Upload
james-ford
View
36
Download
1
Tags:
Embed Size (px)
Citation preview
IBM SoftwareWebSphere
Technical White Paper
An overview of IBM MobileFirst Platform Build, test, integrate, deploy and manage mobile applications
Contents
1 The IBM MobileFirst Platform
2 More efficient development
9 Optimizing user engagement
13 Securing your mobile channel at the user, application and device levels
17 Managing your mobile ecosystem
The IBM MobileFirst PlatformThe IBM® MobileFirst Platform is a standards-based mobile- middleware, categorized as a Mobile Enterprise Application Platform (MEAP) and Mobile Application Development Platform (MADP). IBM MobileFirst Platform Foundation core value-add is the connectivity to and extension of existing back-end systems also known as Systems of Records (SoR) with development, user engagement, security and management capabilities.
Track problems that affect UX
Manage and enforce app versions
Security
User engagement Operations
Back-end
Front-end
30% of the value and effort is visible (mobile UI)
70% of the value and effort lies under the surface
Short time to market
Web? Hybrid? Native?
Teamwork
Industrialize app dev
Integrate with SDLC
Ensuring continuedsupport in a quick-changing landscape
Dataprotection
Pushupgrades
Malwaredetection
integ
Userauthentication
Connect to back-end systems
Efficient and flexiblepush notifications
Offline availability
Track and use location
B2E app distribution
Mobile apps go much deeper than the front-end User Interface
2
WebSphereTechnical White PaperIBM Software
With the MobileFirst Platform, organizations can more effec-tively address the full lifecycle of mobile app development, delivery and on-going management.
The IBM MobileFirst Platform consists of three distinct offerings:
●● IBM MobileFirst Foundation to build, test, integrate, deploy, manage and better secure web, hybrid and native applications for desktop and mobile from standards-based technologies and tools
●● IBM MobileFirst App Scanning to detect code vulnerabili-ties earlier during development
●● IBM MobileFirst Quality Assurance to capture feedback from users and testers with sentiment analysis and frictionless bug reporting
DevelopObtain insight
Manage
Deploy
Instrument
Integrate
Test
Scan and certify
OperationalizeIntegrated DevOps
for Mobile
Design
X
The mobile application lifecycle
Application Center
Quality AssuranceApplicationScanning
Development Continuous Delivery
Studio Console
Server Run time
Application ScanningDetect code vulnerabilities at thetime of development
Quality AssuranceCollect beta test feedback, crashesand analyze user sentiment
FoundationDevelopment, Run time, Operations, Console and Private Store
IBM MobileFirst Platform overview
More efficient developmentWith MobileFirst Foundation, you can support a wide range of development approaches from native to hybrid as well as web approaches. Therefore, you can evaluate the best approach for each situation, according to skills, time and functionality, with-out being limited by a specific approach to mobile application development.
Developers can use tools of their choice—the provided com-mand line interface (CLI) enables integration with tools such as Xcode, Android Studio, Xamarin, or any other development tool developers want to use.
The MobileFirst platform also includes the IBM MobileFirst Studio, an Eclipse-based integrated development environment (IDE) that helps developers to conduct virtually all the coding and integration tasks required to develop rich and engaging applications. MobileFirst Studio is designed to augment Eclipse tools with a wide variety of enterprise-grade features delivered as plug-ins to streamline application development, debugging and testing as well as to facilitate enterprise connectivity.
3
WebSphereTechnical White PaperIBM Software
Mobileweb site (browseraccess)
Nativeshell enclosingexternalm.site
Pre -packagedHTML5resources
HTML5 +native UI
Mostlynative, someHTML5screens
Purenative
HybridPure web Pure native
Web-native continuum
HTML5, JS, andCSS3 (full site or m.site) Quicker andcheaper way to mobile
•
•
• Sub-optimalexperience
HTML5, JS, and CSS Usually uses CordovaDownloadable,app storepresence, pushcapabilities
•
•
•
• Can use nativeAPIs
As previous•• + more
responsive,available offline
Web + nativecode
•
• Optimized user experience with native screens, controls, and navigation
App fullyadjusted to OS
•
• Some screens are multiplatform when makes sense
•
•
•
App fully adjusted to OS Best attainable user experience Unique developmenteffort per OS, costly to maintain
Approaches for the development of mobile apps
Regardless of how you choose to develop your apps, develop-ment complexity rises when you need to develop multiple apps in different versions, support multiple mobile operating systems, or enable many developers to work together on a rich app.
●● With the MobileFirst Foundation, developers can reduce the development cycle by automating app tests directly on their PC. They can reuse code across or within apps by using templates and components. Developers can integrate with SOAP, REST and SAP services in seconds without writing a line of code. In addition, they can efficiently tailor ready-to-use mobile build and test scripts to their corporate build framework and share the resulting applications with developers and testers.
