A quick note on IBM Worklight. IBM Worklight is a core component of IBM Mobile Foundation, enabling enterprises to build, connect and manage mobile applications. The essence of the platform is to remove the overhead of building powerful mobile apps across different environments and to meet high-end enterprise needs. One of the top concerns of enterprises is security. What you see here are the four primary components of the platform, and each component plays a role in the overall security. When it comes to security, IBM has a comprehensive end-to-end solution for mobile security spanning mobile apps, devices and the network, but in this session we will focus on the WL platform and its approach to mobile security.
Let's dive into the security aspect of the platform. The way we address security is by creating and delivering secure mobile apps. There are two primary aspects to doing that. One is addressing mobile-specific security issues, and you will find there are mobile-specific security issues out there. The counterpart is taking advantage of the architecture of the mobile platform to deliver secure mobile apps.
Let's look at the WL runtime. This is a typical deployment: the WL server installed behind the firewall and mobile applications deployed on devices outside the firewall. In this case it doesn't matter whether the devices are employee owned, enterprise owned or consumer owned. There is a separation between the devices and the server component connected to the backend. There might be variations to this, but it is a typical deployment with the WL server protected. Let's look at what security in a mobile context means.
Here is a categorization of the different security issues faced by enterprises when they run mobile apps. A large number of security challenges are grouped into five categories: protecting data on the device; enforcing security updates; streamlining corporate governance; authentication; and finally the classic security threats that apply to mobile devices as well, such as man-in-the-middle attacks, SQL injection, etc.
Here we see a catalog of the security features that the WL platform provides and how they map to the categories outlined on the previous slide. Let's go through these in detail.
Let's review these and try to understand the challenges. Protecting data on the device: mobile apps give users access to sensitive data: passcodes, bank account details, transaction history, account details, the corporate data that keeps CIOs up at night. Mobile devices are a portal to this data and are subject to loss. Devices can be stolen. They are not immune to malware, especially jailbroken or rooted devices. Also, mobile applications have to function offline, so apps have to cache this data, which makes things even worse. So measures have to be taken to secure this on-device data. Jailbroken devices present a significant risk in terms of data security. Mobile users are still not at the point where they install malware detection software on their devices. One of the primary features is the encrypted offline cache. This creates a secured storage area where an application can store data to access it online or offline, and it prevents access to the data unless the user is authorized. We use AES 256-bit encryption to encrypt the data. The key is derived from the user-provided passcode and is not stored in plain text anywhere in memory. The server is responsible for generating the encryption key. The encrypted cache mechanism can also be used to validate users in offline mode. Other features include: integrity verification of the hybrid code, which makes sure that the application was not compromised after it was installed on the device. When the app starts it computes a checksum of its own JS resources and will refuse to run if it finds a checksum mismatch. App authenticity testing provides security measures against forged apps, so you can validate the originality of the app. Custom code can be included that tries to identify whether a device is rooted, and we integrate with such libraries.
The second category is enforcing security updates. It is not uncommon to find security issues or bugs after apps are released and installed on devices. Unlike web pages, where if you want to fix or change something all you need to do is put a new copy on the web server and the applications get it automatically, for downloadable apps users have to be proactive: look for the notification and manually download the fix from the app store or marketplace. Relying on users to do this is a challenge. For example, about a year ago a leading bank found a security issue in its mobile app but couldn't get its users to download the fix. They ended up sending letters in the mail for users to get the fix. We can't rely on users to get security updates. WL provides two features to help with this challenge: remote disable and direct update. Remote disable. Direct update:
Classic security threats such as man-in-the-middle attacks apply to mobile devices. The WL platform is deployed with several top-tier banks and has been tested by them. The client has been tested, the server has been tested. Overall we have validation from customers that the platform is secure. Communication from the app to the server is done over HTTPS, so data is encrypted to prevent tapping into the data stream between client and server. When a WL hybrid application initiates a procedure on the server, that procedure call will fail if the server doesn't present a valid certificate that matches the host name of the server. Code obfuscation is used to prevent reverse engineering of the code. We have a built-in audit trail in the server: every adapter procedure can be marked as audited, and the server will keep a log of requests made to that procedure.
We are used to web applications connecting to single sign-on and the like. Mobile apps do not come with such built-in infrastructure to make that happen; enterprises have to build it on their own. Applications are difficult to protect because passwords are more vulnerable in a mobile context. Unlike the PC, where you can type your password easily, mobile is different: you have a hard time typing a long password. [Which IBMers in this room can identify with.] The WL server provides a flexible framework to integrate with existing authentication infrastructure. The WL server manages state for each open session from the mobile app running on the device. An advanced feature of authentication is maintaining multiple authentication realms. For example, one client application can make calls to multiple backend systems, and the WL server can maintain a different authentication policy/token for each backend system. The openness: each customer can introduce a custom authentication mechanism. One of our customers created a custom keypad to prevent key-logging attacks. An image of a randomly ordered keypad is generated on the server and sent to the client. The user is presented with a PIN code entry pad. The client application has no information about the order of the keys. The client application passes the coordinates of the PIN code entries to the server, and the server validates them by comparing the PIN code with the image. Two-factor authentication is possible as well, and has been done using the device ID as a second factor by one of our customers.
