Week 6 Unit 1: Mobile Security

OpenSAP Mobile1 Week 06 Enterprise Security Concept Outlook


© 2013 SAP AG. All rights reserved. Public

Mobile Security
Mobile Introduces Additional Risks for Enterprise Data

Mobile (enterprise) applications
– Access enterprise data and functions
– Store sensitive data (login or business data)
– Run in an untrusted environment

Mobile devices
– Are carried around
– Lost or stolen
– Offer a unique combination of data processing and communication capabilities

Mobile users
– Merge personal and corporate data (BYOD)
– Tend to accept security popups

Mobile Security
Some Threats

Malicious apps on device

Man-in-the-middle attacks

Eavesdropping

Denial-of-service attacks

Conclusion: Need to take security seriously and establish protection mechanisms!

Mobile Security
Enterprise Security Means Protecting All Layers

On device
– Apply vendor-specific security mechanisms
– Leverage Mobile Device Management
– Protect enterprise applications

Network infrastructure
– Secure communication using HTTPS
– Multi-layered defense against threats like denial of service

Back end
– Authenticate users
– Check authorizations
– Validate incoming data

[Figure: architecture diagram with the labels Mobile App, Application Code, OData, SAP Mobile Platform, SAP NetWeaver Gateway, Back-End Server]

Mobile Security
Protecting the Back End

Authenticate users
– Various options, such as basic authentication, X.509, OAuth 2.0, SAML 2.0

Check authorizations
– Use back-end authorization concept

Validate incoming data
– Validate OData request based on metadata
– Protection against injection attacks
– Virus check of binaries
– XSRF protection

Mobile Security
Protecting via Network Infrastructure

Secure communication
– Use HTTPS
– Rely on defaults and trusted libraries
– No certificate dialogs

Multi-layered defense
– No direct access to the back end
– Protect the back end against denial of service
– Reverse proxy or VPN access
– Authenticate/validate requests on network edge

Mobile Security
Protecting On Device

Apply vendor-specific security mechanisms
– App sandbox
– Keychains

Leverage Mobile Device Management

Protect enterprise applications
– Encrypt sensitive data
– Protect access to the application

Thank you

Contact information:

[email protected]


© 2013 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


Week 6 Unit 2: Protecting Enterprise Applications

Protecting Enterprise Applications
Enhancement 1: Securely Store Back-End Credentials

Most mobile applications need to store some sort of sensitive data.

We will extend the Android application to securely store back-end credentials.

In our example: username and password of SAP NetWeaver Gateway
Could also be X.509 certificate or an access token

Protecting Enterprise Applications
Enhancement 1: Implement a Secure Store with Data Vault

SAP Mobile Platform Data Vault
– Securely stores secrets on device
– Standalone library
– Delivered with SAP’s mobile SDK
– AES 256-bit key encryption
– Can be locked/unlocked with a passcode
– Is deleted after a configurable number of failed login attempts
– Timeout mechanism

Protecting Enterprise Applications
Enhancement 2: Protect Access to the Application

Sensitive data and functions can be accessed when the application is resumed from background.

We will extend the Android application to protect access.

Protecting Enterprise Applications
Enhancement 2: Typical Life Cycle of a Native Mobile Application

Native mobile applications in “suspended” mode keep living in the background.
– Usually closed only if the device runs out of resources
– Means they might be open for weeks
– Potential source of sensitive data leakage

[Figure: application life cycle with the states Installed, Started, Running, Suspended, Closed; transition labels: User launches another application; Low memory / Low battery; User navigates back to the application]

Protecting Enterprise Applications
Enhancement 2: Protect Access with the Application Passcode

(Mobile) application passcode
– Use the data vault passcode as application passcode.
– Lock the data vault when app is suspended or closed.
– Prompt the user when starting/resuming the application.
– Unlock vault and application with application passcode.
– Delete vault in case of too many failed attempts.

[Figure: application life cycle with the states Installed, Started, Running, Suspended, Closed, annotated with "Unlock data vault" (twice) and "Lock data vault"]

Protecting Enterprise Applications
Enhancement 1 + 2: User Interface (UI) Changes and Flow

UI for login
– Initial login: Enhanced login view to set the application passcode
– Data vault login: New view to enter application passcode

Flow
On initial application launch:
– Trigger initial login view.
– Create data vault and store credentials.
– Access application.
When application is started or resumed:
– Trigger “data vault login”.
– Unlock data vault with application passcode.
– Access application.
When application is closed or suspended:
– Lock data vault.

[Screenshots: Initial Login; Data Vault Login]
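The passcode flow above (create the vault on initial login, lock on suspend, unlock on resume, delete after too many failed attempts), sketched as an added Java example that is not from the course or the SAP SDK. `PasscodeVault`, the PBKDF2 + AES-GCM construction, the iteration count and the limit of three attempts are assumptions; the SAP Data Vault API itself does not appear on these slides.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.*;

/** Hypothetical passcode-protected vault (illustration only, not the SAP Data Vault API). */
public class PasscodeVault {
    private static final int MAX_FAILED_ATTEMPTS = 3;   // assumed policy value
    private static final int KDF_ITERATIONS = 100_000;  // assumed work factor

    private final SecureRandom rng = new SecureRandom();
    private byte[] salt = new byte[16], iv = new byte[12], sealed; // the persisted part
    private SecretKey key;       // held in memory only while the vault is unlocked
    private int failedAttempts;

    /** Initial login: create the vault and store the credentials under the passcode. */
    public PasscodeVault(char[] passcode, String credentials) throws GeneralSecurityException {
        rng.nextBytes(salt);
        rng.nextBytes(iv);       // used for exactly one encryption, so never reused
        key = derive(passcode);
        sealed = crypt(Cipher.ENCRYPT_MODE, key, credentials.getBytes(StandardCharsets.UTF_8));
    }

    private SecretKey derive(char[] passcode) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(passcode, salt, KDF_ITERATIONS, 256); // AES-256 key
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    private byte[] crypt(int mode, SecretKey k, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, k, new GCMParameterSpec(128, iv));
        return c.doFinal(in);    // on decrypt, a wrong key fails the GCM tag check
    }

    /** Call when the application is suspended or closed: drop the key from memory. */
    public void lock() { key = null; }

    /** Call when the application is started or resumed; false = wrong passcode or deleted vault. */
    public boolean unlock(char[] passcode) throws GeneralSecurityException {
        if (sealed == null) return false;               // vault was already deleted
        SecretKey candidate = derive(passcode);
        try {
            crypt(Cipher.DECRYPT_MODE, candidate, sealed);
            key = candidate;
            failedAttempts = 0;
            return true;
        } catch (AEADBadTagException wrongPasscode) {
            if (++failedAttempts >= MAX_FAILED_ATTEMPTS) { sealed = null; key = null; }
            return false;
        }
    }

    public boolean isWiped() { return sealed == null; }

    public String read() throws GeneralSecurityException {
        if (key == null) throw new IllegalStateException("vault is locked or deleted");
        return new String(crypt(Cipher.DECRYPT_MODE, key, sealed), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample values, not real credentials.
        PasscodeVault vault = new PasscodeVault("2468".toCharArray(), "gwuser:example-password");
        vault.lock();                                             // application suspended
        System.out.println(vault.unlock("0000".toCharArray()));  // resume, wrong passcode
        System.out.println(vault.unlock("2468".toCharArray()));  // resume, correct passcode
        System.out.println(vault.read());
        vault.lock();
        for (int i = 0; i < MAX_FAILED_ATTEMPTS; i++) vault.unlock("1111".toCharArray());
        System.out.println(vault.isWiped());                      // vault deleted after the limit
    }
}
```

In an Android application, `lock()` would be called from the activity's `onPause()`/`onStop()` and `unlock()` from the data vault login view.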


Week 6 Unit 3: Introduction to MAF Logon Component

Introduction to MAF Logon Component
About SAP Mobile App Framework

SAP Mobile App Framework
– Extensibility framework + set of reusable components
– Part of SAP’s SDK
– Builds on mobile operating system services and lower-level SAP Mobile Platform client libraries
– Available on iOS and Android.

Build native mobile applications more efficiently

Introduction to MAF Logon Component
SAP Mobile App Framework: Functional Scope

Extensibility
– Extend screens (for example, add, remove, or rearrange fields) via configuration
– Change the flow or add actions
– No need to recompile

“Skinnable” UI components
– Enables enterprise branding (style, color, images)
– Primitive: button, label, list, and so on
– Compound: Calendar, settings, log, logon
– No need to recompile

Helper components
– Locale-aware formatters (for addresses, phone numbers, currencies)
– Logon Component

Introduction to MAF Logon Component
Main Features of MAF Logon Component

– Secure data store (data vault)
– Application passcode handling
– Password policy handling via SAP Mobile Platform
– Timeout mechanism
– Registration process
– Integration with mobile device management (SAP Afaria)
– Various authentication and single sign-on mechanisms
– Auto-detection of server landscapes

Introduction to MAF Logon Component
Steps to Add MAF Logon Component to an Application

Add SAP Mobile App Framework libraries and resources

Implement LoginActivity
– onCreate(): Instantiate Logon Component and call the login view.
– Implement LogonListener interface to listen to login result.
– OnLogonFinished(): Check for success, set up communication, and trigger application’s main activity.

Optional
– Adapt login views.
– Access data vault included in LogonComponent to store further application secrets.


Week 6 Unit 4: Mobile Device Management with SAP Afaria

Mobile Device Management with SAP Afaria
Features Along the Device Life Cycle

– Enrollment portal (EUSSP)
– Configure devices
– Assign to groups
– Deploy apps by role
– Configure and enroll in e-mail
– Configure wifi and VPN access

– Remote lock
– Remote wipe
– Access violation lock
– Disable device, network, application and e-mail access

– Track assets
– Maintain/modify configuration
– Monitor hardware, software, and packages
– App notifications and updates
– Telco expense management
– Location tracking
– Enforce security policies
– Monitor/track security violations
– Compliance activity logging
– Access control

– Monitor hardware, software, and packages
– Manage roaming and carrier
– Monitor compliance
– Location tracking
– Drilldown by data element


Week 6 Unit 5: Wrap-Up and Outlook

Wrap-Up and Outlook
The Journey So Far

– Build an integrated mobile application using enterprise tools
– Enterprise requirements are quite extensive
– Mobile platform tools help developers fulfill enterprise requirements
– Build services to suit the conceptual model of the mobile application
– There is more than 1 way to build a mobile solution
– Security is key for the enterprise

Introduction to Mobile Solution Development for the Enterprise

Wrap-Up and Outlook
Learn More About SAP Education

SAP Education
– Classroom training at authorized SAP training centers
– Virtual Live Classrooms
– E-Learning
– Certification

SAP Community Network (SCN)
Engagement between SAP and our customers & partners
– Blogs
– Documents
– Discussions/Questions

SAP Developer Center
– Resources for developing software based on SAP technology

Wrap-Up and Outlook
The Journey Continues

– On-premise version of SAP Mobile Platform
– App Builder, SAP’s next gen UI development environment
– Kapsel, Phone Gap Plug-Ins for the Enterprise
– New OData SDKs supporting OData with offline and cached transactions