●● All these capabilities are available for native, hybrid and web developers in a complete IDE or as a f lexible set of command-line tools.
●● Developers of hybrid applications can also benefit from greater f lexibility to build Cordova-based apps, where the IBM platform helps enable them to have control of the portions
4
WebSphereTechnical White PaperIBM Software
Capability Objective-C for iOS
Java for Android C# for Windows Phone 8
C# for Windows 8
Integration with back-end systems through adapters √ √ √ √
MobileFirst Platform Authentication Framework √ √ √ √
Development Functional testing √ √ √ -
Application version enforcement √ √ √ √
Unified push and SMS notifications √ √ √ -
Location Services √ √ - -
On-Device Encrypted JSON Store √ √ - -
Log collection for analytics √ √ - -
Remote-controlled client-side log collection √ √ - -
Pure native developmentWith the pure native development approach, you can create applications that fully use the device capabilities without any compromise on performance and user experience. Such applications are written for a specific platform environment as Objective-C for iOS, Java for Android for Java ME or C# for Microsoft Windows Phone 8 and Microsoft Windows 8 and use MobileFirst Platform capabilities through its provided native APIs.
Command Line InterfaceTo help developers get a better tools experience, the CLI tool can be used to more easily create and manage both native and hybrid apps. The CLI enables developers to use their preferred text editors or alternative IDEs to create mobile applications.
The CLI does not require MobileFirst Studio for most stan-dard activities. The commands support tasks such as creating, adding and configuring with the MobileFirst Platform API library, adding the client-side MobileFirst Platform properties file and conducting the build and deployment of the MobileFirst Platform application. Adapter creation, deployment and local testing can be conducted within the command line. Administration of your MobileFirst Platform project can be done from CLI or REST services, or the MobileFirst Console, where you can more easily control the local server and observe the logs. Command-line tools can be used on their own, or in parallel with the MobileFirst Studio tools.
Everything that is generated by using the command-line inter-face is compatible with MobileFirst Studio. You can also use the CLI to integrate third-party tools such as ANT or Grunt to create your own tool chain for automated testing, build and deployment f lows.
MobileFirst Platform native capabilities
5
WebSphereTechnical White PaperIBM Software
Native-device SDK integrationMobileFirst Studio is also designed to integrate with the software development kits (SDKs) of the mobile devices that the MobileFirst Platform supports including Android, iOS, Microsoft Windows 8, Microsoft Windows Phone and Blackberry. With this integration, developers can take full advantage of the native code capabilities, development tools, testing and debugging mechanisms that are native to the mobile SDKs, without leaving the development environment.
Automated mobile functional testingTo accelerate delivery cycles of mobile applications, you require fast and effective test cycles. MobileFirst Platform software includes integrated automated functional testing. This testing is available for Android and iOS native, hybrid and web applica-tions. Created for developers and testers, this capability is designed to automate functional testing of apps that are devel-oped with the MobileFirst Platform. First, developers or testers record a sequence of actions on a mobile device, emulator or simulator by using an instrumented recording-ready application to generate a test script. Next, developers or testers edit and enhance the script by using natural-language syntax to add veri-fication points and other instructions. Developers and testers can run the enhanced test script on demand on a real device, simulator or emulator. They can view and share the results by using a generated HTML report. Developers and testers can test MobileFirst Platform apps more rapidly and methodically at a reduced cost because of automated functionality testing. As a result, developers and testers can help enable higher-quality mobile apps.
Centralized buildThe IBM MobileFirst Platform Builder is a stand-alone appli-cation that can be more easily integrated with common central build services, such as IBM Rational® Jazz™ Builder,
Hudson and Luntbuild. Using the centralized build functional-ity, the different teams involved in the development, testing and quality assurance (QA) phases can work from one common version of the code without complex installation of dedicated mobile environments locally. Therefore, teams can more effec-tively enhance the collaboration and automation of the internal application development process.
Hybrid developmentFacing the constantly evolving fragmented ecosystem of mobile devices and operating systems, application development has become a costly, yet an unavoidable endeavor. This challenge has led to the creation of a market for cross-platform mobile development solutions that is rapidly growing.
Most solutions in the market today rely on limited proprietary tools delivering lowest-common denominator based on code cross compilation or interpretation from what you see is what you get (WYSIWYG) tools or prepackaged apps. The result is an unavoidable tradeoff between user experience and multiplat-form coverage. With the MobileFirst Platform hybrid develop-ment approach, applications can have any mix of standard native and web code, even in the same UI views. Hybrid appli-cations execute inside a native container and use the browser engine to display the HTML5/JavaScript and CSS part of the application interfaces and business logic. The native container, based on Apache Cordova also known as PhoneGap, grants application access to device capabilities that are not accessible to standard web applications, such as the accelerometer, camera and device local storage. Hybrid applications developed with the MobileFirst Platform can be distributed through public or private cross-platform application stores and developed either by using the provided MobileFirst Studio CLI or IDE tools. For example, the Mobile Browser Simulator enables advanced debugging earlier in the development cycle to further accelerate developments with multiple form factors preview side by side and Apache Cordova APIs simulation.
