Mobile Operator APIs
Enablement, Exposure and Creation – Delivering Useful Services
SDP Global Summit 2013, 19. 9. 2013, Rome
Martin Prosek, VAS Platform Development Manager, Telefónica Czech Republic

SDP Global Summit 2013


Page 1: SDP Global Summit 2013

Mobile Operator APIs

Enablement, Exposure and Creation – Delivering Useful Services

SDP Global Summit 2013

19. 9. 2013 Rome

Martin Prosek, VAS Platform Development Manager

Telefónica Czech Republic

Page 2: SDP Global Summit 2013

About Telefónica Czech Republic

▪ Fixed and mobile voice and data, IPTV

▪ Operated under commercial brand O2

Page 3: SDP Global Summit 2013

Introduction

01 API Evolution Quick Review

02 Operator's API Offer

03 Effective Use

04 Technical Solutions

05 Real Life

06 Recommendation

▪ Disclaimer: The opinions of the author expressed in this document do not necessarily state or reflect those of Telefónica company

Page 4: SDP Global Summit 2013

Evolution

▪ Traditionally the SDP served for Operator/Developer relations

▪ In principle server to server integration

▪ Generally B2B collaboration model

[Diagram: Operator's Network, Developer's Application]

Page 5: SDP Global Summit 2013

Evolution

▪ Open APIs allowed moving part of the value chain outside of the operator

▪ Short-tail partners, biggest players…

▪ Also 3rd party applications, not only operator branded

▪ Still server to server integration

▪ Standardization took place…

[Diagram: Developer's Application, Operator's Network]

Mobile payments in CZ

Page 6: SDP Global Summit 2013

Evolution

▪ Smartphones made it possible to have independent apps on the device

▪ Smartphone apps act as thick-weight clients (native applications)*

▪ Developers benefit from many APIs (internal in OS or external…)

▪ Use client-server integration

▪ Parallel with the operator world, different APIs

▪ Collaboration model closer to B2C

*Light-weight apps (widgets, HTML5…) are not yet as successful as native ones

[Diagram: Smartphone Application, Operator's Network]

Page 7: SDP Global Summit 2013

Evolution

▪ Smartphones created separated ecosystems

▪ With their own APIs

▪ Operator becomes a dumb pipe

[Diagram: Smartphone Applications]

Page 8: SDP Global Summit 2013

APIs for Smartphone Apps

▪ The number of apps is still growing

▪ The need for APIs is growing as well!

Page 9: SDP Global Summit 2013

APIs for Smartphone Apps

▪ But the need for operator APIs like SMS, MMS, Calling, Location is not – smartphones already have them in the OS! Or OTT competitors can even do it better…

▪ What else could the operator offer to developers?

Page 10: SDP Global Summit 2013

Operator APIs Useful for Apps

▪ Mobile Identity

▪ User Profile

▪ Payments (in-app)

▪ Content services (if offered by operator…)

▪ Unified communications (if offered by operator…)

▪ Customer Mobile Self-care

▪ …

Page 11: SDP Global Summit 2013

Why Should Developers Use Operators' APIs…

▪ Developers do not care about operators

▪ If they ask for something, it is not APIs but rather exceptions from FUP or free data access to their services

▪ What can motivate them to use operators' APIs?

• Financial incentives from operator

• Need for touch with the local market (might also be a regulatory condition…)

• Access to user identity and profile

• Access to payments

• … or example …

TU | Go

Page 12: SDP Global Summit 2013

Operator APIs – Effective Use

▪ Better to ask: what does the operator need?

▪ The operator needs its own apps to keep its presence on the device!

Page 13: SDP Global Summit 2013

Customer Mobile Self-care APIs

▪ The APIs enable

• Service settings reading, changing

• Service ordering

• Service management (e.g. voicemail…)

• Loyalty programme

▪ Ideal candidate to keep presence on the smartphone

▪ APIs can be used directly by the app

▪ Mobile identity can be utilized to speed up the sign-in

Page 14: SDP Global Summit 2013

Technical Solution

▪ Different from traditional server-to-server APIs

▪ Direct access to operator's API

▪ Open from Internet

▪ Very specific for each operator

▪ No well established standards for exposure of these APIs yet

[Diagram: Apps, Internet, Operator]

Page 15: SDP Global Summit 2013

Technical Solution – Protocols

▪ Use of SSL is common

▪ REST and JSON are dominant*

REST call examples

    GET /UserProfile/v01/HomeLocation/420602749374 HTTP/1.1

    POST /Payment/UNICA/REST/v2/reservedPayments HTTP/1.1

JSON example

    {
      "userId": "acr:23002abcd420602123456",
      "description": "Birds Space Premium In-app Payment",
      "Amount": 46.42,
      "totalAmount": 56.63,
      "taxAmount": "10.21",
      "currency": "CZK",
      "referenceCode": "ref1234ABCD",
      "merchantId": "1234567",
      "channel": "D2B",
      "productId": "123456789012345",
      "productClass": "DigitalGood",
      "itemId": "https://play.google.com/store/apps/details?id=com.auvio.birdsspace.premium",
      "orderId": "7392947363",
      "merchantInfo": "Auvio Ltd., [email protected]",
      "revenueSharePercent": 5.00,
      "timestamp": "2013-04-05T14:30:12.043Z"
    }

*Even simpler APIs can be used (HTTP GET and Content-type text/plain…)

Page 16: SDP Global Summit 2013

Technical Solution – Mandatory Functions

▪ SSL encryption

▪ Enhanced authentication (user, app, OTP support…)

▪ Intrusion detection

▪ High performance (1000 TPS and more)

▪ Light-weight processing

▪ Throttling

▪ Flexibility (API development time in hours)

▪ Governance

Page 17: SDP Global Summit 2013

Technical Solution – Authentication

▪ The authentication model is extended

▪ Authenticate app (developer)

• by some pre-shared key embedded in the app (API parameter, User Agent string, client SSL certificate etc.)

▪ Authenticate user (identity)

• NW based authentication (MSISDN)

• For WiFi accesses

› Username/password authentication

› One-time Password over SMS

› Client SSL certificate

› Even federated login (e.g. using Facebook account)

Page 18: SDP Global Summit 2013

Technical Solution – Security Risks

▪ It is the free Internet – not the operator's network!

▪ DDoS attacks to the API are possible

▪ Attempts to hack the API must be expected

▪ Anyone can reverse engineer the app and fake the credentials – identity theft

▪ Even worse case – trojan horse apps

▪ Embed security checks into the app

▪ Monitor app usage

▪ Use proven web technologies – WAF, IDS, SIEM…
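
The extended authentication model from the Authentication and Security Risks slides, as an added example that is not part of the original deck: the app key only identifies the app, and the user is authenticated separately, by the network on-net or by an explicit method off-net. The app registry, key value and request field names are hypothetical; `on_operator_network` and `network_msisdn` are assumed to be set by the operator's own gateway.

```python
import hmac

# Hypothetical app registry; the key value is constructed sample data.
APP_KEYS = {"selfcare-android": "k3y-embedded-in-apk"}
# User authentication methods the slide lists for WiFi (off-net) access.
OFF_NET_METHODS = {"password", "sms_otp", "client_cert", "federated"}

def authenticate(request):
    """Return (app_id, msisdn, method) or raise PermissionError.

    Assumed request fields (all hypothetical): app_id, app_key,
    on_operator_network and network_msisdn (both set by the operator's
    gateway, never taken from the client), and user_auth, a dict with
    method, msisdn and verified (result of the off-net login step).
    """
    # Step 1: authenticate the app (developer) by its pre-shared key.
    expected = APP_KEYS.get(request.get("app_id"), "")
    supplied = str(request.get("app_key") or "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        raise PermissionError("unknown app or bad app key")
    # The key ships inside the app and can be extracted, so it identifies
    # the app only and never stands in for the user.

    # Step 2: authenticate the user (identity).
    if request.get("on_operator_network"):
        msisdn = request.get("network_msisdn")
        if not msisdn:
            raise PermissionError("no network-asserted MSISDN")
        return request["app_id"], msisdn, "network"
    user = request.get("user_auth") or {}
    if (user.get("method") not in OFF_NET_METHODS
            or user.get("verified") is not True
            or not user.get("msisdn")):
        raise PermissionError("off-net access needs explicit user authentication")
    return request["app_id"], user["msisdn"], user["method"]
```
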

Page 19: SDP Global Summit 2013

Technical Solution – Authorization by User

▪ When opening any API for public use amongst app developers, a new issue appears

▪ An application can do almost anything in the background without informing the user

▪ Operators should not forget that they are responsible for everything that might be done to the customer

▪ Operators have the right to authorize every request from the partner or the application

▪ OAuth is well suited
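
Per-request authorization in the OAuth style described on this slide, as an added example that is not part of the original deck: each request is checked against what the user consented to for that app, and against the subscriber the token belongs to. The two paths are the REST calls from the Protocols slide; the scope names, token store, app name and the `body_subject` parameter are hypothetical.

```python
import re

# Paths come from the Protocols slide; scope names are hypothetical.
ROUTES = [
    ("GET", re.compile(r"^/UserProfile/v01/HomeLocation/(?P<msisdn>\d+)$"),
     "profile.location.read"),
    ("POST", re.compile(r"^/Payment/UNICA/REST/v2/reservedPayments$"),
     "payment.reserve"),
]

# Constructed token store: what the user consented to, and for which app.
TOKENS = {
    "tok-abc": {"app": "birds-space", "msisdn": "420602123456",
                "scopes": {"profile.location.read"}, "expires": 1_700_000_000},
}

def authorize(token, method, path, now, body_subject=None):
    """Return (allowed, reason) for one API request.

    body_subject is the subscriber the request body refers to, resolved by
    the gateway (assumption), for calls that carry no MSISDN in the path.
    """
    grant = TOKENS.get(token)
    if grant is None:
        return False, "unknown token"
    if now >= grant["expires"]:
        return False, "token expired"
    for verb, pattern, scope in ROUTES:
        match = pattern.match(path)
        if verb != method or not match:
            continue
        if scope not in grant["scopes"]:
            return False, "user did not consent to " + scope
        # The subscriber named in the request must be the one who granted
        # the token; a valid token for one user gives no access to another.
        target = match.groupdict().get("msisdn") or body_subject
        if target != grant["msisdn"]:
            return False, "request targets another subscriber"
        return True, "ok"
    return False, "no such API"  # default deny for unmapped calls
```
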

Page 20: SDP Global Summit 2013

Technical Solution – TEF CZ Framework

▪ Lego-like approach

[Diagram: Smartph. Apps, Svr-side Apps, Browsing GW, API GW, Access Security, Orchestration, Enablers, NW ESB, IT ESB]

Page 21: SDP Global Summit 2013

Real Life – Disobedient Developer's…

▪ Even when the applications are made exclusively for the operator, the developers tend to use a connection to their own backend

▪ They argue that their approach is better:

• Cheaper development

• Better performance

• Shielding against API changes

• Guaranteed operation

• …

▪ Operator has to find good counter-arguments…

[Diagram: App, API B-E, Operator]

Page 22: SDP Global Summit 2013

Advantages and Opportunities

▪ For operators

• Use SDP for proven success case

• Open the APIs for free use by developers

▪ For standardization bodies

• Propose standard

▪ For vendors

• Offer ready-made solutions, even including SDKs

Page 23: SDP Global Summit 2013

Thank you.