Mobile Operator APIs: Enablement, Exposure and Creation – Delivering Useful Services
SDP Global Summit 2013, 19. 9. 2013, Rome
Martin Prosek, VAS Platform Development Manager, Telefónica Czech Republic
About Telefónica Czech Republic
- Fixed and mobile voice and data, IPTV
- Operated under commercial brand O2
Introduction
01 API Evolution Quick Review
02 Operator's API Offer
03 Effective Use
04 Technical Solutions
05 Real Life
06 Recommendation
- Disclaimer: The opinions of the author expressed in this document do not necessarily state or reflect those of Telefónica company
Evolution
- Traditionally the SDP served for Operator/Developer relations
- In principle server to server integration
- Generally B2B collaboration model
[Diagram: Operator's Network – Developer's Application]
Evolution
- Open APIs allowed moving part of the value chain outside of the operator
- Short-tail partners, biggest players…
- Also 3rd party applications, not only operator branded
- Still server to server integration
- Standardization took place…
[Diagram: Developer's Application – Operator's Network; example: Mobile payments in CZ]
Evolution
- Smartphones allowed having independent apps on the device
- Smartphone apps act as thick-weight clients (native applications)*
- Developers benefit from many APIs (internal in the OS or external…)
- Use client-server integration
- Parallel with the operator world, different APIs
- Collaboration model closer to B2C
*Light-weight apps (widgets, HTML5…) are not as successful as native ones yet
[Diagram: Smartphone Application – Operator's Network]
Evolution
- Smartphones created separated ecosystems
- With their own APIs
- Operator becomes a dumb pipe
[Diagram: several Smartphone Applications, each in its own ecosystem]
APIs for Smartphone Apps
- The number of apps is still growing
- The need for APIs is growing as well!
APIs for Smartphone Apps
- But there is no need for operator APIs like SMS, MMS, Calling, Location – smartphones have them already in the OS! Or even OTT competitors can do it better…
- What else could the operator offer to developers?
Operator APIs Useful for Apps
- Mobile Identity
- User Profile
- Payments (in-app)
- Content services (if offered by operator…)
- Unified communications (if offered by operator…)
- Customer Mobile Self-care
- …
Why Should Developers Use Operators' APIs…
- Developers do not care about operators
- If asking for something, it is not for APIs, rather for exceptions from FUP or free data access to their services
- What can motivate them to use operators' APIs?
  • Financial incentives from operator
  • Need of touch with local market (might also be a regulatory condition…)
  • Access to user identity and profile
  • Access to payments
  • … or example: TU | Go
Operator APIs – Effective Use
- Better to ask what the operator does need?
- Operator needs own apps to keep the presence on the device!
Customer Mobile Self-care APIs
- The APIs enable
  • Service settings reading, changing
  • Service ordering
  • Service management (e.g. voicemail…)
  • Loyalty programme
- Ideal candidate to keep presence on the smartphone
- APIs can be used directly by the app
- Mobile identity can be utilized to speed up the sign-in
- Different from traditional server-to-server APIs
- Direct access to operator's API
- Open from the Internet
- Very specific for each operator
- No well established standards for exposure of these APIs yet
Technical Solution
[Diagram: Operator – Internet – Apps (several smartphone apps reaching the operator's API over the Internet)]
Technical Solution – Protocols
- Use of SSL is common
- REST and JSON are dominant*
REST call examples
    GET /UserProfile/v01/HomeLocation/420602749374 HTTP/1.1
    POST /Payment/UNICA/REST/v2/reservedPayments HTTP/1.1
JSON example
    {
      "userId": "acr:23002abcd420602123456",
      "description": "Birds Space Premium In-app Payment",
      "Amount": 46.42,
      "totalAmount": 56.63,
      "taxAmount": "10.21",
      "currency": "CZK",
      "referenceCode": "ref1234ABCD",
      "merchantId": "1234567",
      "channel": "D2B",
      "productId": "123456789012345",
      "productClass": "DigitalGood",
      "itemId": "https://play.google.com/store/apps/details?id=com.auvio.birdsspace.premium",
      "orderId": "7392947363",
      "merchantInfo": "Auvio Ltd., [email protected]",
      "revenueSharePercent": 5.00,
      "timestamp": "2013-04-05T14:30:12.043Z"
    }
*Even simpler APIs can be used (HTTP GET and Content-type text/plain…)
Technical Solution – Mandatory Functions
- SSL encryption
- Enhanced authentication (user, app, OTP support…)
- Intrusion detection
- High performance (1000 TPS and more)
- Light-weight processing
- Throttling
- Flexibility (API development time in hours)
- Governance
Technical Solution – Authentication
- The authentication model is extended
- Authenticate app (developer)
  • by some pre-shared key embedded in the app (API parameter, User Agent string, client SSL certificate etc.)
- Authenticate user (identity)
  • NW based authentication (MSISDN)
  • For WiFi accesses
    › Username/password authentication
    › One-time Password over SMS
    › Client SSL certificate
    › Even federated login (e.g. using Facebook account)
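As an added example, not part of the deck, the function below shows how an API gateway can decide which of the two user-authentication paths above applies: the network-inserted MSISDN is accepted only for requests that actually arrived through the operator's network, while a WiFi client must present a session verified by one-time password over SMS. The address range, the X-MSISDN and X-Session-Id header names and the session table are assumptions.

```python
import ipaddress

# Constructed sample data, not from the original deck. The address range is
# an assumption standing in for the operator's own packet-gateway egress, and
# "X-MSISDN" is a hypothetical name for the header that gateway inserts.
OPERATOR_EGRESS = [ipaddress.ip_network("10.64.0.0/16")]
# OTP-verified sessions for WiFi users: session id -> MSISDN (constructed).
OTP_SESSIONS = {"sess-7f3a": "420602749374"}


def identify_user(peer_ip, headers):
    """Return (method, msisdn) for the request, or (None, None).

    The network-inserted MSISDN header is trusted only when the request
    came through the operator's own gateway. From the open Internet (WiFi,
    any ISP) the same header is client-controlled, so it is ignored and the
    user must hold a session established by one-time password over SMS."""
    ip = ipaddress.ip_address(peer_ip)
    from_operator_network = any(ip in net for net in OPERATOR_EGRESS)
    msisdn = headers.get("X-MSISDN")
    if from_operator_network and msisdn:
        return "network", msisdn
    session_msisdn = OTP_SESSIONS.get(headers.get("X-Session-Id", ""))
    if session_msisdn:
        return "otp", session_msisdn
    return None, None
```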
Technical Solution – Security Risks
- It is the free Internet – not the operator's network!
- DDoS attacks on the API are possible
- Attempts to hack the API must be expected
- Anyone can reverse engineer the app and fake the credentials – identity theft
- Even worse case – trojan horse apps
- Embed security checks into the app
- Monitor app usage
- Use proven web technologies – WAF, IDS, SIEM…
Technical Solution – Authorization by User
- When opening any API for public use amongst app developers, a new issue appears
- An application can do almost anything in the background without informing the user
- Operators should not forget that they are responsible for everything that might be done to the customer
- Operators have the right to authorize every request from the partner or the application
- OAuth is well suited
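As an added example (not code from the deck or from Telefónica), the two checks below contrast the app-key-only authorization that the "fake the credentials" risk above defeats with an OAuth-style user-authorized check for the reservedPayments request: the user-bound token must carry the payment scope the user granted and its subject must equal the request's userId, and every rejection is counted per app for usage monitoring. The header names, app key, tokens, scopes and the trimmed request body are constructed assumptions.

```python
import time
from collections import Counter

# Constructed sample data, not from the original deck: app keys the operator
# issued to developers, and user-bound access tokens obtained through
# OAuth-style user consent (token -> subject, granted scopes, expiry epoch).
APP_KEYS = {"app-key-birdsspace": "com.auvio.birdsspace.premium"}
TOKENS = {
    "tok-user-123456": {"sub": "acr:23002abcd420602123456",
                        "scope": {"payment", "profile"}, "exp": 4102444800},
    "tok-profile-only": {"sub": "acr:23002abcd420602999999",
                         "scope": {"profile"}, "exp": 4102444800},
}
REJECTIONS = Counter()  # failures per app key, a minimal usage-monitoring signal

# Constructed request body, trimmed from the deck's reservedPayments example.
PAYMENT_REQUEST = {"userId": "acr:23002abcd420602123456",
                   "description": "Birds Space Premium In-app Payment",
                   "totalAmount": 56.63, "currency": "CZK", "merchantId": "1234567"}


def authorize_weak(headers):
    """App pre-shared key only: whoever extracts the key from the app binary
    can reserve payments for any userId (the identity-theft case)."""
    return headers.get("X-App-Key") in APP_KEYS


def authorize(headers, body, now=None):
    """Hardened check: the app key only identifies the app; the payment is
    allowed when a user-bound token (1) is unexpired, (2) carries the
    'payment' scope the user consented to and (3) has a subject equal to the
    request's userId, so a stolen app key cannot act for other users."""
    now = time.time() if now is None else now
    key = headers.get("X-App-Key", "")
    app_id = APP_KEYS.get(key)
    if app_id is None:
        return False, "unknown app key"
    auth = headers.get("Authorization", "")
    tok = TOKENS.get(auth[7:]) if auth.startswith("Bearer ") else None
    if tok is None or tok["exp"] <= now:
        reason = "invalid or expired user token"
    elif "payment" not in tok["scope"]:
        reason = "user did not grant 'payment' scope"
    elif tok["sub"] != body.get("userId"):
        reason = "token subject does not match userId"
    else:
        return True, app_id
    REJECTIONS[key] += 1  # feed the rejection rate per app into monitoring
    return False, reason
```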
Technical Solution – TEF CZ Framework
- Lego-like approach
[Diagram: Smartphone Apps, Server-side Apps and the Browsing GW connect through the API GW (Access Security, Orchestration, Enablers) to the NW ESB and the IT ESB]
Real Life – Disobedient Developers…
- Even when the applications are made exclusively for the operator, the developers tend to use a connection to their own backend
- They are reasoning that their approach is better:
  • Cheaper development
  • Better performance
  • Shielding against API changes
  • Guaranteed operation
  • …
- Operator has to find good counter-arguments…
[Diagram: App – API B-E – Operator]
Advantages and Opportunities
- For operators
  • Use SDP for proven success case
  • Open the APIs for free use by developers
- For standardization bodies
  • Propose standard
- For vendors
  • Offer ready-made solutions, even including SDKs
Thank you.