Using the App

Owned by Theresa Baker (Unlicensed)
Last updated: Apr 25, 2023 by Madison Lethebe
10 min read

Getting Started

  1. Log into REDCap and select your correlating project from your “My Projects” page.
  2. Grant mobile apps rights. Locate the Applications features on the left sidebar. Choose the User Rights application and add REDCap Mobile App rights for yourself or another appropriate user. By rule, you will now be able to download the full data set and request an API token regardless of previous permissions levels.
    • The ‘REDCap Mobile App’ user right allows users to:
      • Set up the project inside the Mobile App on your device.
      • Collect data which is stored locally on the device.
      • Sync that data back to this project on the REDCap server.
      • The REDCap Mobile App section is where users can view the App log and file archive.

    •  The ‘Allow user to download data for all records to the app?’ user right allows users to:

      • Download records from the server to the app.
      • Unchecking this privilege prevents users from unwittingly (or wittingly) downloading lots of sensitive data to their mobile device.
      • If a user is given this privilege, then when they initialize the project in the App and the project contains at least one record, then the App will prompt the user to choose if they wish to download all the records to the App or not.
  3. Request token and get app access code. Click the REDCap Mobile App link on the sidebar and request an API token. Once the token is created, return to that page (or refresh the page). A QR code is now available under the Initialize Project in Mobile App tab. If you have trouble with the QR code, click the “Can’t get the QR code to work?” link to access a 10-character access code that can be entered manually.

  4. Download and open the app on your device. Download the Mobile App on your iOS or Android device by searching the App Store or Google Play Store for 'REDCap' on your mobile device to find the app there to download.  The app is available for the following platforms: iOS 6.0 or later (iPhone 4 and up, iPad 2 and up) and Android 4.3 or later (phones and tablets). Below are the links for downloading the app from the Apple App Store or from the Google Play Store (depending on what type of mobile device you have).

  5. Set up the project. Click the ‘Set Up Mobile Project’ button.

    • Optionally downloading data: In addition to the data collection instruments, you can choose whether you want to download data from the project or not. This process happens while online immediately after adding or resynchronizing the mobile project. When resynchronizing a mobile project on the REDCap Mobile App, all existing data for that project on the app will be deleted. (This will not affect any other projects that you have added in the app.)

  6. Provide the code. Click the Scan QR Code and Initialize button. Scan the QR code that you see displayed or enter the 10-character access code here. If correct, either will grant you access to the project which has now been replicated on your device for offline data collection.

Data Collection

With the project in place, you can begin data collection for both new and existing records.

  • Tap the Collect Data button and choose an instrument and a record. (This selection order is slightly different for classical projects, one-armed longitudinal projects, and multi-armed longitudinal projects.)
  • If this is a new record, you must choose the first instrument. If this is a new record on a project without auto-numbering enabled, you will also have to choose a record name.
  • Enter data and set the form status at the bottom as needed.
  • Save your data in one of three ways:
  • Save Record (to save data entered and return to the records list)
  • Save and Continue (to save data entered and remain on the same screen)

Save and go to Next Instrument (to save data entered and move on to the next instrument in sequence)

Data collection features:

  • Besides free text and structured data entry, pictures, videos, and audio can be uploaded into designated file fields. Signatures can be captured as well.
  • Records can be renamed on the first form. Note that renamed records will appear as new records when uploaded to the main database, so you will need to delete the original record there to complete the replacement process.
  • Instruments can be secured so that participants/users will only have the option of entering data (and not traversing the rest of the app, which can jeopardize confidentiality). They can be unlocked via the primary user's pin.
  • The amount of data collection is only restricted by what your device's hard drive will allow.
  • All data collection can be offline – without Internet access.

Sending Data

When back online, you can send data to the project’s REDCap server. This will coordinate the mobile device’s data with the main REDCap project. If record names or data values conflict, you will be given the opportunity to make adjustments before completing the upload. If the instruments themselves have been modified significantly in the main REDCap project since REDCap Mobile App project setup, you will not be able to complete the upload.

