Security and Mobile Application Management with Worklight
1. Security and Mobile Application Management with Worklight
Miku Jha, Senior Solutions Architect
Worklight, an IBM Company
2. IBM Mobile Foundation
[Architecture diagram: mobile threats and IBM Mobile Foundation security. Components shown: Development Lifecycle Tools; Firewall or Security Gateway; IBM Worklight; IBM Endpoint Manager for Mobile Devices; CastIron Hypervisor Edition; Elastic Caching; SOA & Connectivity (Messaging, ESBs, Cloud Integration, Governance); Business Process Management; Decision Management; Social Software; Analytics; Enterprise Apps]
3. Components of the IBM Worklight Mobile Platform
• Worklight Studio: the most complete, extensible environment with maximum code reuse and per-device optimization
• Worklight Server: unified notifications, runtime skins, version management, security, integration and delivery
• Worklight Runtime Components: extensive libraries and client APIs that expose and interface with native device functionality
• Worklight Console: a web-based console for real-time analytics and control of your mobile apps and infrastructure
4. Worklight Security Focus: Support Creation and Delivery of Secure Mobile Apps
Two complementary aspects: take advantage of the platform architecture and mobile capabilities, and address mobile-specific security issues.
Security is a platform-wide consideration, relating to all components:
• Server
• Device run-time
• Studio
• Console
5. Taking Advantage of Platform Architecture and Mobile Capabilities
Platform architecture benefits:
– Combining server-side and client-side functionality to provide a comprehensive set of security features
– Opportunity to simplify the security approval process
Mobile capabilities:
– The device itself can be used as a second factor for user authentication (i.e., “what you have”)
– Use built-in support for secure communications
– Leverage security APIs when available (e.g., keychain services API, app signatures)
– Some app stores provide high confidence in app legitimacy
6. Worklight Runtime Architecture
[Diagram: Worklight Server (server-side application code, JSON translation, authentication, back-end data integration, adapter library, unified push notifications, app resources, stats aggregation, Direct Update, post-deployment control, diagnostics) and Device Runtime (client-side application code, cross-platform technology, mobile web apps, security and authentication)]
7. Mobile Application Security Objectives
Protect data on the device
• Malware, jailbreaking
• Offline access
• Device theft
• Phishing, repackaging
Enforce security updates
• Be proactive: can’t rely on users getting the latest software update on their own
Streamline corporate security approval processes
• Complex
• Time-consuming
Provide robust authentication and authorization
• Existing authentication infrastructure
• Passwords are more vulnerable
Protect from the “classic” threats to application security
• Hacking
• Eavesdropping
• Man-in-the-middle
8. Security Features Mapping
• Protecting data on the device: encrypted offline cache; offline authentication; secure challenge-response on startup; app authenticity testing; compatibility with jailbreak detection libs
• Enforcing security updates: Remote Disable; Direct Update
• Streamlining corporate security processes: mobile platform as a trust factor
• Providing robust authentication and authorization: device provisioning; authentication integration framework; data protection realms
• Application security: proven platform security; SSL with server identity verification; code protection
9. Protecting data on the device
Threats: malware, jailbreaking; device theft; offline access; phishing, repackaging
• Encrypted offline cache
• Offline authentication using password
• Extended authentication with server using secure challenge-response
• App authenticity testing: server-side verification mechanism to mitigate the risk of phishing through repackaging or app forgery
• Compatibility with various jailbreak and malware detection libraries
10. Enforcing security updates
Challenge: can’t rely on users getting the latest software update on their own.
• Remote Disable: shut down specific versions of a downloadable app, providing users with a link to update
• Direct Update: automatically send new versions of the locally-cached HTML/JS resources to installed apps
11. Middleware Security
Protecting from the “classic” security threats: hacking, eavesdropping, man-in-the-middle.
• Proven platform security: tested by the most demanding customers (e.g., top-tier banks)
• Client<->Middleware communications over HTTPS to prevent data leakage
• Fail on server certificate verification error
• Packaged JS code can be encrypted on desktop to make static analysis more difficult
• JS code integrity verification on startup
• SQL adapter designed to mitigate SQL injection
• Built-in audit trail
12. Authentication and Authorization
Challenges: need to integrate with existing authentication infrastructure; authenticate users when offline; mobile passwords are more vulnerable (keyboard more difficult to use, typed text is visible).
Features: authentication integration framework; data protection realms; device provisioning.
• Very flexible framework for simplifying integration of apps with enterprise identity & access management solutions
• Manages authenticated sessions with configurable expiration
• Open: e.g., custom OTP as anti-keylogger mechanism
• Server-side services grouped into separate protection realms for different authentication levels
• Secure device ID generated as part of an extensible provisioning process
13. Simplifying corporate security processes
Challenge: mandatory approval processes that are complex and time-consuming. Feature: mobile platform as a trust factor.