6
WebSphereTechnical White PaperIBM Software
Because developers are not dependent on an intermediary build-time or runtime layer, such as a cross-compiler or inter-preter, native APIs are accessible upon release of new mobile operating system (OS) versions or third-party libraries. Furthermore, the applications web code is executed directly by the mobile browser, so developers have direct access to the HTML Document Object Model (DOM) and are free to use any JavaScript API or third-party JavaScript toolkits and frameworks.
There are several ways of combining native and web code in MobileFirst Platform hybrid applications, including:
●● Native and web code mix. With the MobileFirst Platform, you can mix virtually any set of native code with web code for different, or within the same screens or application logic. Some of the benefits include full use of native capabilities and optimized balance between code reuse and performance for user experience where needed.
●● Pre-packaged HTML5 resources. Unlike the following approach, the web resources are not loaded from an external website at run time but are packaged within the application itself, thus enabling improved application responsiveness and off-line operations support. In addition, you can enable greater cross-reuse across delivery channels with the com-bined use of responsive design and MobileFirst Platform skins.
●● Native shell application enclosing an external mobile website. With this approach, your mobile website is dis-played inside the native shell provided instead of the device browser allowing application access to the device native functionality through JavaScript APIs. There are drawbacks to this approach because of downgraded user experience with subpart response time and off-line modes.
Support for HTML5MobileFirst Platform software uses a standards-based approach that enables developers to write or import code, to circumvent the debugging and maintenance limitations of proprietary interpreters or code translators.
You can benefit from capabilities that include:
●● A cleaner, more readable and consistent HTML code●● Visual HTML editing in Rich Page Editor; HTML5 tags
and attributes are directly supported in RPE●● Access to rich media types including audio and video that are
usually available only by way of native code●● Use of advanced UI components, such as data pickers, sliders
and edit boxes that automatically support ellipsis and others—implemented natively by the browser
●● Use of Cascading Style Sheets 3 (CSS3) styles and CSS3-based animation to reduce application size and to improve application responsiveness
●● Application distribution channels that go beyond the different application stores and their time-consuming and limited restrictions
●● Support for location services●● Offline storage capabilities
Support for third-party JavaScript toolkits and UI frameworksIn addition to its support for HTML5, MobileFirst Platform software provides integration with the growing ecosystem of UI frameworks, such as Ionic, Angular or jQuery Mobile. Developers can pick the JavaScript UI framework of their choice and use it to develop their application within the MobileFirst Studio.
7
WebSphereTechnical White PaperIBM Software
Rich Page Editor (RPE)Furthermore, the MobileFirst Studio ships with a WYSIWYG drag-and-drop for UI design and development. With these editing capabilities, developers can create pure HTML or HTML and JavaScript files by dragging HTML5, JQuery and Dojo mobile components from a built-in palette to the HTML canvas. Developers can use property sheets to control HTML and CSS properties. At the same time, with these editing capa-bilities, developers can enable direct editing of HTML and CSS files, updating the graphical canvas to visualize almost immediately the impact of their changes. These editing capabil-ities are integrated with the MobileFirst Platform optimization framework, making it possible for developers to view a specific application environment or to view a specific skin.
Screen templatesTo deliver an outstanding mobile UI experience, conformance to continuously evolving mobile patterns of behavior that are specific to each OS family is required. MobileFirst Platform software includes screen templates that automate the creation of mobile screens. The design of these screen templates is based on industry-proven methods.
Developers can choose from templates in four categories including:
●● Lists●● Authentication●● Navigation and search●● Configuration
Each screen template can be previewed live, used as is, or further refined using any combination of web and native technologies.
Optimization frameworkUnlike other alternative approaches, the MobileFirst Platform optimization framework enables developers to share the majority of the application code across multiple environments, without compromising platform-specific user experience or application functionality. Developers can share the common application code among multiple environments, while isolating environment-specific code in designated code branches that can overwrite or augment the commonly shared code. As a result, application logic remains consistent among the different envi-ronments, while the UI behaves natively and adheres to user expectations and the differentiated functionality and design guidelines of the device. Therefore, developers can strike the desired balance between development efficiency, application functionality and user experience. Hybrid application web portion of the code can be updated with the IBM MobileFirst Platform Direct Update mechanism. Further performance improvements with direct update are possible through differen-tial direct update where the end users receive only the web resources that have changed between updates instead of the entire web resource package.
Runtime skinsYou can further optimize your hybrid apps by using runtime skins. These skins are packaged with the application’s executable files and are applied to the mobile app during run time. With this capability combined with responsive design techniques, it is easier to automatically adjust the application appearance and behavior to different devices from the same OS family and better manage application code complexity.