  • In the app, click on Send Data to Server.
  • Click the Begin Send button.
  • New records will be added to the main REDCap project immediately if no conflicts exist or if conflicts exist but are automatically resolved by the app.
    • If there are no duplicate record names/numbers,recordswilluploadwiththenames/numbersassignedattheapp.
    • If auto-numbering is enabled and there is a record name conflict, REDCap will automatically update the record numbers to the next numerical series of numbers before uploading and provide details on the app page.
    • If auto-numbering is not enabled, a new ID number is suggested but can be modified unless its name conflicts with a new record on the server.
  • Existing records that have been modified on the app will have modifications detailed on the app page.
    • An option to send the data to the server for each modified record appears, as well as the opportunity to view details of the differences between server data and app data for that record. Individual field values can be selected from the details (i.e., server vs. mobile device).
    • Each record that has been modified is usually auto-filled with a “Yes” response to the “Send data to the server?” question. If after reviewing the scheduled changes for that record, you decide not to make the update, change the response to “No” to remove it from the upload queue.
    • To choose field-level changes, click on the cells that have the information you want to enter for the record. You can choose from either the app side or the server side of the table.
    • Special scenarios to note:
      • If a record is deleted from the main project after it has been replicated in the app and a change was not made to the app record, the record will not upload from the app to the project as a replacement. You will not receive a notification from the app or server that the original record has been deleted.
      • If a record is deleted from the main project after it has been replicated in the app and a change was made to the app record, you will receive a notification and option to change the ID number and upload as a new record, or not to upload the record at all.
      • If a record is deleted from the app, it will not be deleted from the server after data syncing. You may only delete records from the main project on the server.
      • For cases where auto-numbering is disabled, if a new record was entered on the server with the same ID as a new record entered on the app, you are given the options to merge the data, to upload the app data with a new ID, or not to upload the data.
      • Click Send Records with Changes to complete data upload when ready.
      • Click Clean & Reset Mobile Project (recommended) to remove old mobile data and replace with the most current project information from the main REDCap project, or choose Back to Project to continue working with the same data. If you choose Back to Project, uploaded data will no longer be marked as new or modified; that is, it will no longer be queued for upload.

Emergency Data Dump

When something prevents the app from sending data back to the server normally, use the “Send Emergency Data Dump” option to send data to the server as a CSV file.

The file will show up under Mobile App File Archive tab, ready for import.

Activity Logs

Mobile App Log: Project log for activity on the REDCap Mobile App is stored in the main project Mobile App File Archive. These can be transmitted to the server (for one given project) via the Send Project Logs button on the Project menu.

The file will show up under Mobile App File Archive tab.

REDCap Mobile App Dashboard tab displays a log of all mobile app related activity.

SECURITY

Security Features

  • Secure Data Transmission: Data is transmitted securely to and from the REDCap server via SSL (https) if it is set up on the server. If SSL is not set up on the server, the REDCap Mobile App will alert the user when the project is downloaded.
  • Device’s Hard Drive: The database is encrypted on the mobile device's hard drive using SQLCipher (public key/private key encryption). This prevents someone from breaking into the file in the event of a stolen device.
  • Application: A login with a 6-digit pin is required to access the application. Five login attempts areallowedbeforelockout, and a 15-minute lockout period is initiated. When the application is sent to the background or is cloaked with a screen saver, the pin is required again to access the application if a user is logged on. Similar log in attempt rules and lockout rules apply when the user reenters the application.
  • Instrument: The Secure the Instrument feature restricts access by a participant to a single form. Enabling this feature allows you to hand over the device to a participant to enter information directly, but locks the participant out of the rest of the application as well as other forms. REDCap Mobile App user’s 6-digit pin is required to unlock the form. Similarly, the 6-digit pin isrequiredtoreenter the form if the participant minimizes the application or if a screen saver interrupts form entry.
  • Logs: Project logs for activity on the REDCap Mobile App are stored in the database’s Mobile App File Archive. These can be transmitted to the server (for one given project) via the Send Project Logs button on the Project menu. These logs record data creation, modifications, and uploads; renaming, deletion, and viewing of records; and downloads of project instruments and records.

