Security – A Layer in the Mobile Ecosystem

Successful Mobile Solutions are often praised for their simplicity and intuitiveness. While this is true, that part of the solution is only one component of the entire ecosystem. Mobile Solutions are very much like icebergs, where the Presentation Layer (often referred to as the App) is the tip of the iceberg. Although this analogy has been overused over the years, I find it to be a very accurate representation of a comprehensive Mobile Solution. Under the surface of a successful App or series of Apps we often find well-thought-out Application Distribution and Delivery, Service & Integration, as well as Structured Data and Infrastructure Layers. All these components together make up a great Mobile Solution. Picture the iceberg again, and I am sure you will imagine the water around it; that is the Security Layer, something I have been covering in my most recent posts.

Although I could go into great detail about any one of the layers mentioned above, it is the security layer that most of my posts over the last few weeks have emphasized, and the one I want to close out on today. In order to have a great solution, we need to identify the right combination of people, processes and technology, and I realized that most of my posts speak to the process and people aspects of security and omit the technology aspect.

One of the reasons for omitting technology is that there are several great solutions in the marketplace, and narrowing my security recommendations down to just a few would not do the marketplace justice. Picture Mobile Security as being like the home screen of your phone: if your phone is like mine, no two apps are built by the same company (unless you count the text and phone apps), because we look for best-in-class solutions that help us solve our unique needs. The Mobile Security marketplace is similar. That being said, I do want to mention a few products, in no particular order, that Shockoe has had the opportunity to work with and deploy for several clients over the last few months.

One of the first security questions we normally get is “How can we protect the data of an app deployed on an employee device?” While the answer is not simple, a starting point can be found in one of my previous posts (SDK vs Wrapping). Some of the solutions we have worked with include Mocana, Air-Watch, Good, and Citrix.

Mocana is unique in that it is a leading Mobile App Protection Platform; the company is strictly focused on providing a simple yet secure way to wrap Enterprise Mobile Apps without the big Enterprise Systems. Although secure app wrapping is Mocana’s primary focus, it does this job second to none and as such is a strong competitor in the marketplace. One of the benefits of working with this company is its customer service: working with Mocana, Shockoe was able to develop an Appcelerator Titanium Module that can be used with all Titanium Apps.

Air-Watch is one of the most well-known Enterprise Mobility Management (EMM) suites in the marketplace. It was acquired by VMware in 2014, and the acquisition only served to strengthen its foothold on the market. Air-Watch continues to innovate like no other company in the market and offers a comprehensive suite of Mobility Management products, including the option to use an SDK or a wrapper. Beyond the level of security offered by the products, one of the things that interested us most in our dealings with Air-Watch was the console; its step-by-step approach helps IT administrators become productive with the tools extremely quickly. Again, the level of service provided by this company is always helpful when a security situation cannot be resolved. We find that Air-Watch has been a great fit for companies looking for a comprehensive EMM solution on multiple platforms.

Last, and certainly not least, is Good Work, a recent introduction by Good Technology intended to replace Good for Enterprise. The Good Platform has been around for a very long time and is great for organizations that have strict policies on devices and/or are working on a BYOD policy. Be on the lookout for an announcement from Shockoe of a new Good Module that can be used with cross-platform solutions such as Appcelerator.

While these three solutions represent only a small subset of Mobile Security technology vendors, they are the ones we have worked with most closely over the last few months. The key to selecting the best suite of solutions comes down to understanding your business’s short- and long-term mobile needs.

Mobile Security – Wrapping vs SDK

As we stated last week, protecting company data and a user’s personal information is essential when building Mobile Solutions. One of the questions we are often asked is: “When selecting a method to protect data (containerizing), which is better, an SDK or a wrapper?”

There are benefits to both, and more often than not companies can use both methods, depending on the mobile solution and content. To containerize an app essentially means enforcing security around specific rules, authorization, or content a business wants protected; in some cases the container is specific to the app, while in others it is specific to the device. Containerizing Enterprise Apps is a great strategy to protect corporate data while not touching personal data.

