Secure enterprise apps

You can use app wrapping and the app SDK to implement MaaS360® Application Security on your enterprise apps.

App wrapping and the app SDK work well for apps that are developed for your enterprise: you control the app development plan and strategy, and you control the artifacts that are needed for wrapping and signing. Even apps that are developed by another company can be wrapped and signed with your code signing certificate.

App wrapping

App wrapping unwraps the app, injects MaaS360 container security code, and rewraps the entire package. MaaS360 performs this process automatically after the app is uploaded to the IBM® MaaS360 Portal and the administrator selects the App Wrapping option.

To rewrap your app, MaaS360 needs the following platform-specific artifacts for packaging and signing apps:

  • iOS: iOS provisioning profile, code signing certificate, and credentials
  • Android: Keystore file, keystore alias name, and credentials

Because you need these artifacts, you can wrap only enterprise and native apps. Public, third-party apps cannot be wrapped because their developers do not usually share the code signing certificates and credentials that rewrapping requires.

The app wrapping process

App wrapping summary

  • MaaS360 adds a security layer to enterprise apps (iOS and Android) by injecting code and rewrapping the apps.
  • Requires no code changes by the developer. The security layer is added automatically by MaaS360 on demand.
  • Requires code signing certificates and keystore credentials to sign the app after the code injection.
  • Supports private, enterprise, native, and hybrid apps.

App SDK integration

For app SDK integration, the MaaS360 App Security Software Development Kit (SDK) is used in the app code during the development process. You have more flexibility and control over how the app security features work in your app. App SDK integration provides the same features as app wrapping, plus some additional features.

The following diagram outlines the app SDK integration process:

App SDK integration process

App SDK integration summary

  • Requires app developers to integrate the MaaS360 App Security SDK during app development.
  • Offers granular controls over security features.
  • Offers more APIs than app wrapping (for example, you can fetch MaaS360 user and device data for apps to use).
  • Supports both native and hybrid apps.

Table 1. Device and user identity and access

| Feature name | Feature description | Benefit | iOS Native SDK | iOS Cordova SDK | Android Native SDK | Android Cordova SDK | iOS Wrapping ** | Android Wrapping ** |
|---|---|---|---|---|---|---|---|---|
| Get user and device information | Allows the SDK to obtain information about the device and user that includes Device UDID, MaaS360 Device ID, User name, Access Groups, Email Address, Compliance Status, and Out of Compliance reasons (if applicable). | Provides unique identification details about the user and the device. | Yes | Yes | Yes | Yes | N/A | N/A |
| Single sign-on (access control across apps) | Allows the user to use a single PIN to access any app that is built by the same developer. | Users sign on with a simple container PIN and stay logged in until the login time lapses. | Yes | Yes | Yes | Yes | Yes | Yes |
| User custom attribute support | Allows custom user-level attributes to be defined and propagated to the app. | Enterprises define custom attributes for users that are used across apps. | Yes (Note A) | Yes (Note A) | Yes | Yes | | |
| Shared device support | Allows the user to access the app only when the user is signed in, and prevents the user from accessing the app when the user is signed out. | Makes sure that data is secure when multiple users share a single device. | Yes (Note B) | Yes (Note B) | Yes | Yes | | Yes |

Table 2. Security and compliance

| Feature name | Feature description | Benefit | iOS Native SDK | iOS Cordova SDK | Android Native SDK | Android Cordova SDK | iOS Wrapping ** | Android Wrapping ** |
|---|---|---|---|---|---|---|---|---|
| Compliance enforcement | Sets up policies for user and device compliance and enforces restrictions on apps for non-compliant devices. | Detects user and device compliance events and automatically enforces restrictions on apps, such as blocking user access to an app. | Yes | Yes | Yes | Yes (Note C) | Yes (Note D) | Yes |
| Location and time-based policies | Defines location and time boundaries for using an app. | Allows or blocks users from accessing an app based on time and location. | | | Yes | Yes | | Yes |
| Restrict access on jailbreak | Detects jailbroken devices and restricts user access to an app. These APIs are enforced automatically by the app SDK, or the SDK provides delegate callbacks on these events for the app to implement. | Detects jailbreaks and immediately restricts the user from accessing an app. | Yes | Yes | Yes | Yes (Note C) | Yes | Yes |
| Restrict access after long periods of inactivity | These APIs are enforced automatically by the app SDK, or the SDK provides delegate callbacks on these events for the app to implement. | Enforces authentication to an app after a specified login period expires. | Yes | Yes | Yes | Yes | Yes | Yes |
| Restrict access on selective wipe | These APIs are enforced automatically by the app SDK, or the SDK provides delegate callbacks on these events for the app to implement. | Sends an alert when the admin starts a selective wipe to protect or delete corporate data within the app. | Yes | Yes | Yes | Yes (Note C) | Yes | Yes |

