Friday, February 28, 2014

Offline Apps: Don’t Forget the Security

Often when discussing the challenge of creating offline mobile apps we jump right to the issue of the synchronization business logic. Let today’s discussion serve as a reminder that offline mode presents important security considerations that must be planned for by the developer as well.

The Magic xpa Application Platform is among the elite class of application platforms that now provides capabilities for offline applications. 

Nevertheless, intentional effort is required to assure that proper and unique security measures are taken to protect offline apps and their data.  Offline security requires technical implementation measures, but beyond this it requires that developers apply business logic to the architecture and workflow of an application to make it secure. Even the most secure application platform can be misused to create insecure apps, so be careful to approach offline business app logic very carefully. 

Security may indeed be the most significant challenge for offline access to web services as opposed to using pure cloud services, because while the same network, server and application security concerns apply, offline access also requires storage on the device.  Therefore, malware, lost and stolen devices, and BYOD can all put your organization at risk of losing data held offline. Malware could access the local storage, lost or stolen devices could fall into the hands of data thieves, and a disgruntled user with their own device could seek to divulge the contents of their local storage after leaving the organization.

As with any mobile security challenge, this requires security to be built in to the business processes on several layers, from the device to the application and the user, as appropriate for the data being stored.  Securing devices is typically achieved through software measures such as user authentication and encryption while modern mobile device management (MDM) vendors provide tools external to the apps themselves like geofencing, remote wiping and device tracking to provide extra security and control over the device.Magic Software now offers a Mobile Device Management (MDM) platform to accompany its well known Magic xpa Application Platform and Magic xpi Integration Platform.

MDM and mobile application management (MAM) tools as well as modern application platforms help secure the applications, in particular providing the organization with the ability to view and manage who can access which applications, where, when and on which devices.  Finally, the data itself can be secured by requiring user authentication.  A combination of these layers should be used according to the data being stored.

For Magic xpa applications that require user authentication, user credentials should be securely stored on the client, to allow for operation without server authentication. To ensure validity, such credentials should be re-checked when connected.

When using integrated security with Magic xpa Application Platform, the user logon details and security credentials are automatically kept encrypted in the client cache. When running the application without connecting to the server, the last logon details (including rights) are used. Note that when running the application without connecting to the server, the logon dialog box will not appear. The logon credentials will be automatically synchronized on initial connection and on subsequent connected application startups.

Developers of offline apps have the tools they need, so don’t forget the security.