Additional Security Information

Secure Data Transmission

SSL/HTTPS: All data in the REDCap Mobile App that is downloaded from or uploaded to a REDCap server is transmitted using the REDCap API, which is a RESTful web service API. Therefore, as with all REDCap API requests, data transmitted to/from the app is done using a secure, encrypted transmission (SSL/HTTPS). For increased security, the app additionally verifies the SSL certificate of the REDCap server that it is communicating with in order to validate the server’s identity. By verifying the SSL certificate of the REDCap server, this precludes the possibility of a so-called “Man in the Middle” attack during data transfer. If the REDCap server does not have a signed certificate from a Certificate Authority (CA) – either it is not using SSL or instead has a self-signed SSL certificate - then a warning popup will appear to the user in the REDCap Mobile App whenever sending data to/from the REDCap server. This will ultimately not prevent the user from proceeding with an insecure data download/upload, but it will strongly encourage them to wait and try to find a safer connection at a later time before proceeding. Note: Users connecting to a REDCap server with a self-signed SSL certificate will receive this warning every time.

Secure Data Storage

Encryption: The REDCap Mobile App employs encryption-at-rest on the mobile device’s hard drive so that all important data and information stored on the device is properly protected from unauthorized or malicious users. Encrypting the REDCap data on the device prevents any unauthorized users from accessing data in the app, even if they were to gain access to the device’s file system in some way (whether using a direct hardware connection or via other software on the device). All user PINs are ciphered using SHA cryptography, and all stored REDCap data values (potential PHI or PII), API tokens, and REDCap app logs are encrypted using AES encryption standard on the mobile device’s hard drive. The encryption keys are stored in iOS’s Keychain and Android’s KeyStore, which is standard practice for achieving the highest level of security for encrypted data stored in iOS and Android. Note about external/detachable drives: The REDCap Mobile App does not allow any data to be stored on external hard drives (e.g., USB Flash drives) connected to the mobile device. To maintain the greatest level of security, the app only allows the device’s internal hard drive to be used for data storage.

Built-in Safeguards to Prevent Unauthorized Access

Username and PIN: Each user on the REDCap Mobile App has a username and four-digit PIN that is used to authenticate the user before accessing their REDCap projects and data in the app. User PINs are ciphered using SHA cryptography and stored in the app’s local database on the mobile device. For additional security purposes, the app only allows five login attempts within a fifteen minute window (across all users), after which the user gets temporarily locked out. This severely restricts any unauthorized user from gaining access to someone’s account in the app.

Remote Lockout: In certain situations, it may be necessary to remotely lock out a person so that they cannot (or no longer) access the data stored in the app or to prevent them from downloading or uploading data to the REDCap server from the app. Such situations would assume that 1) they have direct physical access to the mobile device, and 2) they know the PIN for accessing a user’s account on the app. If this occurs, the person whose REDCap account is connected to the device will need to go to the REDCap server to have their API token revoked for each project that has been initialized in the app. This can be done by the users themselves on the REDCap Mobile App page in the project (on the REDCap server). Once their API token has been deleted or regenerated, the person with unauthorized access to the app will no longer be able to download data from or upload data to the REDCap server for that project in the app. Furthermore, if the app is “online” (detects that it has WiFi or cellular connectivity), then the app will check if the API token for the project is still valid. And if not, it will additionally prevent the unauthorized user from even accessing the project in the app, thus preventing them from viewing or accessing the REDCap data currently stored in the app. In this way, the remote lockout feature provides yet another way for users to protect their data, both on the REDCap server and in the app.