Appmobi Security Kit

Appmobi provides Mobile Application Data Encryption and User Authentication out of the box, securing enterprise mobile applications with three levels of security.

Level 1 : App Level Shared Key

  • This is the base Level 1 security, where data is encrypted using a single key per app, shared by all devices.
  • The server generates AES keys, which are encrypted with RSA keys.
  • On initialization, the mobile app needs to send its Device ID and app name to the server to get the RSA and AES keys.
  • On the server, the live update bundle is encrypted using the AES app shared key, and the mobile app decrypts the live update bundle using the same app shared key.
  • Push message data is encrypted/decrypted using this app shared key (RSA keys).
  • The key size is 4096 bits, and keys are randomly generated.
  • On the server, keys are stored in the database in XML format, whereas on the device keys are stored securely in the application's local storage, e.g. on iPhone they are stored in the keychain.

Level 2 : App Level Shared Key + Device Level Shared Key

  • This is Level 2 security, where data is encrypted using the device shared key (public key) and decrypted using the device private key.
  • The server generates AES keys, which are encrypted with RSA keys called App shared keys. The mobile app gets this App shared key on initialization.
  • On the server, the live update bundle is encrypted using this App shared key, and the mobile app decrypts the live update bundle using the same app shared key.
  • The device generates an RSA public/private key pair and shares the public key with the server on app initialization. The server stores this device-specific public key, which is used to encrypt data (push messages). The device decrypts received encrypted data using its own private key.
  • The key size is 4096 bits, and keys are randomly generated.
  • On the server, keys are stored in the database in XML format, whereas on the device keys are stored securely in the application's local storage, e.g. on iPhone they are stored in the keychain.
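The Level 1 and Level 2 bullets above describe a hybrid scheme: an RSA key pair protects the exchange of an AES app shared key, and the AES key protects bulk data such as the live update bundle. The following is an added example of that flow, not Appmobi's own code. It assumes RSA-OAEP with SHA-256 for wrapping the AES key, AES-256-GCM (nonce prepended to the ciphertext) for the bundle, and an arbitrary OAEP label; the function names, the `bits` parameter and the sample bundle are all constructed for this illustration. The page specifies 4096-bit keys; the demo passes 2048 only so that key generation finishes quickly.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Assumed OAEP label; it binds the wrapped blob to this purpose (not from the page).
var wrapLabel = []byte("app-shared-key")

// Device side: generate the device RSA key pair at app initialization.
// The page specifies 4096 bits; bits is a parameter so demos can run faster.
func generateDeviceKeys(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// Server side: create a fresh 256-bit AES app shared key and wrap it under the
// device public key with RSA-OAEP, so only the private-key holder can unwrap it.
func wrapAppKey(devicePub *rsa.PublicKey) (aesKey, wrapped []byte, err error) {
	aesKey = make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, aesKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, devicePub, aesKey, wrapLabel)
	return aesKey, wrapped, err
}

// Device side: recover the AES app shared key with the device private key.
func unwrapAppKey(devicePriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, devicePriv, wrapped, wrapLabel)
}

// newGCM builds the AEAD used for bundle and push payloads from the shared key.
func newGCM(aesKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Server side: encrypt a live update bundle (or push payload) under the shared
// AES key. GCM authenticates the ciphertext, so any tampering is detected on open.
func sealBundle(aesKey, bundle []byte) ([]byte, error) {
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, bundle, nil), nil // nonce || ciphertext || tag
}

// Device side: split off the nonce, verify the tag and decrypt.
func openBundle(aesKey, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed bundle too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// roundTrip runs the whole exchange: the server seals with its copy of the key,
// the device opens with the copy it unwrapped, and the recovered bundle is returned.
func roundTrip(bits int, bundle []byte) ([]byte, error) {
	devicePriv, err := generateDeviceKeys(bits)
	if err != nil {
		return nil, err
	}
	serverKey, wrapped, err := wrapAppKey(&devicePriv.PublicKey)
	if err != nil {
		return nil, err
	}
	deviceKey, err := unwrapAppKey(devicePriv, wrapped)
	if err != nil {
		return nil, err
	}
	sealed, err := sealBundle(serverKey, bundle)
	if err != nil {
		return nil, err
	}
	return openBundle(deviceKey, sealed)
}

func main() {
	// Constructed sample bundle; 2048 bits only to keep the demo quick.
	got, err := roundTrip(2048, []byte("live-update bundle v7"))
	fmt.Printf("%q %v\n", got, err)
}
```

Because the bundle is sealed with an authenticated mode, a device that receives a modified bundle gets an error from `openBundle` rather than silently applying corrupted code; the wrapped key, in turn, is only recoverable by the device whose public key the server stored.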

Level 3 : App Level Shared Key + Device Level Shared Key + User Authentication

  • This is Level 3 security, which is the same as Level 2 security, except that the user needs to authenticate with an LDAP server or via OAuth.
  • LDAP: The app developer needs to configure the LDAP server credentials while creating the app, and also set the device token session timeout.
  • Once the user authenticates with the LDAP server, a session is created with the timeout specified on the interface. On encountering an expired token, the user needs to authenticate again. This type of security does not let users use the app unless they present valid credentials.
  • OAuth is an open standard for authorization. OAuth provides client applications with ‘secure delegated access’ to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials.
  • The Appmobi security platform integrates the Google and Facebook OAuth providers. The developer needs to select which provider(s) to integrate for the application. OAuth integration documentation can be found in the Quickstart Guide for OAuth Integration.
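The LDAP bullets above describe a device token bound to a session with a configured timeout, where an expired token forces the user to authenticate again. The following is an added example of that token lifecycle, not Appmobi's own code. The `Authenticator` callback stands in for the LDAP bind (or OAuth provider check) the platform performs; `demoAuth`, the 30-minute timeout, the injectable clock and the user credentials are all constructed for this illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

var (
	ErrBadCredentials = errors.New("authentication failed")
	ErrUnknownToken   = errors.New("unknown token")
	ErrSessionExpired = errors.New("session expired: re-authenticate")
)

// Authenticator stands in for the LDAP bind (or OAuth provider callback);
// the real directory is not modelled here.
type Authenticator func(user, password string) bool

type session struct {
	user    string
	expires time.Time
}

// SessionStore issues device tokens and enforces the configured session timeout.
type SessionStore struct {
	mu       sync.Mutex
	timeout  time.Duration
	now      func() time.Time // injectable clock so expiry can be tested
	auth     Authenticator
	sessions map[string]session
}

func NewSessionStore(timeout time.Duration, auth Authenticator, now func() time.Time) *SessionStore {
	if now == nil {
		now = time.Now
	}
	return &SessionStore{timeout: timeout, now: now, auth: auth, sessions: map[string]session{}}
}

// Login authenticates the user and, on success, returns a fresh random token
// whose session expires after the configured timeout.
func (s *SessionStore) Login(user, password string) (string, error) {
	if !s.auth(user, password) {
		return "", ErrBadCredentials
	}
	raw := make([]byte, 32) // 256 bits of entropy from the OS CSPRNG
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[token] = session{user: user, expires: s.now().Add(s.timeout)}
	return token, nil
}

// Validate returns the user bound to the token, or ErrSessionExpired once the
// timeout has passed. The expired entry is dropped so the token cannot be reused.
func (s *SessionStore) Validate(token string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[token]
	if !ok {
		return "", ErrUnknownToken
	}
	if !s.now().Before(sess.expires) {
		delete(s.sessions, token)
		return "", ErrSessionExpired
	}
	return sess.user, nil
}

// demoAuth is a constructed stand-in for the directory, used only in this example.
func demoAuth(user, password string) bool {
	return user == "alice" && password == "correct horse"
}

func main() {
	clock := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	store := NewSessionStore(30*time.Minute, demoAuth, func() time.Time { return clock })
	tok, _ := store.Login("alice", "correct horse")
	user, err := store.Validate(tok)
	fmt.Println(user, err)
	clock = clock.Add(31 * time.Minute) // past the configured timeout
	_, err = store.Validate(tok)
	fmt.Println(err)
}
```

The caller treats `ErrSessionExpired` and `ErrUnknownToken` the same way from the user's point of view (send them back to the login screen), but keeping them distinct is useful for logging: a burst of unknown tokens looks different from the expected trickle of timeouts.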