© 2013 IBM Corporation

Mobile Domino Applications – Offline Capability and Security

Matthew Fyleman | Product / Project Manager - We4IT

We4IT lcty 2013 - captain mobility - mobile domino applications offline capability and security

Please note:

IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

Agenda

Why is Offline Persistence Important?

Offline Persistence and HTML 5.0

Synchronisation and REST APIs

Security Considerations

Securing Offline Data

An Easier Way ...

Q & A

Welcome and Introductions

Matthew Fyleman ─ Senior Product / Project Manager: We4IT GmbH.

– 20 years of Lotus Notes / Domino Development Experience

– Recently focused entirely on XPages development

– Working on We4IT's XPages framework – Aveedo

– Also on Offline capabilities for docLinkr

Increasing Demand for Mobile Applications

Smartphones and Tablets commonplace

Awareness that application access on smart devices is possible

Initially a mix of mobile browser and native applications

Native applications often worked offline ...

The Importance of Offline Persistence

In most cases, connected access only is acceptable

Some application data is useful to have offline:

─ Who uses the contacts app on their phone for more than just dialling?

─ What about a sales rep.?

Despite provider claims coverage is not universal:

─ No coverage

─ Canyoning in cities

─ Mandatory shutdown of wireless connections (planes*, hospitals)

Until recently offline persistence was only possible in native applications

Titanium Studio, PhoneGap etc. make native applications for multiple device platforms easier

But there is now another option ...

HTML 5 and Web SQL

HTML 5 has Web SQL and offline storage management features

If you are competent with HTML, JavaScript and Web 2.0 technologies it is reasonably straightforward.

A simple example can be found at this address:

─ http://tutorials.html5rocks.com/en/tutorials/webdatabase/todo/

But …

Current HTML 5 Issues

The bulk of HTML 5 is established and usable in most browsers, including mobile

However, the standard is unlikely to be ratified before 2014 (?!!)

Implementation is inconsistent across browsers

─ Mostly minor inconsistencies, but in particular -

Storage and Web SQL currently only work under Chrome

So for the moment native is still the easiest way to go ...

Synchronicity

Setting up an offline database is relatively simple

The tricky bit is the synchronisation with the online storage

We've been here before …

Notes' replication engine was actually an afterthought!

A short REST ...

RESTful Services

Representational State Transfer – Roy Fielding, see Wikipedia article:

─ http://en.wikipedia.org/wiki/Representational_state_transfer

Not a standard!

Simpler than other protocols (e.g. SOAP), yet still scalable

Uses URIs for calls

Asynchronous and stateless

Some RESTful Thoughts ...

Plan your API – it makes implementation much simpler

Version it – but avoid providing a general pointer to latest

Document it – nothing slows adoption like the lack of documentation

In Domino, make use of XAgents:

─ See XAgents – Web Agents XPages Style at Wissel.Net

─ http://www.wissel.net/blog/d6plinks/shwl-7mgfbn

Not a tutorial but take a look at:

─ BP204 Take a REST and put your data to work with APIs

─ Craig Schumann - Inner Ring Solutions

─ http://www.innerringsolutions.com/downloads/Connect2013/BP204.pdf

Final Synchronisation Thoughts

Write a generic synchronisation engine:

─ JavaScript library client side

─ XAgent server side (in Java!)

Engine will be driven from client:

─ Must push (send to server)

─ Pull (receive from server)

─ Be Asynchronous but allow data to be chunked

Decide how to deal with conflicts

You will still need to design each offline version separately

─ (Unless you want to construct a formula interpreter!)
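
The engine outlined on this slide, as an added example that is not part of the original slides: a client-driven push and pull in chunks, with conflicts reported back to the application. Detecting conflicts by revision number, tracking pulls by sequence number, and all names (`FakeServer`, `sync`, `demoSync`) are assumptions; the HTTP calls to the XAgent are replaced by direct calls so the example runs offline.

```javascript
// Added example. FakeServer is a constructed in-memory stand-in for the XAgent endpoint.
class FakeServer {
  constructor() { this.docs = new Map(); this.seq = 0; }
  // Push: accept a change only if the client edited the revision the server still holds.
  push(changes) {
    const accepted = [], conflicts = [];
    for (const c of changes) {
      const cur = this.docs.get(c.id) || { rev: 0 };
      if (c.baseRev !== cur.rev) { conflicts.push({ id: c.id, serverRev: cur.rev }); continue; }
      this.docs.set(c.id, { id: c.id, rev: cur.rev + 1, seq: ++this.seq, data: c.data });
      accepted.push({ id: c.id, rev: cur.rev + 1 });
    }
    return { accepted, conflicts };
  }
  // Pull: records changed after sequence number `since`, at most `limit` per call.
  pull(since, limit) {
    const changed = [...this.docs.values()].filter((d) => d.seq > since).sort((a, b) => a.seq - b.seq);
    const page = changed.slice(0, limit);
    const next = page.length ? page[page.length - 1].seq : since;
    return { docs: page, next, more: changed.length > limit };
  }
}

// Client-driven sync: push dirty records in chunks, then pull in chunks until drained.
function sync(client, server, chunkSize) {
  const conflicts = [];
  const pending = [...client.dirty.values()];
  for (let i = 0; i < pending.length; i += chunkSize) {
    const res = server.push(pending.slice(i, i + chunkSize));
    for (const a of res.accepted) client.dirty.delete(a.id);
    conflicts.push(...res.conflicts); // stays dirty until the app resolves it
  }
  for (let more = true; more;) {
    const res = server.pull(client.lastSeq, chunkSize);
    // Keep unsynced local edits: a pulled copy never overwrites a dirty record.
    for (const d of res.docs) if (!client.dirty.has(d.id)) client.store.set(d.id, d);
    client.lastSeq = res.next;
    more = res.more;
  }
  return conflicts;
}

// Constructed scenario: 'a' was edited offline from a stale revision, 'd' is new.
function demoSync() {
  const server = new FakeServer();
  server.push(['a', 'b', 'c'].map((id) => ({ id, baseRev: 0, data: 'server ' + id })));
  const client = { store: new Map(), dirty: new Map(), lastSeq: 0 };
  for (const id of ['a', 'd']) client.dirty.set(id, { id, baseRev: 0, data: 'local ' + id });
  return { client, conflicts: sync(client, server, 2) };
}
```

Because `lastSeq` moves past a conflicting record, whatever resolves the conflict has to fetch the server copy of that record explicitly.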

They're Out To Get You ...

Data on a mobile device is inherently insecure

─ Even in sandbox environments like Good Technology

Lost or Stolen phones are an issue – but most thieves would not know the value of the data

Weakest link is the user

Rule #1: If data is really that sensitive, don't put it on a mobile device!

Rule #2: If you support a BYOD environment (and even if you don't) put a mobile data policy in place:

─ Otherwise you might be sued!

─ Examples available on the web

Security on the Move

Synchronisation security (online)

─ Authentication (HTTP, SSL, LTPA)

─ Authorisation (OAuth)

─ Interesting article:

– http://www.darkreading.com/security/client-security/232500640/the-future-of-web-authentication.html

Storage Security (offline)

─ Do NOT rely on device-memory storage to keep data secure (DropBox!)

─ Most important to encrypt sensitive data, particularly, but not exclusively, for removable storage

─ There are JS encryption libraries out there but not particularly robust

─ Always keep in mind Rule #1 on the previous slide!
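
The storage-security bullets above call for encrypting sensitive data before it is stored offline. The following added example (not from the original slides) does that per record with the browser's built-in Web Crypto API, which is an assumption since the slides name no library; `deriveKey`, `sealRecord`, `openRecord`, `demoSeal`, the record shape and the passphrase are hypothetical.

```javascript
// Added example. Uses the Web Crypto API; the fallback lets it run under Node as well.
const wc = globalThis.crypto && globalThis.crypto.subtle
  ? globalThis.crypto
  : require('node:crypto').webcrypto;
const enc = new TextEncoder();
const dec = new TextDecoder();
const toB64 = (bytes) => btoa(String.fromCharCode(...bytes));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Derive an AES-256-GCM key from a passphrase entered at unlock time.
// The key is non-extractable and is never written to storage; only the salt is.
// The iteration count is an assumed value: tune it to the slowest target device.
async function deriveKey(passphrase, salt, iterations = 200000) {
  const base = await wc.subtle.importKey(
    'raw', enc.encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations, hash: 'SHA-256' },
    base, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Encrypt one record for the offline store. The record id is bound in as
// additional authenticated data, so a ciphertext copied onto another row
// fails to decrypt instead of silently showing the wrong data.
async function sealRecord(key, id, record) {
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh nonce for every write
  const ct = await wc.subtle.encrypt(
    { name: 'AES-GCM', iv, additionalData: enc.encode(id) },
    key, enc.encode(JSON.stringify(record)));
  return { id, iv: toB64(iv), ct: toB64(new Uint8Array(ct)) };
}

// Decrypt a stored row. Rejects if the passphrase is wrong or the row was altered.
async function openRecord(key, row) {
  const pt = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: fromB64(row.iv), additionalData: enc.encode(row.id) },
    key, fromB64(row.ct));
  return JSON.parse(dec.decode(pt));
}

// Constructed sample record and passphrase, not data from the slides.
async function demoSeal() {
  const salt = wc.getRandomValues(new Uint8Array(16)); // stored beside the rows
  const key = await deriveKey('constructed-passphrase', salt);
  const row = await sealRecord(key, 'contact-17', { name: 'A. Example', phone: '555-0100' });
  return { row, opened: await openRecord(key, row) };
}
```

This protects rows on a device that is lost while the application is locked; the key is in memory whenever the application is unlocked, so Rule #1 still applies.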

Why Go To All That Trouble?

Several Moderately Complex Applications?

Need to enable them all for mobile?

Want offline capability for some/all?

docLinkr

Summary

Offline capability for mobile applications is desirable

─ And in some cases essential!

HTML 5 will make this simpler, but it is not quite there yet

Use RESTful services and XAgents for Synchronisation

The User is the weakest link in the security chain – remember Rule #1

Mobile security centers on Authentication, Authorisation and Encryption

There are easier ways of doing things!

Q & A

Legal disclaimer

© IBM Corporation 2013. All Rights Reserved. The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here. All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.