
- If you have downloaded courses and/or training material for offline viewing, once your app is online again, the status of your enrollment into the courses that you downloaded in the Offline Courses page is checked. Then, if a course expired or if you are no longer enrolled in a course, the course itself or the training material included in that course are removed from the Offline Courses page and deleted from the local storage. In this way, the content in the Offline Courses page is always aligned with the status of your enrollments, and only courses into which you are currently enrolled (or training material included in the courses into which you are currently enrolled) are shown on this page. For more info, refer to the article Navigating and Using Your Go.Learn App.
- SCORM or HTML Page training materials will play smoothly in offline mode only if they are completely encapsulated, meaning that they do not reference any external websites.
- Multi-SCO and multi-chapters SCORM training materials are not supported in offline mode.
- Surveys, tests, TinCan, LTI and AICC training materials are not supported in offline mode.
- YouTube/Vimeo/Wistia video assets and the link asset type are not supported in offline mode.
- YouTube/Vimeo/Wistia videos are not playable in offline mode regardless of whether they are training materials or assets.
- The Allow users to download an asset's source file option that you as a Superadmin find in the Discover, Coach & Share settings needs to be enabled so that assets can be downloaded on the mobile app.
- The mobile app supports domain-restricted Vimeo videos when they are part of a course and they are video training material. On the other hand, domain-restricted Vimeo videos are not supported by the Go.Learn app when the video is embedded within training material other than videos — for example SCORM, xAPI or HTML. If you need to embed a Vimeo video in a SCORM, xAPI or HTML training material, make sure that the video is publicly available and not restricted by Vimeo privacy settings.
- Some SCORM and TinCan training material cannot be played on the mobile app, depending on the content within the package. Even if the object plays on the desktop learning platform, it is not guaranteed that it will work on the mobile app. The content should be HTML5 with responsive design.
- The download of files within a SCORM training material is supported only for the following file types: 'pdf', 'zip', 'doc', 'docx', 'csv', 'xls', 'xlsx', 'ppt', 'pptx'.
- Files must be HTML responsive to be playable on the mobile app. Docebo is not able to tell you in advance whether a file will or will not be playable on the app.
- Subtitles added to video training material are available in the mobile app, and they must be written in VTT format. When converting to this format, the file must be completed with a cue identifier, as described here.
- Training material's description is shown as plain text (images aren't displayed). This applies to training material included in any type of course, e-learning and ILT.
- Surveys training material including formatted HTML and images will be loaded as plain text.
- In tests training material, answers (to single choice and multiple choice question types) including formatted HTML will be loaded as plain text.
- If the text of a question included in a test training material contains multimedia content, the media content is not displayed. Images and text are displayed and formatting is supported, while multimedia content such as videos, audio files, tables are not displayed.
- The body of the answers included in a test training material is displayed as text (images aren’t displayed, for example).
- If you as a Superadmin create and add inside of a course a training material whose duration is longer than the value you configured for Session Lifetime (in the platform Advanced Settings, Advanced tab) and the learner plays that training material, the tracking for that training material may not be saved.
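The offline-mode requirement in this list that SCORM or HTML Page training materials be completely encapsulated can be checked before upload. The following is an added example, not part of the original article or Docebo tooling: it scans the HTML files of a package for references that leave the package. The sample package, its file names and the `example.com` hosts are constructed.

```python
import io
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that can make a page fetch or navigate to another resource.
URL_ATTRS = {"src", "href", "data", "poster", "action"}

def is_external(url):
    """True for absolute http(s) URLs and protocol-relative //host/... URLs."""
    parsed = urlparse(url.strip())
    return parsed.scheme in ("http", "https") or (
        not parsed.scheme and bool(parsed.netloc)
    )

class RefCollector(HTMLParser):
    """Collects (tag, url) pairs for every external reference in one file."""
    def __init__(self):
        super().__init__()
        self.external = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and is_external(value):
                self.external.append((tag, value))

def external_references(package):
    """Map each HTML file in the zip (given as bytes) to its external refs."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".html", ".htm")):
                continue
            collector = RefCollector()
            collector.feed(zf.read(name).decode("utf-8", errors="replace"))
            if collector.external:
                findings[name] = collector.external
    return findings

def build_sample_package():
    """Constructed sample: one self-contained page, one with external refs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("imsmanifest.xml", "<manifest/>")
        zf.writestr("index.html", '<script src="js/player.js"></script>'
                    '<img src="img/logo.png"><a href="#next">Next</a>')
        zf.writestr("lesson2/video.html",
                    '<iframe src="https://player.example.com/video/1"></iframe>'
                    '<link href="//cdn.example.com/site.css" rel="stylesheet">')
    return buf.getvalue()
```

The scan covers HTML attributes only; URLs built in JavaScript or referenced from CSS `url()` values are not detected and still need a test on a device in offline mode.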
General Limitations for Training Material or Assets on Mobile (for Both Online Mode and Offline Mode):
- The maximum suggested resolution for training material and assets on mobile is Full HD (1080 × 1920 pixels or 1920 × 1080 pixels). Images that exceed this resolution may be shown, but they slow down performance and may cause malfunctioning.
- Training material imported from Skilla is not supported.
- Training material or assets containing pop-ups or links to be opened in a pop-up window are not supported; the pop-up won’t be opened.
- Assignment training material is supported by the app, but if you need to submit your assignment uploading a document you stored in your Google Drive, remember that you need to upload it as a link, since the integration with Google Drive is not supported by the Go.Learn app. If you want to upload a screencast as an assignment, please note that Screencast-O-Matic is not supported by the app. For all iOS mobile devices and for Android starting from version 11, you can use the native screen recorder tool (open it from the Control Center panel for iOS or from the Quick Actions panel for Android). For Android devices with a version older than Android 11, you may need to install a screen recording app from the store.
- When playing a SCORM or TinCan training material, in order to exit from the training material view, always use the X button in the top left corner of the training material's player in the app, and do not use the X button (nor any Close or Exit buttons) inside of the SCORM or TinCan. This ensures that the user progress is properly tracked when closing the training material.
- If the Next button isn’t automatically enabled after having played a SCORM or TinCan training material, you need to exit from the training material view with the X button in the player, then move to the following training material by opening it from the list of training material in the course.
- App users located in China may not be able to access training material and assets coming from social video platforms (YouTube, Vimeo and Wistia). As a consequence, if the completion of the training material they cannot access is a prerequisite for the completion of the course, the latter cannot be completed.
Comments and Questions & Answers
- Emoji are not supported in the text of questions, answers and comments (this applies both to courses and informal learning assets)
The same enrollment policies you set for the desktop version are used for the mobile app.
Also, remember that the iframe enrollment additional field isn’t compatible with the Go.Learn mobile app at the moment. Thus, if the iframe field is a mandatory field for learners, then they will not be able to enroll into those courses from a mobile device. Find out more about the enrollment additional fields.
- Date and Iframe filters are not supported.
Branding & Look
- You cannot use custom CSS.
- When managing the theme settings for your platform, if you've flagged the option to display square tile thumbnails in your platform, note that at this time, the mobile app can only display rectangular tile thumbnails.
- Badges, points and coins, leaderboards and contests are shown in the mobile app on the My Gamification page in your profile panel (you can reach it from the app menu) and via the Gamification widget. However, for contests, you can only view your position in the related leaderboard, but the top 3 of the contest and the full leaderboard for the contest are not available on the app.
- The mobile app supports the following SSO integrations: SAML, OKTA, Google Apps, Gmail, Auth0 and OpenID Connect. Any other SSO integration is not supported. Keep in mind that when using these SSO credentials, they are not supported in offline mode, meaning that you cannot use an SSO login in offline mode. You as a user must be in online mode to login via SSO. Remember that you should not log out of the app when in offline mode.
- When configuring the SSO Behavior for SAML, OKTA, Google Apps, Gmail, Auth0 or OpenID Connect, please note that the Show standard login page option is supported by Docebo's Go.Learn mobile app. If you set this option and you use on your mobile app the Single Sign On integration you have configured (among those listed above), remember that it is necessary to set also the Show SSO button on login page. The Automatic redirect to identity provider setting (and as a consequence the possibility to add a specific logout landing page) is not supported by the Go.Learn mobile app.
- When logging into Go.Learn via SSO and using the same SSO service in LinkedIn Learning, your credentials are not automatically transferred to the LinkedIn Learning portal.
- If you're experiencing issues with SSO login using Apple iOS 12 or earlier, you should update your device to Apple iOS 13.
- On mobile, we guarantee that the HTML/WYSIWYG (What You See Is What You Get) widget layout is maintained only if it is composed with a WYSIWYG editor. This doesn’t mean that HTML composition isn’t supported, but it means that only some of the HTML tags are supported. Refer to the HTML Tags Supported by WYSIWYG table to know which tags are supported. Please note that the list in the table is not meant to be completely exhaustive. It includes all of the main tags and styles, but the best way to know for sure which tags and styles are supported is to run a test directly on your device and see what is shown.
- On mobile, HTML/WYSIWYG widget is considered to be a dynamic widget and it does not support custom CSS defined at platform level.
- Dynamic widgets are only allowed among the first 10 widgets of the page on mobile, then, starting from the 11th widget, the type of widget must be static.
- The GIF format is not supported in the Image widget. If you insert a GIF file in the Image widget, iOS will show it because it supports the GIF format by default, but the same file will not be visible in the Android app.
- When configuring a Courses and Learning Plans widget, please note that the options in the Display Mode section are not supported on mobile. On the Go.Learn mobile app, the Load More button at the bottom of the widget is the only option that allows you to display extra results.
- Among course widgets, only Comments widget and Questions & Answers widget are supported by the mobile app.
External Link Pages
When navigating to an external page, the mobile app will open the page corresponding to the URL you have set when creating and configuring the external link page and it will display just the content of the page, while additional query parameters won’t be passed, additional HTTPS headers won’t be shown, and additional cookies won’t be used. Only cookies already associated with the page will be used (please note that these cookies have been created previously while navigating this page from the browser and not from the app).