• Objective: apps developed on the platform will be easier for the security group to approve
• Mechanisms: pre-approve the platform with the security group. Identify corporate-specific concerns and provide solutions within the platform framework.
• Result: the release cycle for apps made by independent development groups within the organization is significantly shortened.
14. Centralized Build System Provides Control Over Coupling of Shell and Inner App
[Diagram: Source Code Repository → Worklight Build System, which holds the “official” Android code-signing certificate and the iOS bundle seed ID]
15. Worklight Studio simplifies the reuse of custom containers across the organization
• One team creates a custom container (“Shell Component”) for extensive security certification
• Other teams create HTML-only “inner apps” wrapped in that container
16. Mobile Security Enabled with IBM Solutions
IBM brings together a broad portfolio of technologies and services to meet the mobile security needs of customers across multiple industries
• Application security: Worklight; IBM Rational AppScan
• Mobile device management: IBM Endpoint Manager for Mobile Devices; IBM Hosted Mobile Device Security Management
• Secure enterprise access: IBM Security Access Manager
• Security intelligence: IBM QRadar
18. The Difference Between Secure Apps and Device Management
Mobile Device Management (device-level control):
• Password protection
• File-system encryption
• Managed apps
• Jailbreak detection
Requires consent of the user to have the enterprise manage the entire device.
Application-Level Security (app takes care of itself):
• Authentication
• File encryption
• Remote administration
• Adaptive functionality
Applicable in all scenarios, including BYOD and consumer-facing contexts.
20. Session Authentication Management
Step 1 – Unauthenticated Session
1. Client calls a protected procedure on the Worklight Server
2. Access is denied because the session is unauthenticated or expired; the server requests authentication
Session:
• Created on first access from client
• Identified using session cookie
• Associated data is stored on the server
21. Session Authentication Management
Step 2 – Authentication
1. Client obtains credentials from user and device
2. Client forwards credentials to the Worklight Server, which processes the authentication data
3. If necessary, the server:
• Consults with authentication servers
• Performs device provisioning
• Receives an authentication token
• Associates the token with the session
22. Session Authentication Management
Step 3 – Authenticated Session
1. Procedure call on an authenticated session (authenticated token associated with the session)
2. Worklight Server accesses the back-end service using the authentication token
3. Procedure result is returned to the client
Server-side session table (values as shown on the slide):
Session ID      Realm 1 token   Realm 2 token
2bd4296a3f29    25487           ------
25617ff82a90    ------          a6c9a
89a77921b02     7b8df           6a8a0
23. Deployment for SSO and Security Intelligence
[Diagram: hybrid mobile apps based on Worklight (hybrid app and Worklight runtime on the mobile device) → SSL → Security Proxy (IBM Security Access Manager: risk-based access, SSO) → Worklight Server (WAS with security) → enterprise applications, connectivity & data; IBM Endpoint Manager and the Security Intelligence Platform alongside]
• Risk-based access decisions and authentication – context awareness
• Single sign-on and federation – standards-based support for OAuth, SAML, OpenID
• Added value through integration of the security proxy with the mobile application platform (Worklight) – offline authentication, secure cache, app authenticity, ...
Security intelligence with mobile context:
• Intelligence around malware and advanced threats in the mobile-enabled enterprise
• User identity and device identity correlation, leading to behavior analysis
• Geo-fencing, anomaly detection based on device, user, location, and application characteristics
Editor's notes
A quick note on IBM Worklight. IBM Worklight is a core component of IBM Mobile Foundation, enabling enterprises to build, connect and manage mobile applications. The key essence of the platform is to remove the overhead of building powerful mobile apps across different environments and to meet high-end enterprise needs. One of the top concerns of enterprises is security. What you see here are the four primary components of the platform, and each component plays a role in the overall security. When it comes to security, IBM has a comprehensive end-to-end solution for mobile security spanning mobile apps, devices and network, but in this session we will focus on the WL platform and its approach to mobile security.
Let's dive into the security aspect of the platform. The way that we address security is by creating and delivering secure mobile apps. There are two primary aspects to doing that. One is addressing mobile-specific security issues, and you will find there are mobile-specific security issues out there. The counterpart of that is taking advantage of the architecture of the mobile platform to deliver secure mobile apps.
Let's look at the WL runtime. This is a typical deployment: the WL server is installed behind the firewall and the mobile applications are deployed on devices outside the firewall. In this case it doesn't matter whether the devices are employee-owned, enterprise-owned or consumer-owned. There is a separation between the devices and the server component connected to the back end. There might be variations to this, but it is a typical deployment with the WL server protected. Let's look at what security in a mobile context means.