Table 3. Data protection features

| Feature name | Feature description | Benefit | iOS Native SDK | iOS Cordova SDK | Android Native SDK | Android Cordova SDK | iOS Wrapping ** | Android Wrapping ** |
|---|---|---|---|---|---|---|---|---|
| Data at rest encryption | Enforces maximum security for the app data at rest. Encrypts the app data for more security. | Encrypts the metadata for the app, the app database, and all the files that are in use for the app. | Yes | Yes (Note E) | Yes | Yes (Note F) | Yes | Yes |
| Advanced encryption handling | Encrypts an app that uses a container PIN. | Provides simpler key handling for encryption. | Yes | Yes | Yes | Yes | Yes | |
| Encrypted inter-app data transfer with MaaS360 | Encrypts and transfers data between MaaS360 and the app securely without the possibility of man-in-the-middle attacks. | Encrypts data while in transit between MaaS360 and the apps on the device. | Yes | Yes | Yes | Yes | Yes | |
| Restrict cut, copy, or paste | Allows cut, copy, or paste only within the set of containerized apps. | Restricts the user from copying or pasting documents from within the container to a personal app. | Yes | Yes | Yes | Yes (Note G) | Yes | Yes |
| Restrict screenshot | Restricts the user from taking a screen capture of the device. | Protects sensitive data from leaking through screen captures. | N/A (Note H) | N/A | Yes | Yes (Note J) | N/A (Note H) | Yes |
| Restrict import from camera or gallery | Restricts the user from using the camera or importing images from the Gallery into the app. | Isolates work apps from personal images and data. | | | Yes | Yes | | Yes |
| Restrict import from SD card | Restricts the user from importing content from the SD card into the app. | Isolates work apps from extraneous content that is stored on the SD card. | N/A | N/A | | | | Yes |
| Restrict file import | Restricts the importing of files from other apps into the containerized app. | Prevents users from importing non-work related documents into the containerized app. | | | Yes | Yes | | Yes |
| Filter notifications if container is locked | Prohibits notification messages from the app when the container is locked, preventing data leakage. | Blocks sensitive notification messages from displaying on the screen if the container is locked. These notifications are displayed when the user unlocks the container. | | | Yes | Yes | | Yes |
| Allow file import from set of allowed apps | Allows the importing of files from a select list of allowed apps, as defined in the policy. | Allows users to import documents from a select list of trusted apps into the containerized app. | | | Yes | Yes | | |
| Restrict file export | Restricts the exporting of files to allowed apps only. (The SDK provides a separate interaction controller to handle this action.) | Prevents the leakage of files and allows files to be opened in a set of allowed and containerized applications. Users cannot export files to other apps. | Yes | Yes | Yes | Yes (Note J) | Yes | Yes |
| Restrict printing | Restricts the printing of files, if enabled. | Prevents leakage of data from printing. Users cannot print from the wrapped app. | Yes | Yes | Yes | Yes | Yes | Yes |
| Certificate pinning | Validates that the trusted CA public certificates match the certificates that are pinned by the app. | Protects apps from fraudulent certificates. | | | Yes | Yes | | Yes |