Common scenarios that benefit from runtime skins include:
●● Different screen sizes and screen densities●● Different input method●● Different support levels for HTML5
8
WebSphereTechnical White PaperIBM Software
The shell approachWhen different teams having varying degrees of expertise work on common mobile projects, the MobileFirst Platform shell approach can help separate concerns among teams. An external shell is a customizable container that provides JavaScript access to the native capabilities of the device. A dedicated expert team works on one or multiple shells for branding, security configu-rations, audits and authentication frameworks. Using such shell structure forces hybrid inner applications to automatically comply with its built-in policies as data access restriction, use of certain APIs and different branding.
With the corporate policies enforced by the shell, the inner applications can be more easily built by departmental develop-ment teams using well-known web technologies. Such teams are only required to focus on the user interface and business logic.
Desktop and mobile website developmentIn this model, the application that executes the device’s browser can be made platform independent and requires no installation, with simple access through a URL or bookmark. The downside is support for connected mode only, sub-part user experience with potentially response time and no access to the device functions such as camera or contact list.
Aspects of each development approachWith the MobileFirst Platform, you can select the most appro-priate development approach fitting your application context and objectives. Selecting the best development approach must be the first step of your application project.
The major aspects of the supported development approaches to help you decide which one best fits your needs include the following:
Comparison of mobile development approaches
Aspect Mobile website development
Native shell, external mobile website
Prepackaged HTML5 resources
Mixing web and native in code and UI
Pure native development
Easy to learn Easiest Easiest Medium Harder Hardest
Application performance Slowest Moderate Good Fastest Fastest
Device knowledge required None Some Some Some A lot
Development lifecycle - build, test, deploy
Shortest Shortest Medium Medium Longest
Application portability to other platforms
Highest High High Medium None
Support for native device functionality Some Most Most All All
Distribution with built-in mechanisms No No Yes Yes Yes
Ability to write extensions to device capabilities
No No Yes Yes Yes
9
WebSphereTechnical White PaperIBM Software
Optimizing user engagementUsers value apps that help them complete tasks such as ordering takeout, hailing a taxi, or making a restaurant reserva-tion. To deliver this type of transactions, you require mobile application integration with existing back-end services and data.
Standardized back-end access with adaptersThe MobileFirst Platform enables mobile apps back-end con-nectivity over HTTP, JMS, SAP, Unstructured Supplementary Service Data (USSD) and SQL and you can further optimize connectivity by using IBM Integration Bus or IBM Cast Iron®. The MobileFirst Platform adapter architecture is designed to promote a decoupling of integration logic, which is hosted on the server side from the mobile application logic. As a result, with this IBM architecture, you can manage back-end services and mobile-apps-distinct evolution timelines.
Moreover, mobile apps often have to connect to services that were built long before mobile was in existence, which poses challenges in both data delivery and service security for the mobile channel. The MobileFirst Platform is designed to deliver ready-to-use data transformation capabilities to the JSON format to optimize payloads size and response time for the mobile applications. For instance, adapters can easily filter
out unneeded parts of large payloads from legacy services tar-geted at the traditional web channel. Furthermore, adapters can enable server-side service composition to reduce the number of requests to optimize application response time over slow mobile network.
In terms of integration security, the MobileFirst Platform pro-vides mobile-specific and fine-grained security controls that can be wrapped around legacy services. In addition, the MobileFirst Platform acts as a strong control point, enabling overview and management of mobile activities. This platform also includes built-in analytics for user actions and device and application properties with possible extension to monitor and act upon unusual usage patterns that might result from fraudulent repackaged apps.
Integration is the driver for the level of interaction many users expect from their mobile apps and the MobileFirst Platform provides a robust set of integration capabilities. With these features, you can use existing enterprise investment, optimize data delivery to sustain user interactions over unstable mobile networks and help reduce development cost by providing zero-code integration paths. In addition, you can improve organiza-tional insight into user experience through analytics.
Automated services discovery for SOAP and SAP
Generation of adapters for the discovery of SOAP automated services
10
WebSphereTechnical White PaperIBM Software
With the MobileFirst Platform, you can further expedite the creation of mobile apps that call SAP NetWeaver Gateway and SOAP-based web services described by Web Services Description Language (WSDL). With the MobileFirst Platform services discovery wizard, developers can specify the back-end services called from the mobile app and generate application specific adapters for web, hybrid, or native app with near-zero coding. Further, developers can place them in the proper mobile app project folder.
Unified push notification and SMSThere are many differentiated characteristics of mobile apps but perhaps none more so than the notion of anywhere, anytime engagement. The MobileFirst Platform provides a unified API to send push notifications and SMS from the server to mobile apps, helping developers to more easily manage mobile plat-form fragmentation. In addition, they can develop a single set of logic to send push notifications across their target platforms.