As I mentioned above, there are two primary methods of securing a mobile app’s data and content: Software Development Kits (SDKs) and App Wrapping. While the concept behind each is the same, understanding when to use one versus the other is essential to determining which is best for a business. Depending on the Security Vendor, both wrapping and the SDK should accomplish the following: data encryption, prevention of cutting or copying data, app-level VPNs, and device integrity checks. Furthermore, either method can be used to validate user authentication and give system admins the ability to take control of the app or remotely wipe specific content or the entire app from a user’s device.

The key to determining which strategy to use lies in your company’s ability to access the mobile app’s source code. The SDK method of containerizing individual apps requires app developers to have access to the source code in order to integrate the SDK. One benefit of the SDK method is that it gives developers the option to choose between custom components and the methods prescribed in the SDK for securing the app. On the other hand, the major challenge of the SDK method is that software providers often need to create and maintain multiple versions of the same app to support multiple security solutions and/or deployments, making the maintenance and total cost of ownership (TCO) of the SDK method more expensive. A firm understanding of the source code and developer skills, which may vary by platform, are also required for this method.

Conversely, app wrapping does not require any changes to the app’s code and is more cost effective. App wrapping does not require developer skills, but in most cases has more limited security features. A power user or system admin uploads the APK or IPA to the Security Vendor’s solution to apply the wrapper, then distributes the app through the appropriate channels. In most cases, businesses can only use the wrapper when they do not consume a shared service and do not have access to the source code.

To learn more on this topic and how to strategically select the best option for your business, Contact Us.

Top Mobile Security Threats to Consider when developing an App

As the demand for mobile apps and technology continues to rise, so do the security threats. As we all learned just a few days ago, even the US government is vulnerable to them.

According to BBC:

Four million current and former federal employees, from nearly every government agency, might have had their personal information stolen by Chinese hackers, U.S. investigators said.

Although we cannot prevent all security threats, we believe that everyone should have a plan in place to mitigate them. Attacks that proved successful on PCs are now being targeted at unwitting mobile devices; for now attackers are focusing on the weakest link in the chain. That is why I wanted to share the top mobile security threats and risks we have identified:

1)  Authentication and Authorization:  The apps and the systems they connect with should be properly protected with authentication and authorization methods. You should have a procedure in place to block unauthorized devices, users and scripts when they are identified.

2)  Insecure Data Storage:  Limit storage of data such as usernames, auth tokens and passwords on the device; where storing it is necessary, have a plan to secure that information.

3)  Client-Side Injection:  Although there is software to help prevent this on the app side, attackers can send untrusted data through your system if it is vulnerable to injection. Identify the sources of input and the validation applied to them before you deploy your app.

4)  Security Decisions Via Untrusted Inputs:  Attackers can change any information in a request or customize inputs; you need to detect when these changes occur.

5)  Side-Channel Data Leakage:  This is an attack based on information gained from the physical implementation of an encryption system, rather than brute force or theoretical weaknesses in the algorithms.

6)  Broken Cryptography:  Ensure that the cryptography you employ is stable and has not been broken.

7)  Improper Session Handling:  Have you ever been in the middle of checking your bank account online when your attention is called away? You return to your computer to see a message like “Session Timed Out – Please Login Again”. Do you have a process like this in place for your mobile app?

8)  Insufficient Transport Layer Protection:  Again, there is software to help with this, but data must be protected as it travels across the network and the internet; “threat agents” can use techniques to view sensitive data while it is on the wire.

9)  Weak Server-Side Controls:  The servers your app accesses, internal and external, should have security measures in place to prevent unauthorized users from accessing data.

10)  Sensitive Information Disclosure:  Although this is not an app threat, ensure that your users understand the type of information that could be disclosed and at risk when using your app.

BONUS)  Insecure Data Storage (back end):  The back-end systems where your mobile data is stored should be secure; consult experts to determine the steps you should take to secure information such as usernames, location data and other personal information. Keep in mind that application logs can also be useful to hackers.

Contact Us if you are interested in learning more about how we have helped our clients protect against these and many more mobile threats.

Digest Authentication with Appcelerator Titanium HTTPClient

I’ve been working with web technologies for over a decade and had never had to touch Digest Access Authentication. All of the services I had worked with used other solutions for authentication. A few months back that all changed. I was finishing up a mobile project, to be used for internal purposes by the client, when suddenly the API requirements changed. They had implemented Digest Access Authentication with MD5. Uh-oh.

