The Bevi machines contain an embedded Android tablet. From the tablet we post regular events to our backend at https://well.bevi.co. Every now and then, we upgrade our app; the upgrade downloads an APK from the same backend at https://well.bevi.co or from https://bevi-static.nyc3.digitaloceanspaces.com. The tablet always calls out to the cloud; we do not call the tablet directly. We use the data to tell when the machine needs servicing and to find out which flavors are most popular.
The tablets themselves can connect via Ethernet, WiFi or cellular. For WiFi we use the stock Android WiFi configuration support and can support WPA/WPA2 PSK and other types of security. We use standard HTTPS over port 443. We rely on a regular internet connection that keeps working long term without manual intervention.
The Bevi machine makes outbound GET/POST HTTP requests to:
- https://well.bevi.co
- https://bevi-static.nyc3.digitaloceanspaces.com
- https://bevitouchless.co and wss://bevitouchless.co
- https://bevipay.co in case the Bevi uses QR payments
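
One way a network team could check firewall or proxy logs against the endpoint list above (an added example, not Bevi's code; the log format, the IP addresses and the `audit` function are constructed for illustration):

```python
# Hosts taken from the list above; all are expected on port 443 only.
ALLOWED_HOSTS = {"well.bevi.co", "bevi-static.nyc3.digitaloceanspaces.com",
                 "bevitouchless.co"}
QR_PAYMENT_HOST = "bevipay.co"  # listed only for machines using QR payments
ALLOWED_PORT = 443

# Constructed sample log, assumed format: "<time> <IN|OUT> <device_ip> <peer>:<port>"
SAMPLE_LOG = """\
2024-05-01T09:00:01Z OUT 10.20.30.40 well.bevi.co:443
2024-05-01T09:00:07Z OUT 10.20.30.40 bevi-static.nyc3.digitaloceanspaces.com:443
2024-05-01T09:01:12Z OUT 10.20.30.40 BeviTouchless.co.:443
2024-05-01T09:02:30Z OUT 10.20.30.40 bevipay.co:443
2024-05-01T09:03:02Z OUT 10.20.30.40 well.bevi.co:80
2024-05-01T09:04:44Z OUT 10.20.30.40 well.bevi.co.updates.example:443
2024-05-01T09:05:10Z IN 10.20.30.40 10.20.30.99:8080
2024-05-01T09:06:00Z OUT 10.20.30.77 intranet.example:443
"""


def audit(log_text, device_ip, qr_payments=False):
    """Return (line_number, reason) for each log line that contradicts the page."""
    allowed = ALLOWED_HOSTS | ({QR_PAYMENT_HOST} if qr_payments else set())
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) != 4 or fields[2] != device_ip:
            continue  # malformed line, or traffic belonging to another device
        _, direction, _, peer = fields
        host, _, port = peer.rpartition(":")
        host = host.lower().rstrip(".")  # normalise case and trailing dot
        if direction == "IN":
            # The page states the machine needs no inbound connections.
            findings.append((n, "inbound connection to the machine"))
        elif host not in allowed:
            # Exact match, so look-alike names with an allowed prefix still fail.
            findings.append((n, f"undocumented destination {host}"))
        elif port != str(ALLOWED_PORT):
            findings.append((n, f"documented host on port {port}"))
    return findings


if __name__ == "__main__":
    for n, reason in audit(SAMPLE_LOG, "10.20.30.40"):
        print(f"line {n}: {reason}")
```
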
What kind of data does the device send back to Bevi?
We track anonymous user interactions, dispense data and hardware sensor readings. We use the machine's usage data to track consumable levels so that we know when to restock the Bevi. The data is sent to our cloud infrastructure in JSON format in POST requests.
Does the device allow remote access over the internet, typically done through a reverse proxy type of connection?
No, the Bevi machine only makes outbound requests to our cloud infrastructure. No inbound requests or port opening are required for the Bevi machine.
Does the device have any open ports that could be reached from our network?
The Bevi machine only makes outbound requests to our cloud infrastructure. No inbound requests or port opening are required for the Bevi machine.
Is the device running a full OS, and if so, which one?
The Bevi machine runs a version of Android, based on AOSP.
How does patching/updating of the device take place?
We do periodic updates to our applications. These are done OTA when the Bevi machine connects to our cloud infrastructure.
Were secure coding practices used, and if so, how is security done? Have any audits been done by a 3rd party against the device?
No audits have been done by a 3rd party. When implementing new features we have standard practices to ensure we do not introduce security vulnerabilities. We regularly update third-party software libraries we use. We follow security bulletins and patch high-risk items.