The MobileFirst Platform provides the ability to send broadcast notification to all devices and targeted messages to a specific set of users, a specific device or a specific user. By using the device specific capabilities, the MobileFirst Platform also supports interactive push notifications for iOS8, Android L heads up notification and silent notifications for iOS7 onwards.
Location servicesIf push notifications deliver the means for engagement, location services deliver the ability to engage in context. The MobileFirst Platform is designed to help engage users based on their location by providing end-to-end services for detect-ing, transmitting and consuming location-based events in back-end business processes, decision management systems and analytics systems.
PollingAdapters
Back-endSystem
Back-endSystem
Message-based Adapters
UnifiedPush API
NotificationStateDatabase
UserDeviceDatabase
iOSDispatcher
AndroidDispatcher
WindowsPhoneDispatcher
SMSDispatcher
Apple PushServers(APN)
GooglePushServers(GCM)
MicrosoftPushServers
SMS/MMSBrokers
Administrative ConsoleNotification statistics, SMS subscription control
Worklight Client-sidePush Services
iOSPush API
AndroidPush API
WindowsPush API
BrokerAPI
Optional 2-way SMS
Worklight Client-sidePush Services
Worklight Client-sidePush Services
Unified Push Notifications
11
WebSphereTechnical White PaperIBM Software
Traditional approaches constantly poll device GPS or triangulate and then send the resulting position to the back-end systems for decision-making. Whereas, the MobileFirst Platform delivers a location services framework that helps optimize development time, battery and network usage.
MobileFirst Platform geo-services architecture
MobileFirst Platform USSD architecture overview
Device Run time
Application code
Device location API Server location API
Worklight device run time Worklight server run time
Analytics and reporting
Set acquisitionpolicy and triggersTransmit events
Log activities andevent with deviceand app contexts
Events
Device context
Set event handlersGet device contextSet app context
Trigger callbacks Event callbacks
Adapter code
Worklight Server
Enterprisebackend
Worklight
HTTP/S
USSDGateway
Mobile User dials USSD short code e.g. *123#
Telco forwards this to a USSD gateway
Gateway maps the short code to a known URL provided by the enterprise and creates the USSD session
Worklight responds to the gateway request with the USSD menu options (configurable)
Enterprise
Adapter
12
WebSphereTechnical White PaperIBM Software
IBM MobileFirst Platform Foundation location services provide both client-side and server-side services that deliver:
●● Points of interest and geo-fences definition and a more efficient, policy-based controlled acquisition of GPS, triangulation and Wi-Fi coordinates to save battery, whether the application is executing in the background or foreground
●● Events generation for action triggering based on location changes as when crossing a geo-fence and server-side logic to enable meaningful reaction to important geo events
●● More efficient communication with back-end systems and batch sends to optimize network use
●● Unified server-side API that enables developers to consume location events on the server and take action to facilitate enterprise systems integration into patterns of intelligent user engagement
The benefits of MobileFirst Platform location services are twofold to the organization. First, developers do not have to worry about efficient location data collection and transmission for the client because they can use MobileFirst Platform services. Second, developers can build one set of location-enriched engagement logic on the server and apply that logic to their mobile apps throughout platforms. This IBM platform’s location services help people at organizations more efficiently understand where app users are and more importantly execute business logic based on this contextual understanding.
Indoor location using iBeaconsYou can engage users based on their proximity to an enterprise beacon by delivering location-relevant messages, information, promotions and so on. The MobileFirst Platform provides REST APIs to register and manage the beacons on the server side. Similar to outdoor location triggers, the admin team creates triggers that are activated when a user is nearby enterprise beacons. Developers can retrieve a list of beacons and triggers by calling a WL Server API in an adapter
Unstructured Supplementary Service DataUSSD provides a cost-effective alternative to mobile apps in emerging markets where feature phones as opposed to smart-phones are still fairly common and data networks unreliable.
USSD is a protocol used by GSM cellular telephones to send text messages between a mobile phone and an application program in the network. USSD establishes a real-time session between the mobile phone and the application that handles the service.
The MobileFirst Platform is able to:
●● Accept incoming requests from a USSD gateway and map the USSD short codes as a user entering *123# to the corresponding MobileFirst Platform adapters
●● Construct and respond with USSD menu options●● Call corresponding back-end services through the
MobileFirst Platform adapters
The IBM MobileFirst Application Center cross-platform private app storeThe MobileFirst Application Center enables teams to set up an enterprise cross-platform private application store to help govern the distribution and management of pre-release and production-ready mobile applications. This MobileFirst private app store can manage MobileFirst and non-MobileFirst-based applications, including apps from public app store.
Administrators can make the most of existing authentication frameworks, including ACL and LDAP, to manage app distri-bution by department, job function, geography and other schema. Employees who access the MobileFirst Application Center from their mobile devices will only see the mobile apps that they are allowed to download and can rate apps and provide feedback to help future enhancements.