What is Digest Authentication?

Let’s start small; I certainly had to. Digest Access Authentication is a method for validating a user and granting them some access over HTTP. It involves making a request, being presented with a challenge, answering that challenge with another request, and finally getting the resource originally requested. It works like this:

  1. Client sends a request to the server
  2. Server responds with status 401 and a nonce (a number to be used once)
  3. Client makes another request to the server, providing identification information
  4. Server evaluates whether the user is valid and is who they say they are
  5. Server responds with the desired resource

How do we do this in Titanium?

The idea is to send out requests as normal, check for a 401 status code, and respond to the presented challenge if applicable. That is simple enough.

When I was originally tackling this problem I found a very helpful example on GitHub by rollsroyc3; the majority of the following code is from that example, but I made a few changes.

Before adding any code to actually handle the challenge, let’s take a step back. Assuming you have multiple HTTPClients, like I did, every HTTPClient would need to be rewritten. Instead, let’s encourage code reuse and turn this into a CommonJS lib that wraps the HTTPClient. Then we can have one HTTPClient that does Digest Authentication when it encounters a 401 status code and acts normally with all others:

(I use underscore.js a bit here, and you should too)

We can then require this in and use it:


This is just one example of how it can be accomplished. Your needs may be different. There are many more options available on the HTTPClient that are not exposed (such as headers). This was a quick and dirty solution to a last-minute problem.

If I needed the library today for a new project I would modify it to make use of Backbone events.  Imagine different components being notified when a new request has been made, when that request has been met with Digest Access Authentication, and when the response is finally successful!  Evented networks are both a blessing and a curse.  Allowing various controllers to listen for updates to data is amazing, but if you’re not careful with cleanup then you’re begging for memory leaks.

Why iOS7 is a Game-Changer for the Enterprise

The recent launch of Apple’s iOS7 has many talking about how the new version of the operating system was the final death knell of Apple’s skeuomorphic roots, but beyond the style and sleekness of the upgrade, the enterprise should see the feature-dense iOS7 as a major force in driving enterprises to mobile.

Security has been and will continue to be a major concern for the enterprise, but as CSO Jay McLaughlin recently stated, the iPhone is by far the most secure device to try to integrate into the enterprise, as long as users aren’t jailbreaking the device.

“iOS 7 presents new vulnerabilities in the fact it contains new code, technology and features,” McLaughlin said. “Once discovered, you’ll see new exploits created – many of which would be used for jailbreaking purposes – which inherently breaks and destroys the strength of Apple’s underlying security model for iOS. […] Historically, Apple has tightened its security within iOS with each subsequent release, adding stronger encryption, Data Execution Prevention, ASLR and the new A7 processor’s ‘Secure Enclave.’ As such, when in a non-jailbroken state, the iPhone is one of the most secure consumer devices.”

Here are eight features of Apple’s iOS7 that will change the business world for the better:

Stronger Security through TouchID & Activation Lock

One of the biggest drawbacks of extending the enterprise to mobile is the multitude of security threats to which mobile devices can expose an enterprise. TouchID made news when, in less than a week, a computer club in Germany demonstrated that there are ways to bypass the TouchID system.

Even so, ComputerWorld’s Michael deAgonia writes that it is still a groundbreaking advancement for mobile.

“I’ve already decided [TouchID] will be a game-changer. In concert with new Activation Lock features in iOS 7 — GPS tracking can’t be deactivated and access to the iPhone is blocked without entering your iCloud username and password, even after a device wipe! — it’s hard to see this as anything but a major win for security.

The hoops someone would have to jump through to hack into the phone — lifting fingerprints, making a fake print using latex — are complicated, if they even work at all. For me, this doesn’t change its usefulness; it’s just a reminder that no security function is 100% foolproof.”

Weak passwords, disabled security locks and misplaced devices are what keep security-minded companies up at night when they think about extending mobile into the enterprise. While not perfect, fingerprint-based authentication in concert with Activation Lock and device wipe capabilities allows companies to intervene quickly in a potential security violation before sensitive data is compromised. Better to wipe a $200 smartphone quickly than to expose a business to tens of thousands, or even millions, of dollars in a potential data breach while a would-be hacker fiddles with latex fingerprint molds.