Approving mobile apps in terms of security is not easy. Every time you release a new version you have to go through a set of tests and policies to ensure it complies with enterprise requirements. This can become a bottleneck. The core idea here is that the security organization within the enterprise goes through the rigorous approval process once, verifying that the policies are followed and so on, and then each application developed on the platform has to be checked for fewer things. Beyond that, the security organization can enforce use of a custom hybrid container that it has tested. This ties into the next slide.
Explain the custom shell. Release cycles can be shortened. One of our customers chose WL because of our ability to do this.
Security and Mobile Application Management with Worklight
Security and Mobile Application Management with Worklight
Miku Jha, Senior Solutions Architect, Worklight, an IBM Company
IBM Mobile Foundation (architecture diagram; caption: Mobile threats and IBM Mobile Foundation security). Components shown: Development Lifecycle Tools; IBM Worklight; IBM Endpoint Manager for Mobile Devices; CastIron Hypervisor Edition; Elastic Caching; Firewall or Security Gateway; SOA & Connectivity (Messaging, ESBs, Cloud Integration, Governance); Business Process Management; Decision Management; Social Software; Analytics; Enterprise Apps.
Components of the IBM Worklight Mobile Platform
• Worklight Studio: the most complete, extensible environment with maximum code reuse and per-device optimization
• Worklight Server: unified notifications, runtime skins, version management, security, integration and delivery
• Worklight Runtime Components: extensive libraries and client APIs that expose and interface with native device functionality
• Worklight Console: a web-based console for real-time analytics and control of your mobile apps and infrastructure
Worklight Security Focus: Support Creation and Delivery of Secure Mobile Apps
• Take advantage of platform architecture and mobile capabilities
• Address mobile-specific security issues
Security is a platform-wide consideration, relating to all components:
• Server
• Device run-time
• Studio
• Console
Taking Advantage of Platform Architecture and Mobile Capabilities
Platform architecture benefits:
– Combining server-side and client-side functionality to provide a comprehensive set of security features
– Opportunity to simplify the security approval process
Mobile capabilities:
– The device itself can be used as a second factor for user authentication (i.e., “what you have”)
– Use built-in support for secure communications
– Leverage security APIs when available (e.g., keychain services API, app signatures)
– Some app stores provide high confidence in app legitimacy
Worklight Runtime Architecture (diagram). Worklight Server: Server-side Application Code, Stats Aggregation, JSON Translation, Security and Authentication, Back-end Data Integration, Adapter Library, Unified Push Notifications. Device Runtime: Client-side Application Code, App Resources, Cross Platform Technology, Direct Update, Mobile Web Apps, Authentication, Post-deployment control, Diagnostics.
Mobile Application Security Objectives
Protect data on the device:
• Malware, Jailbreaking
• Offline access
• Device theft
• Phishing, repackaging
Enforce security updates:
• Be proactive: can’t rely on users getting the latest software update on their own
Streamline corporate security approval processes:
• Complex
• Time-consuming
Provide robust authentication and authorization:
• Existing authentication infrastructure
• Passwords are more vulnerable
Protect from the “classic” threats to the application security:
• Hacking
• Eavesdropping
• Man-in-the-middle
Security Features Mapping
Protecting data on the device: Encrypted offline cache; Offline authentication; Secure challenge-response on startup; App authenticity testing; Compatibility with jailbreak detection libs
Enforcing security updates: Remote disable; Direct update
Application Security: Proven platform security; SSL with server identity verification; Code protection
Streamlining corporate security processes: Mobile platform as a trust factor
Providing robust authentication and authorization: Auth integration framework; Data protection realms; Device provisioning
Protecting data on the device
Challenges: Malware, Jailbreaking; Device theft; Offline access; Phishing, repackaging
• Encrypted offline cache
• Offline authentication using password
• Extended authentication with server using secure challenge response (secure challenge-response on startup)
• App authenticity testing: server-side verification mechanism to mitigate the risk of phishing through repackaging or app forgery
• Compatibility with various jailbreak and malware detection libraries
Enforcing security updates
Challenge: can’t rely on users getting the latest software update on their own
• Remote Disable: shut down specific versions of a downloadable app, providing users with a link to update
• Direct Update: automatically send new versions of the locally-cached HTML/JS resources to installed apps
Middleware Security
Protecting from the “classic” security threats: Hacking; Eavesdropping; Man-in-the-middle
Features: Proven platform security; SSL with server identity verification; Code protection