13
WebSphereTechnical White PaperIBM Software
For development teams, the MobileFirst Application Center provides a more convenient way to distribute pre-release soft-ware to developers and testers. Feedback can be organized by device and by version to quickly isolate and resolve defects, whether those defects are device-specific or version-specific. The MobileFirst Application Center is designed to also inte-grate with software-build processes to automate the distribution of the latest releases to project teams, helping to accelerate the develop-test-debug cycle.
The MobileFirst Application Center provides:
●● Administrators with improved governance over the distribu-tion of mobile apps throughout the enterprise, including app hosted on public app stores;
●● Employees with easier access to the latest apps that are needed by their departments or job function and that are optimized for their device;
●● Developers with an easier way to distribute mobile builds and to elicit feedback from members of development and test teams
The MobileFirst Application Center is designed to manage native or hybrid applications for the Google Android platform, the Apple iOS platform, the Microsoft Windows Phone 8 plat-form, Microsoft Windows 8 and the BlackBerry OS 6 and OS 7 platform.
Securing your mobile channel at the user, application and device levelsSecurity is a clear priority for executives at organizations embarking on mobile implementations but it proves to be challenging. Up to 53 percent of enterprises report that they struggle to implement effective end-to-end mobile security measures.1
A key characteristic of the MobileFirst Platform security frame-work is its delegation to the existing security infrastructure to foster reuse and security standardization across delivery chan-nels. IBM MobileFirst Server is designed to integrate more seamlessly as a presentation tier into the existing enterprise infrastructure while supporting custom extensions to integrate with virtually any security mechanism. The IBM MobileFirst Foundation security framework provides a wire protocol that enables the combination of challenges and responses of multiple security checks during a single request-and-response round trip. With this IBM security framework, the number of client and server round trips can be reduced and the application logic from the security checks implementation can be separated.
The MobileFirst Platform facilitates stronger implementation of security measures at the user, data, application and device levels:
●● The MobileFirst Platform provides an open user- authentication framework to help you integrate your mobile apps with existing enterprise or third-party security systems. The MobileFirst Platform enables the basic authentication approach that uses the username and password. But the MobileFirst Platform also enables more complex schemes such as certificate-based authentication and multifactor authentication protocols with one-time passcodes, step-up authentication procedures and more. A typical example of multifactor authentication is the combination of device, application and user authentication. You can also integrate the MobileFirst Platform with existing enterprise certificate authority such as X509 Public Key Infrastructures (PKI) certificate creation back-end, to pass requests for the creation of certificates and use resulting certificates. Resulting X509 certificates stored on the devices help deliver enhanced user experience by streamlining user authentication steps as removing login and password steps for a particular app on a given device. X509 certificate creation software is provided if you do not already have one deployed. The MobileFirst Platform is also designed to support off-line authentication, single sign on (SSO) capabilities for multiple mobile apps to participate in a globally authenticated session.
14
WebSphereTechnical White PaperIBM Software
●● The MobileFirst Platform helps more effectively secure data on the device with the JSON Store AES-256 encryption. You can further secure data on the device and in transit with the use of optional libraries to make them FIPS 140-2 compliant.
●● You can protect applications against repackaging attacks with app authentication by ensuring that mobile apps that connect to the MobileFirst Platform environment are known and trusted. With the MobileFirst Platform, you can also support integration with third-party jailbreak and malware detection libraries. These capabilities are complemented with the MobileFirst Platform direct update to automatically propa-gate updates of web portions of the hybrid mobile apps, thus helping to ensure latest security patches are deployed to users.
●● To protect against malicious changes to direct update, the MobileFirst Platform provides direct update authenticity verification, where the authenticity of the direct update package is verified before it is installed on the end user’s device.
●● The MobileFirst Platform also provides device provisioning capabilities which enable control over which device can access corporate back-end systems.
●● In addition to all of these capabilities, this IBM platform provides management controls through standard Java EE security controlled for role-based access to UI console, analytics console, CLI and REST APIs used for the automa-tion of tasks. They help administrators to mitigate risk in the face of unknown app vulnerabilities and recently lost devices. Furthermore, administrators can more quickly change access rules with fine-grained management of user or device or application triplets with disablement of all or given apps for all or given users or devices.
Proactively enforcesecurity updates
Remotedisable
Directupdate
Provide robust authenticationand authorization to secure users
Authenticationintegration framework
Dataprotection
realms
Coupling device id
with user id
Streamline corporate security approval
processes
Mobileplatform as
a trust factor
Protect from known application security threats
Codeobfuscation
SSL with server identity
verification
Proven platform security
Jailbreak and malware
detection
App authenticity
testing
Protect data on the device
Encryptedcache / DB
Offlineauthentication
Secure challenge-
response onstartup
MobileFirst Platform Security Framework
15
WebSphereTechnical White PaperIBM Software
Mechanism Benefit Details
On-device encrypted storage
Help protect sensitive information from malware
attacks and device theft
●●
●●
●●
Uses AES256 and PCKS #5-generated encryption keys for
storing app-generated information on the device
Enables offline user authentication
Implemented in JavaScript that is highly obfuscated, with
optional native performance enhancements
Direct update Take action to help ensure timely propagation of
updated hybrid app versions to the entire install base
●● New versions of the code can be distributed without requiring
the manual update of the application and are applicable to
web resources
Remote disable Enforce timely adoption of critical security updates to
the entire install base
●● Server-side console enables configuration of allowed app versions.