Simplicity With Enterprise Single-Sign-On

For the busy folks on the front line delivering packages, checking manifests and entering patient data, all the while jumping between programs to do so, repetitive authentication for each transaction can become a major deterrent to the use of the products, or at the very least to their secure use. What if that worker could log into a CRM app and then jump into an order-tracking app without another sign-on? iOS 7 allows users to take their corporate credentials across apps, even including apps from the App Store. This reduces the need to remember and enter a number of different passwords while also keeping data secure.

Opening Up on Managed Open-In

Would you like an employee accidentally tweeting the Q4 forecast numbers? Probably not. Thanks to Managed Open-In, companies can force their employees to open email attachments in specific corporate-managed applications rather than an app of the user’s own choosing. So, even without a containerization solution to protect corporate data, enterprise IT departments can keep business data in business-related applications on the mobile device. The business can then dictate the Open-In options to the user by app or user account, providing a lot of management flexibility.

Private Server Conversations With Per-App VPN

Per-App VPN gives IT departments much more granularity in access to back-end systems. Only specific apps can gain access to the corporate network, so unmanaged or unapproved apps can never gain access to sensitive data within the enterprise. Together with Managed Open-In, this also restricts the ability to move data into unapproved applications. This feature greatly improves user experience and walls off privacy so that non-business data never touches the corporate network. One of the major benefits to business? Since it can quickly create barriers between SAP and Facebook, Per-App VPN makes Bring Your Own Device (BYOD) a much more realistic goal for the enterprise.

Mobile Device Management Software Made Simple

iOS7 includes a new MDM protocol to streamline third-party MDM solutions. For large businesses, keeping hundreds or thousands of users up to date with supported versions of software can be daunting without management software. Corporate-owned devices can be automatically enrolled in an MDM solution during activation, automating much of the custom commands, font installation and wireless set-up of managed apps.

Giving iWork Mobile to Get

Microsoft made a kingdom into an empire by licensing its end-user productivity tools. Now, just as Google Drive did, Apple is giving away iWork with cloud capability in its latest release. This move won’t push blue-chip companies to defect in droves from Microsoft’s enterprise licensing program, but for smaller businesses this strategic investment on Apple’s part could help justify the cost of equipping Apple devices while extending one set of productivity tools across laptop and mobile device.

Keep the “Property” in “Intellectual Property” Through App Store Volume Purchase Program

Enterprises can now buy apps and books for their iPhone- and iPad-using employees and keep the licenses to those apps or books, transferring them to other workers. For a handful of users this might not seem like much, but those 99 cents add up quickly when it comes to thousands of users, or expensive B2B apps, books or other pricey materials. Previously, companies had to go through the painful process of buying redemption codes to hand out to employees, who then downloaded the apps on their own.

Microlocation through Apple’s iBeacons

Apple’s iOS 7 supports low-cost transmitters that can work with an iPhone or iPad to collect location data, even if there’s no location system installed in a workplace or other environment. The system works over Bluetooth 4.0 and can be used to interact with an environment just by passing through it.

Major League Baseball has been a staunch supporter of practical uses for Apple’s new tech for a few years now, and it has been off and running with the iBeacon technology since last winter. So far, MLB has created an experience that populates a ballpark guide with stadium-specific information and prompts users with different results based on where they are located, be it bringing up the ticket bar-code at the entrance for the ticket-taker or popping up a coupon for a free soda once one smells the aroma of hot dogs.

“We’ve been looking at customizing the app based on where you are within the stadium, but GPS is notorious for not working indoors, especially when you are in a building made of steel,” MLB iOS developer Marc Abramson told Mashable. “Instead, we are incorporating Apple’s new Bluetooth and iBeacon technologies for iOS 7 and couldn’t be more excited about the potential.”

“Essentially, we want to create micro-locations within the stadiums where you can get different experiences,” Abramson said.

On the factory floor or in a busy transit center this sort of device/environment interplay could change the way the user interacts and experiences their environment.

Endless Possibilities

These eight features are just a few of the many advances that Apple has made with their revolutionary iOS7 product.  Beyond what we wrote about above, there’s plenty more worth mentioning: Multi-Tasking APIs, AirDrop and PDF annotations are but a few.

