Mobile Foundation on IBM Cloud: Your Mobile App Security is Our Concern
By: THEJASWINI Ramachandra and Kavitha Varadarajan
Using Mobile Foundation to build hack-proof apps
Mobile app security no longer needs to be a battle of wits, with a hacker trying to find gaps and a developer trying to close them. The security features provided by Mobile Foundation on IBM Cloud simplify many aspects of mobile security, enabling developers to build hack-proof apps. Beyond security, Mobile Foundation also provides backend capabilities such as push notifications, app management, offline capabilities, and app, user, and business insights that facilitate the building of engaging apps.
Addressing security challenges
Mobile Foundation handles security holistically, covering the device, over-the-air, and server-side aspects. The following is a list of critical security requirements that Mobile Foundation addresses:
Avoid misuse and prevent unauthenticated or unauthorized users from accessing the mobile app. Some privileged operations also require additional security to ensure that only the intended users perform them. Coupling basic user ID and password authentication with another factor (e.g., biometrics) is becoming the norm for extra protection. The primary, step-up, and multi-factor authentication capabilities in Mobile Foundation allow only authenticated users to access the app and add security for privileged operations. Furthermore, the Mobile Foundation security framework is based on the OAuth standard and integrates easily with third-party identity management systems.
Comply with business requirements by preventing blacklisted users from accessing the app and by restricting each user to a single device. Blacklisting or whitelisting users and limiting a user to a single device can be performed from the Mobile Foundation Console.
Prevent apps running on hacked or jailbroken devices from accessing your company backend. Also, deny app access to stolen and lost devices. If a user reports the device as lost or stolen, the admin can select this device and mark it lost/stolen from the console to prevent it from accessing backend systems.
Disable an obsolete or compromised app version and move users to the latest version of the app. With Mobile Foundation, an administrator can remotely disable a specific version of an application and notify its users to download a new version. Users can also be advised of an upcoming change so that they are prepared to perform the update.
Prevent unauthorized parties from viewing or modifying network data passing between a mobile app and backend systems, which could compromise enterprise security. Certificate pinning in Mobile Foundation prevents man-in-the-middle attacks by binding the app on the device to the host's public key.
A mobile app, unlike its web counterpart, is downloaded onto the device. Hackers can download the app and reverse engineer its code to obtain the app's intellectual property and sensitive data. Mobile Foundation provides obfuscation capabilities to ensure that the app's web resources are not readable.
Tampering with an app to create morphed apps is a common practice to get access to sensitive backend data. Mobile Foundation App Authenticity Framework checks the authenticity of the connecting app to ensure only authentic company distributed apps can access the backend.
Without proper encryption, sensitive data stored on a compromised device is prone to theft and misuse. Leverage Mobile Foundation's secure offline storage capability to encrypt offline data on the device and securely sync it with the backend systems when connected.
Multiple apps from the same vendor may want to allow a user to sign into one application to access the other apps without signing in again as long as the sign-in token is valid. With the device SSO capability of Mobile Foundation, users can successfully sign on to one application on their device and also be authenticated on other applications on the same device.
Configuring security capabilities
We will walk you through the steps to configure some of the above-mentioned features with the help of a sample community Health App. Refer to the Getting Started section if you do not already have an instance of Mobile Foundation on IBM Cloud.
Security checks are the basic server-side building blocks of the Mobile Foundation security framework. A security check is a server-side entity that implements a specific piece of authorization logic, such as obtaining and validating client credentials. Resources are protected by assigning them a scope, and a scope maps to zero or more security checks. The same security check can be reused to protect different resources. The security framework grants access to a resource only to a client that passes all of the security checks in the protecting scope. Let's see how to configure security checks to satisfy your app security requirements.
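The scope-to-security-check model described above, written out as a small added illustration (this is a constructed model of the semantics, not Mobile Foundation's own API or code); the check names, scopes, resource paths and the blocked device ID are all assumptions chosen for the community Health App scenario:

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample: devices an administrator has marked lost/stolen in the console.
BLOCKED_DEVICES = {"dev-lost-0042"}


@dataclass
class ClientContext:
    """What the server knows about the connecting client (constructed for this example)."""
    user: Optional[str] = None
    password_ok: bool = False        # primary factor validated
    second_factor_ok: bool = False   # step-up factor (e.g. biometrics) validated
    device_id: str = ""


# A security check is a named predicate over the client context.
# Each check is defined once and reused by several scopes below.
SECURITY_CHECKS: Dict[str, Callable[[ClientContext], bool]] = {
    "UserLogin": lambda c: c.user is not None and c.password_ok,
    "SecondFactor": lambda c: c.second_factor_ok,
    "DeviceNotBlocked": lambda c: c.device_id not in BLOCKED_DEVICES,
}

# A scope maps to zero or more security checks; "prescribe" is a step-up scope
# that adds a second factor on top of the checks "patientRecords" already uses.
SCOPES: Dict[str, List[str]] = {
    "public": [],
    "patientRecords": ["DeviceNotBlocked", "UserLogin"],
    "prescribe": ["DeviceNotBlocked", "UserLogin", "SecondFactor"],
}

# Each protected resource is assigned exactly one scope (hypothetical paths).
RESOURCES: Dict[str, str] = {
    "/clinics": "public",
    "/records": "patientRecords",
    "/prescriptions": "prescribe",
}


def failed_checks(resource: str, ctx: ClientContext) -> List[str]:
    """Return the names of the checks in the resource's scope that the client fails."""
    scope = RESOURCES[resource]
    return [name for name in SCOPES[scope] if not SECURITY_CHECKS[name](ctx)]


def is_authorized(resource: str, ctx: ClientContext) -> bool:
    """Access is granted only when every check of the protecting scope passes."""
    return not failed_checks(resource, ctx)
```

A real deployment would return the failed check names to the client as the challenge it must satisfy before retrying, which is how step-up authentication is triggered.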
Join the conversation to discuss this and other Mobile Foundation Service topics in our dedicated Slack channel.