Administrator can ask users to install security updates to the
native code.
Authentication framework
Help reduce overall cost and complexity of integration
with authentication infrastructure
●●
●●
●●
●●
●●
●●
Server-side architecture designed for integration with back-end
authentication infrastructure based on Java Authentication and
Authorization Service (JAAS) concepts, with authentication realms
Specify one SSL per HTTP adapter for enhanced flexibility
and security
Ready-to-implement integration with Kerberos, NTLM,
Basic and Digest authentication
Ability to encrypt server-to-server SOAP communication with X509
certificates, following the Web Services Security (WSS) standard
Client-side framework for asynchronous login requests on session
expiration
X509 certificates support
Server-side safeguards
Help prevent SQL injection and help protect against
cross-site request forgery (XSRF)
●●
●●
Prepared-statement enforcement
Validation of submitted data against session cookie
Enterprise SSO integration
Use existing enterprise authentication facilities and
user credentials and enable employee-owned
devices
●●
●●
●●
Client-side mechanism obtains and encrypts user credentials, sends
to the server with requests
Encryption incorporates user-supplied PIN, server-side secret
and device ID
Credentials cannot be retrieved from lost or stolen device
16
WebSphereTechnical White PaperIBM Software
Mechanism Benefit Details
Device SSO ●● Enables a mobile user to authenticate one time to ●● Upon successful login, the authentication state is saved in the
integration
●●
●●
●●
gain access to multiple mobile applications from a
single device
Mobile users get a more-seamless experience
without having to explicitly log in to each
application
Enterprise teams can integrate authentication
services under a single umbrella, streamlining
governance and reducing help-desk costs that
are related to password resets and security
Developers can help eliminate redundant
development effort; they are no longer required
to build authentication into each application
independently
●●
database and used for validations in subsequent sessions
from the same device
No credentials are stored in the on-device database; only the state
of the authentication is stored, for improved security
Virtual private ●● Enable delivery and operation of mobile apps for ●● Client-side and server-side frameworks act as secure socket layer
network (VPN) employee-owned devices or device types that are (SSL)-based VPN
alternative●●
not allowed on the corporate network
Enable delivery when installation of VPN client on
mobile devices is not possible or when such
installation is complicated to manage
●●
●●
●●
Network access control and policies are preconfigured in the
client-side framework layer
Network access and security measures are updated using
server-side framework
On-device encrypted storage to help prevent compromise of
sensitive data
These capabilities are essential, but business leaders realize thatdelivering secure mobile apps is about more than securing the run time; security must be embedded into the development and app lifecycle management process. With MobileFirst Application Scanning, you can conduct a static code analysis of a mobile app, both native and web content, to detect potential vulnerabilities earlier during the development cycle
for data leakage, sensitive information exposure, high-risk API usage and more. This analysis can be an automated part of an organization’s continuous integration and build strategy and it can be run on demand as well. Static code analysis for mobile apps is an important part of raising an organization’s overall security posture. With MobileFirst Application Scanning this analysis is made easier to institutionalize as part of the mobile app lifecycle.
17
WebSphereTechnical White PaperIBM Software
The MobileFirst Platform also integrates with:
●● IBM MaaS360® from IBM Fiberlink® to help support BYOD strategies with full device control through policies, app containerization and app security as copy and paste prevention
●● IBM Trusteer® to deliver a context-driven risk assessment and advanced malware and jailbreak detection
●● IBM DataPower® for scalable security enforcement points (PEP), traffic management, message validation, transport level communications protection and rate limitation through policies
●● ISAM for risk-based access (RBA) and single sign-on (SSO) using LTPA token, HTTP header, or OAuth
Clearly, security is an imperative for companies delivering mobile apps and it goes deeper than security measures employed for traditional web applications. The MobileFirst Platform provides a more comprehensive set of and integration with security-focused capabilities that help address both devel-opment and runtime concerns. Security officers and developers can use these capabilities to enhance their mobile security posture without spending considerable upfront and ongoing resources to match with what the MobileFirst Platform provides right off the shelf.
The MobileFirst Platform does not warrant that systems and products are immune from the malicious or illegal conduct of any party.