The advance of mobile technology inside the enterprise will lead to major innovations for businesses, and with the introduction of iOS7 large organizations have even less reason to put off extending to mobile.

We wrote months ago that organizations who move quickly but cautiously will be the ones that reap the largest long-term benefit for their business. That said, Apple has addressed many of the major concerns behind that caution in the competitive marketplace with the introduction of technologies like Per-App VPN and ESSO. Extremely secure yet game-changing technology is now available to the enterprise, and iOS7 has done enough that smart enterprises will use these security, location and MDM advances to propel their business forward in the next year, with the largest gain at a fraction of the risk.

Developing for Enterprise Mobile: Speed Up to Slow Down

In a ground-breaking technology field like the mobile extension of enterprise applications, the demands from most businesses always boil down to the same two concerns: they want it done as soon as possible and as cheaply as possible. Believe it or not, for many mobile developers the ability to deliver under those difficult requirements while maintaining high-quality finished products is becoming a reality. How? Thanks to concepts like Backend as a Service (BaaS), new applications can be constructed in a much shorter timeframe than might have been expected not all that long ago.

The Fast and The Furious

As a quick and dirty approach, many BaaS platforms offer a web-based method to set up the mobile backend services. Some of the market’s most robust tools, like Appcelerator, even offer a command line interface. So whether web or command line suits a given problem, both allow the framework for the app to be built extremely quickly. With some workflow and business logic added on top, the app can then be channeled through one or more lines of business, leaving developers just a user experience away from completing an app’s first rev.

In addition to the opportunity to use web services to deploy quickly, there’s also a growing and increasingly powerful toolbox that can be used to extend enterprise apps. From drag-and-drop enterprise extension tools and add-ons to existing applications like SalesForce, to plug-in features that make use of a mobile device’s unique capabilities, these advancements will only accelerate the speed at which enterprise apps get into the field and the far-reaching impact they will have on their enterprise.

Good stuff, right?

Well … yes and no.

As the capabilities of mobile enterprise apps increase, and the speed at which they can be delivered increases with them, security will become a crucial component of their long-term success. Translation: don’t build or deploy too quickly.

Looping the Loopholes

Security violations can be big problems for business nowadays. Recently the US Department of Health paid over $1.5 million in a settlement over a single lost laptop, on which the data most likely wasn’t even compromised. Now think of the lack of security on most mobile phones and how often they are misplaced. Do you have enough in the bank to cover all your absent-minded employees? Physical security breaches could be rampant, not to mention the growing cottage industry around exploiting mobile device security holes. ABI Research estimates that the Mobile Security market will be a $389 million market by the end of this year alone.

The ugly truth is that right now, enterprises across the world are having a tough time keeping up with the high demand for mobile applications from both their internal and external users. As a result, many organizations have not done the rigorous quality assurance to build out platforms that they would otherwise have done for a similar network or even web-based application. IBM’s X-Force Mid-Year Trend and Risk Report notes that Bring Your Own Device (BYOD) has presented a whole new set of problems for enterprises as they try to figure out how to keep their data secure in the midst of a spectrum of security problems. “The one constant we have seen in the mobile security landscape is the compromise of nearly every mobile operating system at every released version,” the report stated. “In fact, often new release versions are jail broken or rooted within days or even hours of their release. This is a consistent statement across nearly all mobile operating systems.”

Good, Fast & Cheap: Pick Two

We’ve all heard the old trope about Good, Fast and Cheap. So how does a responsible organization protect itself? While “Fast” and “Cheap” are important, they are not so important that they should come at the cost of making it “Good.”

When it comes to mobile, organizations must choose to pick all three.

Organizations that fail to act on game-changing mobile technology will fall behind their competitors, but that does not mean that security and testing are non-factors. The QA process should look the same as it always would. Enterprises would also be wise to take advantage of the built-in security tools offered by the device, from simple password locks to more advanced biometric locks. Mobile security software should also be a consideration for enterprises as mobile device usage grows in their organization.

The rapid advance of mobile technology inside the enterprise will lead to major innovations for businesses, but it should be rolled out in a calculated manner. In the end, the organizations that can move quickly but also cautiously will be the ones that are most successful in the long term.