Security Considerations Mobile Apps¶
IFS Cloud Mobile works by connecting device specific applications through to the customers IFS Cloud system and communicate with IFS Cloud using oData through IFS Cloud OData Provider. IFS Cloud Mobile Native Sync Server prepares the data that is synchronized to the device. Both IFS Cloud oData Provider and IFS Cloud Mobile Native Sync Service communicates with IFS Cloud Mobile Native Notification, which handles the push communication to the device and IFS Cloud Mobile Native Executor, which handles the mobile offline transactions.
Business logic that is specific to the mobile app runs as a projection in IFS Cloud.
Securing the device¶
Mobile apps are most often single-user apps that rely on device security to protect data. Once a device has been unlocked users can view and act on information in the mobile apps. There are exceptions to this rule; multi-user apps and apps that handle sensitive data. For these apps a password must be entered every time the app is started, but once the app is up and running it can still be accessed by anyone if the device is left unprotected.
IFS recommend that our customers adhere to best practice routines for protecting their devices. This includes but is not limited to the precautions listed below:
- The level of protection required depends on the sensitivity of the data in the particular mobile app installed on the device, but a minimum protection level would include a lock screen with pass code, pattern, finger print or equivalent lock method.
- Running any app on a rooted/jailbroken device is strongly discouraged for security reasons.
- For stronger device protection IFS recommend the use of MDM (Mobile Device Management) software.
- On Android devices, if an external SD card is used, secure it with the Android OS's file-level encryption.
- This will typically be a toggle option found in the Security menu in the Settings app, and is usually called "Encrypt SD card". Since Android transparently handles the encryption and decryption, this provides the best performance and security, and also ensures that files created locally, for example Service Reports, remain encrypted yet can be opened in another app if desired.
- IFS Cloud Mobile apps do not apply encryption to individual files since doing so causes significant performance losses and because local files cannot then be opened in another app, and therefore, the OS-based file-level encryption (i.e.: "Encrypt SD card" option) is recommended.
- Note however that this only guards against data leakage as a result of external SD card theft, so physical security of devices and mechanisms like pass code or biometrics is paramount.
There are also some further security settings that can be set per app and steered by an application parameter:
-
PIN Code Authentication
-
The application parameter PIN_AUTHENTICATION steer if you want to secure the device local database with a PIN code or not.
-
For the PIN code authentication there are also other application parameters, that steer:
- the behavior of the PIN code. You can lock or block the PIN code, after x number of wrong PIN codes attempts.
- minimum length of the PIN code.
- number of retries that can be used when attempting to enter the PIN code.
- how long the locking period should be.
- complexity of the PIN code, there a complex PIN code needs to follow a certain pattern.
-
-
Screenshots
- The application parameter ENABLE_SCREENSHOTS makes it possible to prevent screenshots to be taken using the device.
Application Distribution¶
Mobile apps are distributed through the standard channels for the different platforms; Apple App Store, Google Play and Windows Store.
User Authentication¶
Mobile app uses the same authentication mechanism as other IFS Cloud clients such as IFS Cloud Web. If IFS Cloud has been configured to use an external Open ID Connect Provider then that is what mobile app will use. For example if the system has been configured to use Azure AD then that is what mobile app will use. If multi factor authentication is required for mobile app then IFS Cloud have to be configured to use an external Open ID Connect Provider which supports multi factor authentication.
It is important to note that mobile app always uses the DEFAULT application type when authenticating the mobile app users. Please refer here for more information.
User Authorization¶
Protection of information in the IFS Cloud database rests on the same principles as if the mobile app were not there. This implies that what end users can do from IFS Cloud Web they can also do from an IFS Cloud Mobile, if enabled for the system, and what they cannot do from IFS Cloud Web they cannot do from an IFS Cloud Mobile even if the app is enabled for the system.
For mobile app dealing with sensitive data it is possible to make use of additional, app specific grants allowing customers to restrict usage of the IFS Cloud Mobile to selected personnel. This is in addition to the regular privileges required to access the functionality through IFS Cloud Web.