Here is a categorization of the different security issues faced by enterprises when they run mobile apps. A large number of security challenges are grouped into five categories: protecting data on the device; enforcing security updates; streamlining corporate governance; authentication; and finally the classic security threats that are applicable to mobile devices as well, such as man-in-the-middle attacks, SQL injection, etc.
Here we see a catalog of the security features that the WL platform provides and how they map to the categories outlined in the previous slide. Let's go through these in detail.
Let's review these and try to understand the challenges. Protecting data on the device: mobile apps give users access to sensitive data such as pass codes, bank account details, transaction history and account details, the corporate data that keeps CIOs up at night. Mobile devices are a portal to this data and are subject to loss. Devices can be stolen. They are not immune to malware, especially jailbroken or rooted devices. Also, mobile applications have to function offline, so apps have to cache this data, which makes things even worse. So measures have to be taken to secure this on-device data. Jailbroken devices present a significant risk in terms of data security, and mobile users are still not at the point where they install malware detection software on their devices.
One of the primary features is the encrypted offline cache. This creates a secured storage area where an application can store data to access it online or offline, and prevents access to the data unless the user is authorized. We use AES 256-bit encryption to encrypt the data. The key is derived from the user-provided passcode and is not stored in plain text anywhere in memory; the server is responsible for generating the encryption key. The encrypted cache mechanism can also be used to validate users in offline mode.
Other features include integrity verification of the hybrid code, which makes sure that the application was not compromised after it was installed on the device: when the app starts it computes a checksum of its own JS resources and will refuse to run if it finds a checksum mismatch. App authenticity testing provides security measures against forged apps, so you can validate the originality of the app. Custom code can try to identify whether a device is rooted, and we integrate with such libraries.
The second category is enforcing security updates. It is not uncommon to find security issues or bugs after apps are released and installed on devices. Unlike web pages, where if you want to fix or change something all you need to do is put a new copy on the web server and the applications get it automatically, for downloadable apps users have to be proactive: look for the notification and manually download the fix from the app store or marketplace. Relying on users to do this is a challenge. For example, about a year ago a leading bank found a security issue in its mobile app but couldn't get its users to download the fix; they ended up sending letters in the mail asking users to get the fix. We can't rely on users to get security updates. WL provides two features to help with this challenge: Remote Disable and Direct Update.
Classic security threats such as man-in-the-middle attacks apply to mobile devices too. The WL platform is deployed with several top-tier banks and has been tested by them: the client has been tested, the server has been tested. Overall we have validation from customers that the platform is secure. Communication from the app to the server is done over HTTPS, so data is encrypted to prevent tapping into the data stream between client and server. When a WL hybrid application initiates a procedure on the server, that procedure call will fail if the server doesn't present a valid certificate that matches the host name of the server. Code obfuscation makes reverse engineering of the code more difficult. We have a built-in audit trail in the server: every adapter procedure can be marked as audited, and the server will keep a log of requests made to that procedure.
We are used to web applications connecting to single sign-on and things like that. Mobile apps do not come with such built-in infrastructure to make that happen; enterprises have to build it on their own. Applications are difficult to protect because passwords are more vulnerable in a mobile context. Unlike the PC, where you can type your password easily, on mobile you have a hard time typing a long password [which IBMers in this room can identify with]. The WL server provides a flexible framework to integrate with existing authentication infrastructure. The WL server manages state for each open session from the mobile app running on the device. An advanced feature of authentication is maintaining multiple authentication realms: for example, one client application can make calls to multiple back-end systems, and the WL server can maintain a different authentication policy and token for each back-end system. The openness: each customer can introduce a custom authentication mechanism. One of our customers created a custom keypad to prevent keylogging attacks. An image of a randomly ordered keypad is generated on the server and sent to the client, and the user is presented with a PIN code entry pad. The client application has no information about the order of the keys. The client application passes the coordinates of the PIN code to the server, and the server validates it by comparing the entered PIN with the image. Two-factor authentication is possible as well and has been done using the device ID as a second factor by one of our customers.
Approving mobile apps in terms of security is not easy. Every time you release a new version you have to go through a set of tests and policies to ensure it complies with enterprise requirements. This can become a bottleneck. The core idea here is that the security organization within the enterprise goes through the rigorous process of approving the platform once, verifying that policies are followed and so on. Each application developed on the platform then has fewer things to check. Beyond that, the security organization can enforce the use of a custom hybrid container tested by the organization. This ties into the next slide.
Explain the custom shell. Release cycles can be shortened. One of our customers chose WL because of our ability to do this.