Managing your mobile ecosystemUnlike web application where you are in full control of the experience and versioning where users get the sanctioned version when connecting, mobile applications are a different challenge, with binaries executing on end-users devices, traditionally outside of your control. The MobileFirst Platform is designed to provide means to claim back control with its Mobile Application Management (MAM) capabilities while maintaining a higher level of insights with operational analytics.
Enterprises can hardcode the MobileFirst server address in the client application in which case all the users connect to the same server. An alternative will be for enterprises to distribute a single application to multiple groups of users and each user group connects to a locally hosted MobileFirst server. The MobileFirst Platform provides APIs to dynamically change the MobileFirst server address.
The MobileFirst ConsoleThe MobileFirst Console is a web-based user interface, also available through REST services, Ant tasks or CLI tools to more seamlessly integrate with your automation system of choice. The MobileFirst Console is dedicated to the ongoing administration of the MobileFirst Server and its deployed apps, adapters and push-notification services whether in development or production.
18
WebSphereTechnical White PaperIBM Software
Supports multiple versions on the same platform
Device specific versions are uncoupled
Worklight console app management
Main management tasks include:
●● Deployment of mobile applications and adapters●● Fine-grained management of users, devices and applications ●● Black listing given devices when lost and managing their
provisioning, preventing access to given users when role changed or managing multiple versions of the same application
●● Remotely disabling applications by version and mobile-operating-system type
●● Management of notification messages on application startup when installation of new application version is requested
●● Control and monitor push-notification services, event sources and related applications.
●● Troubleshooting and problem determination with server-initiated client log collection for given devices, apps and users
Automated collection of user-adoption, device and app properties, user actions and back-end calls, JSONStore and back-end system calls performance, usage information, exceptions, crashes, logs and response time, with customizable dashboards for auditing and reporting purposes. All collected data can be easily exported for further analysis by external business intelligence tools.
19
WebSphereTechnical White PaperIBM Software
Ready-to-use analytics helps address the following:
e rojects
with
oring of
ove her
s the lications
The MobileFirst Console can administer several runtimenvironments from several independent MobileFirst pdeployed to the same application server or cluster.
The MobileFirst Console includes role-based security different built-in profiles:
●● Monitor. This role includes read-only profile monitMobileFirst-deployed artifacts.
●● Operator. With this feature, you cannot add or remapplications and adapters but you can conduct all otmanagement operations
●● Deployer. This role includes the same capabilities aoperator role but also the capability of deploying appand adapters.
●● Administrator. This role includes all administrationoperations.
Operational analytics for usage insightsThe MobileFirst Platform provides an advanced operational analytics platform to automatically assemble and analyze user-adoption, device and app properties, user actions and back-end calls, JSONStore and back-end calls performance, usage information, exceptions, crashes, logs and response time. Search across logs and events collected from devices, apps and servers enable patterns and problems and platform-usage insights.
The following sources are combined into the analytics repository:
●● Interactions of any app-to-server activity; anything that is supported by the MobileFirst Platform client/server protocol, including push notification
●● Client-side logs and crashes●● Server-side logs that are captured in traditional MobileFirst
Platform log files
The IBM MobileFirst Server for analytics is provided as a WAR file for standard install and administration.
Using the MobileFirst Platform approach, developers can instrument mobile apps using the provided library for more efficient collection and streaming of information. Business leaders who optionally upgrade to the IBM Tealeaf® CX mobile platform can gain additional insight into mobile user-experience analytics. This insight includes session replays, device orientation, screen size and touch-screen interactions, to understand the behavior of mobile users for web and native applications. These insights empower organizational teams to diagnose and resolve customer struggles that can be difficult to identify and that inhibit application usability and effectiveness.
For more informationTo learn more about the IBM MobileFirst Platform, please contact your IBM representative or IBM Business Partner, or visit the following website: ibm.com/mobilefirst
Additionally, IBM Global Financing can help you acquire the software capabilities that your business needs in the most cost-effective and strategic way possible. We’ll partner with credit-qualified clients to customize a financing solution to suit your business and development goals, enable effective cash management, and improve your total cost of ownership. Fund your critical IT investment and propel your business forward with IBM Global Financing. For more information, visit: ibm.com/financing
© Copyright IBM Corporation 2014
IBM Corporation Software Group Route 100 Somers, NY 10589
Produced in the United States of America November 2014
IBM, the IBM logo, ibm.com, Cast Iron, DataPower, Jazz, Rational, Tealeaf, and Trusteer are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml
Fiberlink, MaaS360 are trademarks or registered trademarks of Fiberlink Communications Corporation, an IBM Company. Microsoft, Windows and Windows NT are trademarks of Microsoft Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
This document is current as of the initial date of publication and may be changed by IBM at any time.
It is the user’s responsibility to evaluate and verify the operation of any other products or programs with IBM products and programs.
THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.
The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation.
1The Upwardly Mobile Enterprise, IBM Institute for Business Value, October 2013
WSW14181-USEN-09
Please Recycle