Skip to content

Is SCORM Secure?

Mark Statkus edited this page May 27, 2015 · 9 revisions

I get asked often whether the Runtime API is secure.

The straight answer is no.

But, there are things that can be done on the platform side to mitigate some of the common issues we face.

  1. Bookmarklets or cheatlets These allow a student to inject code on your platform that connects to the Runtime API and in an automated fashion reports a good score and status. This gives the illusion that the student fulfilled the content. Common issue with this is if your content is more complex you may actually have reported objectives and or interactions, and possibly even have a false session time, or very short session time reported. Either way, there are data forensics here to review if a student truly took the content. The portal can block domain access for other scripts that get injected via XSS Cross-site Scripting. Just be aware there are older browser that ignore these protocols.
  2. Direct Console Interaction Modern browsers come with Inspectors which can be turned on for Developers. Unless you completely control you students access to the Learning Management Server, this allows students to attempt to directly issue SCORM commands against the Runtime API. Code can also be dropped in to detect these commands to halt direct communication with the Runtime API.

It's also important to understand there is more than one way to skin a cat. As parents and authorities install key-loggers, and other tools to effectively spy, restrict or obtain a report of the computer use, this can get flipped around on a teacher. Suddenly the password to the teacher keys, portal, spreadsheets etc. are now exposed and a student has the capability to adjust their grades.

Controlled Access

For some customers, the idea of creating a Shareable Content Object without any Digital Rights Management is a frightful concept. This intellectual property is commonly sold with a platform, or bundled and deployed to 3rd party platforms. You would have to go to other means to secure your content with access keys, which commonly means fulfilled cross-domain scripting, or referencing all your assets on a repository and locking it down that way.

Security through Obscurity

Lastly, its always a good idea to not directly call out correct answers in human readable formats. I've seen people place code directly in HTML which can be inspected for the correct answer. This is also true of XML, JS/JSON and CSV files. It does take extra steps to encode/decode and make your data models harder to read in a production environment, but it commonly is time well spent.