Table 4. Enterprise Gateway features

| Feature name | Feature description | Benefit | iOS Native SDK | iOS Cordova SDK | Android Native SDK | Android Cordova SDK | iOS Wrapping ** | Android Wrapping ** |
|---|---|---|---|---|---|---|---|---|
| Per-app VPN | Establishes the gateway access for the app to access resources behind the corporate firewall. | Provides app-level intranet access without a device-level VPN. Encrypts data in motion. Reduces VPN traffic since only corporate apps fetch data through the gateway, while all personal apps directly access the internet. | Yes | Yes | Yes | Yes | Yes | Yes |
| Regional gateway support for per-app VPN | Uses a regional MaaS360 gateway for the per-app VPN based on the geographic location of the user. | Allows users to access data faster due to reduced network latency. | Yes | Yes | Yes | Yes | Yes | Yes |
| Corporate Network Detect | Uses direct access and skips the per-app VPN in the corporate network. | Allows users to access data faster through direct access to corporate resources while in the corporate network. | Yes | Yes | | | Yes | Yes |
| Identity Certificate for direct gateway | Allows Identity Certificate validation by a load balancer during SSL negotiations. | Validates an identity certificate from the device by using a direct gateway setup with a load balancer. | | | Yes | Yes | | Yes |

Table 5. App configurations and app security

| Feature name | Feature description | Benefit | iOS Native SDK | iOS Cordova SDK | Android Native SDK | Android Cordova SDK | iOS Wrapping ** | Android Wrapping ** |
|---|---|---|---|---|---|---|---|---|
| App configuration | A configuration file with required inputs is passed from MaaS360 and delivered securely to the app. | Provides a better user experience because the app is preconfigured. | Yes | Yes | Yes | Yes | N/A | N/A |
| App authenticity | Validates the app signature before an app accesses the MaaS360 container. | Makes sure that tampered or malicious apps do not gain access to the container. | | | Yes | Yes | | Yes |

Table 6. Interaction with MaaS360 WorkPlace

| Feature name | Feature description | Benefit | iOS Native SDK | iOS Cordova SDK | Android Native SDK | Android Cordova SDK | iOS Wrapping ** | Android Wrapping ** |
|---|---|---|---|---|---|---|---|---|
| Send MaaS360 email | Provides an interaction controller that is used to send email through MaaS360 Secure Mail with or without attachments. | Allows users to send email from your app with MaaS360 Secure Mail. | Yes | Yes | Yes | Yes | N/A | N/A |
| Open document directly in Secure Viewer | Provides the option for developers to open documents directly in the Secure Viewer, since Android does not provide a viewer. | Enables developers to easily provide document views within apps that use the MaaS360 SDK. | N/A | N/A | Yes | Yes | N/A | Yes |
| Save documents in MaaS360 app | Provides an interaction controller for the app to allow users to save the document securely in the MaaS360 app. | Users can save documents from any app into the My Docs section of the container. | Yes | Yes | Yes | Yes | N/A | N/A |
| Open links in MaaS360 Secure Browser | Allows users to open links from apps in the MaaS360 Secure Browser. | Users are directed to the MaaS360 Secure Browser to open URLs present in apps, including intranet sites without a device-level VPN. | Yes | Yes | Yes | Yes | | |
| Browse in MaaS360 Docs | Provides an interaction controller for the app to allow users to browse documents securely from MaaS360 Docs. | Users can browse documents in MaaS360 Docs from any app securely. | | | Yes | Yes | | Yes |
| Edit documents in MaaS360 Secure Editor | Provides an interaction controller for the app to allow users to edit the document securely in the MaaS360 Secure Editor. The SDK handles the transfer of the document to the editor and the receiving of the document from the editor when the edit is complete. | Allows users to edit a document directly inside the container by using the MaaS360 Secure Editor. | Yes | Yes | Yes | Yes | | Yes |

Table 7. Notes and symbols

| Note | Description |
|---|---|
| A | Can be used with app configuration |
| B | Requires app reconfiguration |
| C | Selective wipe action by MaaS360 app only. No delegate callbacks. |
| D | Only for selective wipe events |
| E | Provided by iOS. JSON database encrypted by Worklight. |
| F | Files and text encrypted by MaaS360. JSON database encrypted by Worklight. |
| G | By extending the MaaS360WLDroidGap class |
| H | Available by using MDM |
| J | By extending the MaaS360WLDroidGap class |
| N/A | Not possible, or not made available by the OS |
| ** | Wrapping support for iOS Cordova-based apps is at parity with SDK-integrated apps, while wrapping is not currently supported for Android Cordova-based apps. |