• Proven platform security: tested by the most demanding customers (e.g., top tier banks)
• Client<->Middleware communications over HTTPS to prevent data leakage
• Fail on server certificate verification error
• Packaged JS code can be encrypted on desktop to make static analysis more difficult
• JS code integrity verification on startup
• SQL adapter designed to mitigate SQL-injection
• Built-in audit trail
Authentication and Authorization
Providing robust authentication and authorization. Challenges: need to integrate with existing authentication infrastructure; authenticate users when offline; mobile passwords are more vulnerable (keyboard more difficult to use, typed text is visible)
Features: Authentication integration framework; Data protection realms; Device provisioning
• Very flexible framework for simplifying integration of apps with enterprise identity & access management solutions
• Manages authenticated sessions with configurable expiration
• Open: e.g., custom OTP as anti-keylogger mechanism
• Server-side services grouped into separate protection realms for different authentication levels
• Secure device ID generated as part of extensible provisioning process
Simplifying corporate security processes
Streamlining corporate security processes. Challenge: mandatory approval processes that are complex and time-consuming
Feature: Mobile platform as a trust factor
• Objective: apps developed on the platform will be easier for the security group to approve
• Mechanisms: pre-approve the platform with the security group. Identify corporate-specific concerns and provide solutions within the platform framework.
• Result: release cycle for apps made by independent development groups within the organization significantly shortened.
Centralized Build System Provides Control Over Coupling of Shell and Inner App (diagram: Source Code Repository, Worklight Build System, “official” Android code-signing certificate and iOS bundle seed id)
Worklight Studio simplifies the reuse of custom containers across the organization
• One team creates a custom container (“Shell Component”) for extensive security certification
• Other teams create HTML-only “inner apps” wrapped in that container
Mobile Security Enabled with IBM Solutions
IBM brings together a broad portfolio of technologies and services to meet the mobile security needs of customers across multiple industries
• Application security: Worklight; IBM Rational AppScan
• Mobile device management: IBM Endpoint Manager for Mobile devices; IBM Hosted Mobile Device Security Management
• Secure enterprise access: IBM Security Access Manager
• Security Intelligence: IBM QRadar
The Difference Between Secure Apps and Device Management
Mobile Device Management (device-level control):
• Password protection
• File-system encryption
• Managed apps
• Jailbreak detection
Requires consent of user to have enterprise manage entire device
Application-Level Security (app takes care of itself):
• Authentication
• File encryption
• Remote administration
• Adaptive functionality
Applicable in all scenarios, including BYOD and consumer-facing contexts
Session Authentication Management, Step 1 – Unauthenticated Session
1. Client calls a protected procedure on the Worklight Server; access is denied because the session is unauthenticated or expired
2. Server requests authentication
Session:
• Created on first access from client
• Identified using session cookie
• Associated data is stored on the server
Session Authentication Management, Step 2 – Authentication
1. Obtain credentials from user and device
2. Forward credentials to the Worklight Server, which processes the authentication data
3. If necessary:
• Consult with authentication servers
• Perform device provisioning
• Receive authentication token
• Associate token with session
Session Authentication Management, Step 3 – Authenticated Session
1. Procedure call on authenticated session (authenticated token associated with session)
2. Access back-end service using authentication token
3. Procedure result
Session table (Session ID: Auth Tokens/State):
• 2bd4296a3f29: Realm 1: 25487, Realm 2: ------
• 25617ff82a90: Realm 1: ------, Realm 2: a6c9a
• 89a77921b02: Realm 1: 7b8df, Realm 2: 6a8a0
Deployment for SSO and Security Intelligence (diagram: Hybrid Mobile Apps based on WorkLight, with Hybrid App. and Worklight Runtime on the Mobile Device; SSL to a Security Proxy (IBM Security Access Manager) providing Risk Based Access and SSO; WorkLight Server (WAS w/ security) with Connectivity & Data to Enterprise Applications; IBM Endpoint Manager; Security Intelligence Platform)
Mobile Device Security Proxy:
• Risk based access decisions and authentication – context awareness
• Single SignOn and Federation – standards based support: OAuth, SAML, OpenID
• Added value through integration of the Security proxy with the Mobile application platform (Worklight) – offline authentication, secure cache, app authenticity, ...
Security intelligence with mobile context:
• Intelligence around malware and advanced threats in the mobile enabled enterprise
• User identity and device identity correlation, leading to behavior analysis
• Geo-fencing, anomaly detection based on device, user, location, and application characteristics