Introduction to IBM Worklight: Building and Connecting Cross-Platform Mobile Apps
© 2012 IBM Corporation
Mobile
Build and Connect Apps, Devices and Data:
IBM Worklight Overview
Jeremy Siewert
IBM ISV & Developer Relations: Technical Lead for Mobile
February 19, 2013
Building and connecting mobile apps has become
essential to the mobile enterprise
Key mobile development and delivery challenges
Delivering for multiple platforms
• Highly fragmented set of …
  • Platforms and devices
  • Languages, APIs, and tools
• Native programming models not portable across platforms
Accelerated time to market requirements
• Higher frequency of releases and updates
• Added pressure on teams to deliver on time and with quality
Connecting apps and mobile users with existing enterprise systems
• Existing services typically need to be adapted and extended for mobile
• Enterprise wireless networks are running out of bandwidth to accommodate employee devices
Consumerization of IT and need to deliver high quality apps
• High quality user experience is a requirement
• Quality influenced as much by design as it is by function
IBM’s strategy addresses client mobile initiatives
Extend & Transform: Extend capabilities to mobile; Transform your business
Key Capabilities
• Strategy, planning and implementation
• Mobile-enabled solutions including analytics, commerce, and social business
• Mobile as a service
Build & Connect: Build mobile apps; Connect & run mobile systems
Key Capabilities
• Mobile web, hybrid and native app development
• Enterprise data, service, and application integration
• Enterprise wireless networking
Manage & Secure: Manage mobile devices and apps; Secure my mobile business
Key Capabilities
• Mobile lifecycle management
• Device analytics and control
• Secure network communications & management
When do you need a Mobile Application Platform?
• Get up and running in minutes – extending the development and Web skills you already have
• Maximize code reuse by sharing code across multiple devices and OS variants
• Leverage existing mobile applications without rebuilding – including those built in Web, native and HTML5
• Code without limits with the flexibility to mix HTML5 with native code when needed
• Maximize productivity by leveraging any standards-based open source and third-party library
• Deepen and personalize customer engagement with access to back-end systems and server-based data mashups
• Manage the complete mobile application lifecycle (build, connect, run)
• Govern and manage mobile apps from initial provisioning to ongoing upgrades, authentication, single-sign-on, enforced app upgrades, and a mobile app feedback loop
• Communicate effectively with centralized push notification service management
• Protect data with on-device encryption of user data, SSL encryption, and secure offline access
• Control access through single sign-on and multi-factor authentication
• Secure applications with protection against reverse-engineering vulnerabilities, remote disable of applications, and enforcement of client upgrades
• Enforce compliance with regulatory mandates through secure shells that can be deployed throughout your mobile portfolio.
Development: Can I scale app delivery – using existing skills and assets?
Security: Can I reduce security risk across my mobile enterprise?
Operations: Can I easily connect to data, applications and cloud services?
Scale your ability to build, manage and secure mobile apps
IBM Worklight: A Mobile Application Platform
Speed and scale time-to-value
• Maximize code reuse across platforms
• Leverage standards-based technologies
• Deliver higher quality by mixing HTML with native code in the same app
Connect to back-end services
• Get standardized access to data, applications and cloud services
• Leverage runtime services for caching, push notifications, authentication and service interruption
• Enterprise app store for app management
• Data collection for analytics
Reduce security risk
• Strong authentication framework
• Encrypted offline availability
• Sign apps to detect unauthorized modifications
• Direct update and remote disablement
IBM Worklight leverages and extends
your investments in data, applications,
security and skills to mobile devices.
Client Challenge
Quickly build, manage and secure mobile apps
Key Capabilities
Mobile application development models
Open, cost-effective, cross-platform app development
IBM Worklight
App development using native and/or familiar web technologies:
• HTML5
• CSS3
• JavaScript
App delivery in a variety of forms:
• Mobile Web app
• Hybrid app
• Native
Compatible with prominent HTML5 libraries and tools:
http://youtu.be/uPFoT_MqLY4
Today Application Mobilization is Complex when Unstructured
Enterprise Applications
Web Services
Databases
Potential Issues:
Higher infrastructure costs
Longer mobile development time
Inability to support all required device types
Higher administrative and maintenance costs
Overall increase in risk
Security issues due to multiple points of entry into the network
Limited or no ability to respond to changes in devices and backend systems
No consistency across an enterprise portfolio
Web Services
Mobile Application Platforms help build, manage and integrate more easily
- to maximize the opportunity value of enterprise applications
Enterprise
Applications
Databases
Worklight Mobile Application Platform
Worklight Component Overview
Worklight Server: Unified notifications, runtime skins, version management, security, integration and delivery
Worklight Console: A web-based console for real-time analytics and control of your mobile apps and infrastructure
Worklight Studio: The most complete, extensible environment with maximum code reuse and per-device optimization
Worklight Runtime Components: Extensive libraries and client APIs that expose and interface with native device functionality
Worklight Conceptual Architecture
Worklight Studio
• Eclipse-based IDE
• Combining native and standard web technologies in one multiplatform app
• Environment-specific optimization
• 3rd-party libraries integration
• Device SDK integration
• Back-end connectivity utilities
Create a New Mobile Application
Add Environments
Supports a variety of application types
Mobile
• iPhone
• iPad
• Android phones & tablets
• BlackBerry
• Windows Phone
Desktop
• Windows 8 desktop & tablets
• Adobe AIR
Web Applications
• Mobile web app
• Desktop Browser web page
Single Shared Codebase
Combine HTML5 and native-based pages in the same application
Call native code from HTML-based pages
Display HTML and native components together on the same page
Skins
Different Screen Densities
Different Screen Sizes
Different Input Methods
Support for HTML5
• Provide support for multiple form factors in a single executable file for devices of the same OS family
• A sub-variant of an environment
• Packaged together in one App
• Decision on which skin to use is done automatically at runtime
WYSIWYG with drag-n-drop UI construction
Incorporated Device SDKs
Preview in browser
Perform device specific tests in the Mobile Browser Simulator: supports Cordova and Worklight client API
Create Adapters for Back-end Integration
• Secure back-end integration
• XML-based declarative specification
• Multi-source data mashups
• Eclipse plug-in supporting auto-complete and validation
• Simplified adapter testing
• Server-side debugging
• JMS, Cast Iron, Web services and JDBC integration
• Access to session data and user properties
Worklight Runtime Architecture
Worklight Server
Authentication
JSON Translation
Server-side Application Code
Adapter Library
Client-side App Resources
Direct Update
Mobile Web Apps
Unified Push Notifications
Stats Aggregation
Device Runtime
Application Code
• Cross Platform Technology
• Security and Authentication
• Back-end Data Integration
• Post-deployment control and Diagnostics
Worklight Server
• Distribution of mobile web apps
• Enterprise connectivity:
• Secure client/server connectivity
• Direct access to enterprise back-end data and transaction
capabilities
• Authentication enforcement
• Client control:
• Application version management and remote disabling
• Direct update of application code
• Unified Push Notifications
• Aggregation of usage statistics
Device Runtime Components
• Framework for server integration:
• Secure server connectivity
• Authentication
• Remote disable & notification
• Push registration
• Dynamic page loading & caching (soon)
• Event reporting for analytics & audit
• Check-in with Server on Startup
• Check for updates
• Sending Statistics
• Cross-platform compatibility layer
• Runtime Skinning
• Secure encrypted storage
Back-end Integration with Adapters
• Secure back-end integration
• XML-based declarative specification
• Multi-source data mashups
• Eclipse plug-in supporting auto-complete and validation
• Simplified adapter testing
• Server-side debugging
• JMS, Cast Iron, HTTP and JDBC integration
• Access to session data and user properties
[Diagram labels: Worklight Runtime; JSON / HTTPs; Worklight Server; Adapters; JMS; Cast Iron; JDBC; HTTP/Web Services (REST & SOAP); Existing Integration Layer; Internal Systems; Cloud]
Direct Update – On-device Logic
1. Web resources packaged with app to ensure initial offline availability
2. Web resources transferred to app's cache storage
3. App checks for updates
  • On startup
  • On foreground
4. Updated web resources downloaded when necessary
http://youtu.be/NvNzJtfub4Y
[Diagram labels: App Store; Native Shell; Pre-packaged resources; Cached resources; Worklight Server; Web resources; arrows: 1 Download, 2 Transfer, 3 Check for updates, 4 Update web resource]
Unified Push Notifications Architecture
[Architecture diagram labels: Back-end Systems; Polling Adapters; Message-based Adapters; Unified Push API; Notification State Database; User-Device Database; Administrative Console; iOS, Android, BlackBerry, Windows Phone and SMS Dispatchers; Apple Push Servers (APN); Push Servers (C2DM); RIM Push Servers; Microsoft Push Servers; SMS/MMS Brokers; iOS, Android, BlackBerry and Windows Push APIs; Broker API; Worklight Client-side Push Services]
Worklight Console
• Application Version Management
• Push management
• Usage reports and analytics
• Reports of custom application events
• Configurable audit log
• Administrative dashboards for:
• Deployed applications
• Installed adapters
• Push notifications
• Data export to BI enterprise systems
Dynamic Control of Deployed Apps
• Centralized control of all installed applications and adapters
• Remotely disable apps by device and version
• Customize user messages
Mobile Application Center
A cross platform private mobile application
store similar to public app stores but focused
on the needs of an organization or a team
Ease highly iterative development process
and distribution of mobile applications
Key capabilities:
Delivers distribution and management of mobile applications within a company / teams
Easy distribution of iOS and Android apps within an enterprise
Supports any mobile applications
Provides versioning and updates
Centralizes rating and feedback information
Controls who can modify or install an application
Easy to install and simple to run
New features and enhancements in IBM Worklight v5.0.5 (released Fall 2012)
Advanced Mobile capabilities
• On-device, offline available, reliable, scalable, encrypt-able, and sync-able JSON database
• Server triggered security challenges
Application Governance
• Enterprise App Store
• Native Application Governance
• Integration with IBM MDM (IBM Endpoint Manager)
Apps and Tooling
• Native libraries for iOS and Android
• jQuery tooling support
Platform
• SMS notifications
• New target devices: Windows 8, Java ME
• New integration points: JMS adapter
• Updates: iOS6, Android 4.1, Cordova 2.2
What are the other options?
Evaluation Criteria | No Platform - Native Development | “Do it Yourself” HTML5 with Open Source Frameworks | Pre-packaged Mobile Apps | Worklight Mobile Application Platform
Initial Development Cost | Poor | Excellent | Excellent | Excellent
Time to Market | Poor | Excellent | Excellent | Excellent
App Quality / Features | Excellent | Poor | Poor | Excellent
Ongoing Maintenance Cost | Poor | Poor | Excellent | Excellent
Integrations with Back Office Services | Excellent | Poor | Poor | Excellent
Ability to Customize | Excellent | Poor | Poor | Excellent
Runtime Caching, Notification Services | Poor | Medium | Medium | Excellent
Security and Identity Services | Poor | Poor | Medium | Excellent
App Governance and Management | Poor | Poor | Medium | Excellent
Usage Analytics | Poor | Poor | Medium | Excellent
Build, connect, manage and secure your mobile enterprise IBM Mobile Foundation
Quickly Build, Deliver, Manage and Secure Mobile Applications
in Enterprise Traditional & Cloud Environments
IBM Mobile Foundation
IBM Endpoint
Manager for
Mobile Devices
IBM WebSphere
Cast Iron
Hypervisor
Edition
IBM
Worklight
Mobile App Development Platform
Mobile Security
Connectivity
Taking Your Enterprise Mobile
App and device management
IBM provides a complete framework for mobile
IBM Mobile Foundation
Security Gateway (WebSphere DataPower,
IBM Security Access Manager) SDLC Tools (Rational Collaborative
Lifecycle Management)
WebSphere Application Server
Enterprise Apps
SOA & Connectivity (WebSphere Message Broker, WebSphere MQ (MQTT), WebSphere Services Registry and Repository)
MDM (IBM Endpoint
Manager for Mobile)
WebSphere Operational Decision Management
IBM Business Process Management
MEAP (IBM Worklight)
Elastic Caching (WebSphere eXtreme
Scale, WebSphere DataPower XC10)
Social (Lotus Connections)
Mobile Threats & Security (IBM Qradar, IBM AppScan for Mobile)
Analytics (Cognos, Coremetrics)
WebSphere Cast Iron
IBM Worklight – Value for ISVs/Partners
As an ISV, you care about
• Cost-effective development
• Leveraging your existing skills
• Short time to market
• Easy mobilization of your existing offering
• A rich user experience that drives adoption
• Collaboration of Dev, QA and test teams
• Simple integration with existing tools
• Quick update cycles and version control
• Adhering to the strictest security requirements
• Managing a growing portfolio of apps
• White-labeling and app customization
IBM Worklight delivers
• Open architecture and standard tools = short learning curve, use of in-house skills and no technology lock-ins
• Comprehensive integration capabilities with back-end and cloud-based services
• Support multiple development approaches (HTML, hybrid and native), access all device features, transactions and high data volumes
• Collaboration tools, central build engine, and internal distribution mechanisms
• Integration capabilities with the growing ecosystem of 3rd-party tools and frameworks
• Central management capabilities including direct update, remote disable and reporting
• Customizable native shell for policy enforcement and white-labeling of mobile apps
IBM Worklight and Open Source
IBM Worklight is built on open standards and extends open source software:
Apache Cordova (aka PhoneGap), jQuery, Dojo, Derby, Jetty, SQLite, MySQL, …
Main value add:
1. Advanced development environment with WYSIWYG tooling and simulators
2. Mixing native, web and local HTML in the same app
3. Improved code sharing amongst platforms (optimization framework)
4. Single binary for multiple form factors (runtime skins for smartphones and tablets)
5. Mobile application management (remote app disablement, direct update)
6. Security (device & user authorization, encrypted cache, offline authentication, app authenticity testing…)
7. Analytics (who uses what & when)
8. Structured architecture with WL server as control point (data access and security)
9. Cross platform, production ready app store
10. Uniform push notification with user/device mapping management
11. Centralized management console (apps & versioning, adapters, push)
12. JSON local data store with sync (new v5.0.5)
13. IBM tested & supported SW combinations
Business Partner Programs for Mobile
Mobile App Showcase
IBM web site dedicated to showcasing Business Partners mobile apps developed on the
Worklight platform, both cross-industry and cross-function
Register your mobile apps and gain greater visibility to a wide cross section of interested
clients
IBM Business Partner Authorizations
New Mobile Sales Mastery & Technical Sales Mastery tests available to certify as a
Worklight V5.0 Authorized Reseller and participate in IBM partner incentive programs
Invest and grow your Sales and Delivery Teams Mobile skills through comprehensive
training and certification provided by IBM
Mobile Ready to Execute campaign program
A new model of campaign delivery designed and developed as a complete package for
Mobile capabilities
Use this customizable marketing collateral to generate pipeline with current clients and
potential prospects
Available now! Leverage IBM co-marketing dollars to fund Mobile campaign execution
Mobile App Showcase Overview
Your solutions become an integral part of IBM marketing programs, generating exposure with
clients, other IBM Business Partners and the IBM sales network
Leverage the pull of IBM in the mobile market
Market your solutions and capabilities to a worldwide audience
Qualify for the monthly rotating “Solution Spotlight” – your mobile app on the landing page.
Criteria:
1. Built on Worklight or Mobile Foundation
2. IBM Business Partner agreement in place
3. Member of PartnerWorld
4. Selected in the order the solutions arrive for first 6 months
Easy to use registration via the existing Global Solutions Directory on PartnerWorld
A common experience to feature and access IBM Business Partner mobile applications and solutions built on IBM Worklight and/or IBM Mobile Foundation offerings
Global Solutions Directory – Mobile App Registration
GSD entry tips to maximize exposure in the mobile showcase:
• Ensure your solution is marked for Worklight or Mobile Foundation
• Create a thorough entry, completing all fields on the submission form
• Keep your contact information current
• Include your company logo in your entries
• Refresh your solutions
What is the Global Solutions Directory (GSD)? In the context of the Global Solutions Directory, IBM uses the term solution to refer to all types of products and services provided by our Business Partners. This generalized term represents the value add of Business Partners teaming with IBM to bring solutions to our customer's business problems
Key Links: Create an entry in the Global Solutions Directory Video demonstrations: Learn how to use the Global Solutions Directory Mobile app showcase landing page
IBM Business Partner Authorizations Sales Mastery & Technical Sales Mastery tests available to certify as Worklight V5.0
Authorized Reseller. Educate your Sales and Delivery Teams & become *SVP Authorized
to resell Mobile offerings through comprehensive training and certification provided by IBM
Why team with IBM?
• IBM Software Business Partners have a wide range of profit opportunities including cross sell, influence, resell and bundled solution resell to leverage the high growth market of mobile:
• *Software Value Plus - Global program for SW resellers / influencers provides incentives for Business Partner opportunity identification and progression with earnings opportunities from 5% to 50%+
• Industry and Capability Authorization provides recognition for expertise in providing client solutions, based on key IBM Software products, such as Mobile and other high growth solution areas Earnings opportunity from 20% to 30%
• Application Specific License (ASL) agreements - Resell model for lightly embedded and bundled mobile solution offerings where Partners earn via discount on product sales for both initial sales and annual renewals
Building Worklight Technical skills: VW501 Introduction to IBM Worklight V5 for Mobile Application Development & Deployment (self-paced)
WU-VU503 Mobile Application Development and Deployment with IBM Worklight V5 (Instructor-led)
ZU503 Mobile Application Development and Deployment with IBM Worklight V5 (5-days self-paced)
ZU370 Introduction to HTML5 and JavaScript Programming
ZU371 Developing Mobile Web Applications with Dojo
Advanced Worklight 5.0 Worklight Hands-On Enablement Workshop for Business Partners
Become an Authorized Reseller via Certification: Sales : IBM Mobile Worklight Sales Mastery v1 M660 - or - WebSphere Sales Mastery v5
Technical: IBM Mobile Worklight Technical Mastery v1 N31 - or – Any of these Software/WebSphere Core technical test
Tips & Techniques to pass Mastery test: WebSphere Sales Mastery v5 - tips and techniques for success
(PartnerWorld Id Required)
IBM Business Partner Co-Marketing Program Leverage co-marketing funds and Mobile campaign tools to grow your business
Mobile Ready to Execute Campaign Core Messaging for Business Partner Clients:
• Gain faster time-to-value with unified development across deployment models
• Universal connectivity to streamline multiplatform development, deployment, and information delivery for
mobile, web, and cloud
• Securely integrate information and applications between mobile computing and traditional IT
• Automate service delivery to improve economics, reduce risk, and accelerate innovation
• Enhance business process with mobility and uncover new business models across the mobile lifecycle
The IBM Co-marketing Center is the one-stop to maximize co-marketing
investment with IBM:
Apply for IBM co-marketing funds, if eligible, to help fund your campaign execution
Use Mobile “Ready to Execute" campaign materials that can be customized easily for
your unique requirements: A new model of campaign delivery in which IBM has designed and developed a campaign as a
complete package for Mobile capabilities
Available to IBM Business Partners to use to generate pipeline with your current clients and
potential prospects
The campaign includes multi-touch emails, telemarketing scripts, web marketing guidance and
compelling customer offers (e.g. white papers, videos, etc.)
Upcoming IBM Mobile Event Presence
• Mobile World Congress, February 25-28 in Barcelona, Spain.
• IBM will be announcing exciting new mobile capabilities for the enterprise
• On Monday, February 25th there will be a 1/2 day Conference "Business. In Motion: Speeding Innovation
and Extending Reach Securely with IBM Mobile." For more information click here
• If you can't join us in Barcelona, please register and plan to attend to our "Live from Mobile World Congress"
broadcast on Thursday February 28, 2013.
• IBM PartnerWorld Leadership Conference, February 25-28 in Las Vegas, NV
• Robert LeBlanc, Senior Vice President, Middleware Software, will be speaking at the General Session
Keynote on the topic: Middleware & Cloud Strategy: IBM Middleware and cloud strategy and strategic
capabilities (cloud, mobile, big data, security).
• IBM will host an IBM Mini Solution EXPO Showcase for Mobile Enterprise. Click here for more information
• Pulse 2013 in Las Vegas, NV from March 3-6
• Marie Wieck will be presenting the Mobile Enterprise Stream kick-off on Monday March 4th from 10 - 11 AM
around Speeding Innovation and Extending the Reach with Mobile Enterprise.
• Mobile will be the focus of many tracks, birds of the feather sessions, and meet the experts sessions.
• Don't forget to visit the IBM Mobile Booth to view our key assets around the IBM Mobile Story and demo
some of our exciting capabilities. Click here for more information
• South by Southwest Interactive Festival in Austin, TX from March 8-17
• IBM will be showcasing IBM Mobile & Social Business capabilities as well as introducing resources to the start-up community. Click here for more information
Next Steps for Partners
Get specific, prescriptive guidance and resources
IBM PartnerWorld Roadmap for Mobile:
http://ibm.biz/BdxrgB
Download the free Worklight Developer Edition
IBM Worklight Developer Edition download:
http://www.ibm.com/developerworks/mobile/worklight.html
Expand your knowledge and interact with IBM SMEs
IBM tech talk series for Mobile:
http://www.ibm.com/developerworks/mobile/mobile-techtalks/
Learn about upcoming IBM Mobile announcements
Register for our "Live from Mobile World Congress" broadcast on Thursday February 28,
2013.
Thank You
IBM Worklight Advanced Features
Skin Creation
• Skins are created using the Worklight Skin Wizard
• Directories adjacent to the environment directory
• Containing HTML/CSS/JS
Example Mobile Skin on Android
Example Mobile Skin on iPad
Data Collection and Analytics
Flexible Push Notification Framework
Multiple users logging into the same app
Multiple apps using the same event source
Multiple event sources used in the same app
One application multiple devices
Mobile Security Objectives
Protect data on the device
• Malware, Jail breaking
• Offline access
• Device theft
• Phishing, repackaging
Streamline Corporate security approval processes
• Complex
• Time-consuming
Enforce security updates
• Be proactive: can’t rely on users getting the latest software update on their own
Provide robust authentication and authorization
• Existing authentication infrastructure
• Passwords are more vulnerable
Protect from the “classic” threats to the application security
• Hacking
• Eavesdropping
• Man-in-the-middle
Worklight: Security by Design
Enforcing security updates
Remote disable
Direct update
Providing robust authentication and authorization
Authentication integration framework
Data protection realms
Coupling device id with user id
Streamlining Corporate security processes
Mobile platform as a trust factor
Application Security
Code obfuscation
SSL with server identity verification
Proven platform security
Jailbreak and malware detection
App authenticity testing
Protecting data on the device and in transit
Encrypted offline cache
Offline authentication
Secure connectivity
Integration point with VPN solutions (i.e. IBM Mobile Connect)
Integration point with MDM solutions (i.e. IBM Endpoint Manager for Mobile)
Integration point with User Security solutions (i.e. IBM Access Manager for Mobile)
Authentication Concepts and Entities
• Worklight entities, such as applications and adapter procedures, can be protected from unauthorized access
• Entities are protected by authentication realms
• An authentication realm defines the process to be used to authenticate users
• Each authentication realm consists of:
  • Authenticator – client + server components which are used to collect credentials (e.g. login form).
  • Login Module – server component that receives credentials from the authenticator, validates them and builds the user identity object
• The same authentication realm can be used to protect several resources
Authentication Concepts and Entities
When a request is made to the protected entity, Worklight checks whether the session is already authenticated. If not, Worklight automatically triggers a process of verifying the user’s identity:
1. An unauthenticated request tries to access the protected application, or invokes a protected adapter procedure.
2. The authenticator is invoked automatically. User credentials (e.g., username and password) are collected on the client end and sent to the server.
3. The login module receives the collected credentials, validates them and builds the user identity if validation passes.
4. The original request is handled.
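The realm flow described above can be modelled in a short Node.js sketch. This is an added example, not Worklight code or its API: the names `LoginModule`, `RealmServer`, `newSession` and `runDemo`, the scrypt password check, and the constructed user and resources are all assumptions made for illustration.

```javascript
// Added illustration of realm-based protection; every name here is hypothetical.
const crypto = require('crypto');

// Login module: server component that validates credentials and builds the user identity.
class LoginModule {
  constructor() { this.users = new Map(); }

  addUser(username, password, roles) {
    const salt = crypto.randomBytes(16);
    this.users.set(username, { salt, hash: crypto.scryptSync(password, salt, 32), roles });
  }

  login(credentials) {
    const { username, password } = credentials || {};
    const record = this.users.get(username);
    if (!record || typeof password !== 'string') return null;
    const candidate = crypto.scryptSync(password, record.salt, 32);
    // Constant-time comparison of the derived hashes.
    if (!crypto.timingSafeEqual(candidate, record.hash)) return null;
    return { name: username, roles: record.roles };
  }
}

class RealmServer {
  constructor() { this.realms = new Map(); this.resources = new Map(); }

  defineRealm(name, loginModule) { this.realms.set(name, loginModule); }

  // The same realm may protect several resources (applications, adapter procedures).
  protect(resource, realm, handler) {
    if (!this.realms.has(realm)) throw new Error(`unknown realm ${realm}`);
    this.resources.set(resource, { realm, handler });
  }

  // `authenticator` stands in for the component that collects credentials when challenged.
  request(session, resource, authenticator) {
    const entry = this.resources.get(resource);
    if (!entry) return { status: 404 };
    let identity = session.identities.get(entry.realm);
    if (!identity) {
      // Steps 1-3: unauthenticated request, credentials collected, login module validates.
      const credentials = authenticator(entry.realm);
      identity = this.realms.get(entry.realm).login(credentials);
      if (!identity) return { status: 401, realm: entry.realm };
      session.identities.set(entry.realm, identity);
    }
    // Step 4: the original request is handled with the established identity.
    return { status: 200, body: entry.handler(identity) };
  }
}

function newSession() { return { identities: new Map() }; }

function runDemo() {
  const loginModule = new LoginModule();
  loginModule.addUser('alice', 'constructed-passphrase', ['teller']); // constructed sample user
  const server = new RealmServer();
  server.defineRealm('CorporateRealm', loginModule);
  server.protect('app:Banking', 'CorporateRealm', (id) => `welcome ${id.name}`);
  server.protect('adapter:getBalance', 'CorporateRealm', (id) => ({ owner: id.name, balance: 100 }));

  let challenges = 0;
  const goodLogin = () => { challenges += 1; return { username: 'alice', password: 'constructed-passphrase' }; };
  const badLogin = () => ({ username: 'alice', password: 'wrong' });

  const denied = server.request(newSession(), 'adapter:getBalance', badLogin);
  const session = newSession();
  const first = server.request(session, 'app:Banking', goodLogin);
  const second = server.request(session, 'adapter:getBalance', goodLogin);
  return { denied, first, second, challenges };
}
```

In `runDemo()`, the second request in the same session reaches a different resource in the same realm without a second challenge, while a failed login never reaches the handler.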
What is the Encrypted Cache?
The encrypted cache is a mechanism for storing sensitive data on the client side
The encrypted cache is implemented using HTML5 local storage technology which allows data to be saved locally and retrieved on subsequent application use / re-launch
Data is encrypted with a combination of user-provided key and server-retrieved randomly generated token which makes it more secure
Data is stored using key-value pairs
Enforcing security updates
Can’t rely on users getting the latest software update on their own
Remote Disable: shut down specific versions of a downloadable app, providing users with link to update
Direct Update: automatically send new versions of the locally-cached HTML/JS resources to installed apps
Mobile security measures
Mechanism: Encrypted offline cache
Benefits:
• Protect against stealing sensitive information via malware, stolen devices
Details:
• Uses AES256 and PKCS #5 for on-device encrypted storage of app-generated data, with random server-generated numbers for high security
• Allows user authentication when server is offline
• Implemented in JS (highly obfuscated) with optional native performance enhancements
Mechanism: SSL identity verification for AJAX
Benefits:
• Protect against man-in-the-middle attacks
Details:
• Client-side AJAX framework automatically verifies IBM Worklight-server credentials
Mechanism: Client code attestation
Benefits:
• Prevent impersonation by phishing apps
• Protect apps from manipulation by malware
Details:
• Challenge-response based mechanism for proving client-application identity
• Uses tamper-resistant self-inspecting code
Mechanism: Remote code updates
Benefits:
• Ensure timely propagation of critical security updates to entire install base
Details:
• New versions of the code can be distributed without requiring update of the app (currently JS/HTML)
Mechanism: Remote disable of specific versions
Benefits:
• Ensure timely propagation of critical security updates to entire install base
Details:
• Server-side console allows configuration of allowed app versions. Administrator can force users to install security updates to the native code
Mechanism: Authentication process framework
Benefits:
• Lower the cost and complexity of robust integration with the authentication infrastructure
Details:
• Server-side architecture for integration with back-end authentication infrastructure based on JAAS, with Authentication realms
• Client-side framework for asynchronous login requests on session expiration
Mechanism: Server-side safeguards
Benefits:
• Prevention of SQL injection
• XSRF protection
Details:
• Prepared-statement enforcement
• Validation of submitted data against session cookie
Mechanism: Device identification
Benefits:
• Prevent account-hijacking
Details:
• Safely report device ID to the server
• Identifying a user with specific devices
Mobile security measures - Continued
Mechanism: Enterprise SSO integration
Benefits:
• Leverage existing enterprise authentication facilities and user credentials
• Enable employee-owned devices
Details:
• Client side mechanism obtains and encrypts user credentials, sends to the server with requests
• Encryption incorporates user-supplied PIN, Server-side secret and DID
• Credentials cannot be retrieved from lost or stolen device
Mechanism: VPN alternative
Benefits:
• Enable the secure delivery and operation of mobile applications for employee owned devices or device types not allowed on the corporate network
• Enable the secure delivery in cases where the installation of VPN client on mobile devices is not possible or complicated to manage
Details:
• Client side and server side framework act as SSL based VPN
• Network access control and policies pre-configured in the client side framework layer
• Network access and security measures updated using server side framework
• On device encrypted storage to prevent compromise of sensitive data
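The slides describe the encrypted cache as key-value data encrypted with a user-provided key combined with a server-generated random token, using AES256 and PKCS #5. The Node.js sketch below is an added example of that construction, not Worklight's implementation or API: PBKDF2-HMAC-SHA256 with the server token as salt, the iteration count, AES-256-GCM, binding each entry to its key name, the `Map` standing in for HTML5 local storage, and all function and class names are assumptions.

```javascript
// Added illustration; NOT Worklight's implementation or its encrypted cache API.
const crypto = require('crypto');

// Assumed parameters: the slides name only "AES256" and "PKCS #5".
const KDF_ITERATIONS = 100000; // PBKDF2 work factor (assumption)
const KEY_BYTES = 32;          // AES-256 key size
const IV_BYTES = 12;           // GCM nonce size
const TAG_BYTES = 16;          // GCM authentication tag size

// Server side: random token handed to the client only after authentication.
function issueServerToken() { return crypto.randomBytes(16); }

// PKCS #5 PBKDF2: the user secret is the password, the server token is the salt,
// so neither the device contents nor the user secret alone yields the key.
function deriveKey(userSecret, serverToken) {
  return crypto.pbkdf2Sync(userSecret, serverToken, KDF_ITERATIONS, KEY_BYTES, 'sha256');
}

class EncryptedKeyValueCache {
  constructor(storage) { this.storage = storage; this.key = null; }

  open(userSecret, serverToken) { this.key = deriveKey(userSecret, serverToken); }

  close() { if (this.key) this.key.fill(0); this.key = null; } // wipe key material

  requireOpen() { if (!this.key) throw new Error('cache is closed'); }

  write(name, value) {
    this.requireOpen();
    const iv = crypto.randomBytes(IV_BYTES); // fresh nonce for every write
    const cipher = crypto.createCipheriv('aes-256-gcm', this.key, iv);
    cipher.setAAD(Buffer.from(name, 'utf8')); // bind the ciphertext to its key name
    const ct = Buffer.concat([cipher.update(String(value), 'utf8'), cipher.final()]);
    const blob = Buffer.concat([iv, cipher.getAuthTag(), ct]);
    this.storage.set(name, blob.toString('base64'));
  }

  read(name) {
    this.requireOpen();
    const stored = this.storage.get(name);
    if (stored === undefined) return null;
    const raw = Buffer.from(stored, 'base64');
    const iv = raw.subarray(0, IV_BYTES);
    const tag = raw.subarray(IV_BYTES, IV_BYTES + TAG_BYTES);
    const ct = raw.subarray(IV_BYTES + TAG_BYTES);
    const decipher = crypto.createDecipheriv('aes-256-gcm', this.key, iv);
    decipher.setAAD(Buffer.from(name, 'utf8'));
    decipher.setAuthTag(tag);
    // final() throws if the key, the entry name or the ciphertext is wrong.
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  }
}

// Returns the plaintext, or null when the entry is missing or cannot be authenticated.
function tryRead(storage, userSecret, serverToken, name) {
  const cache = new EncryptedKeyValueCache(storage);
  cache.open(userSecret, serverToken);
  try { return cache.read(name); } catch (err) { return null; } finally { cache.close(); }
}

function runDemo() {
  const storage = new Map(); // stands in for HTML5 local storage
  const token = issueServerToken();
  const cache = new EncryptedKeyValueCache(storage);
  cache.open('constructed PIN 4921', token);          // constructed sample secret
  cache.write('account', 'ACCT-0001-constructed');    // constructed sample value
  cache.close();
  storage.set('other', storage.get('account'));       // copy the blob under another name
  return {
    storedBlob: storage.get('account'),
    rightKey: tryRead(storage, 'constructed PIN 4921', token, 'account'),
    wrongSecret: tryRead(storage, 'guess', token, 'account'),
    wrongToken: tryRead(storage, 'constructed PIN 4921', issueServerToken(), 'account'),
    movedEntry: tryRead(storage, 'constructed PIN 4921', token, 'other'),
  };
}
```

`runDemo()` shows that a copy of local storage decrypts only with both the user secret and the server token, and that a blob moved to a different key name fails authentication.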
Mobile Application Center
A cross platform private mobile application
store similar to public app stores but focused
on the needs of an organization or a team
Ease highly iterative development process
and distribution of mobile applications
Key capabilities:
Delivers distribution and management of mobile applications within a company / teams
Easy distribution of iOS and Android apps within a team
Supports any mobile applications
Provides versioning and updates
Centralizes rating and feedback information
Controls who can modify or install an application
Easy to install and simple to run
Log into the Worklight Application Center
Add an application
Download the application on the device
Provide feedback and/or switch back
Display the feedback from the App Center
Architecture of the Shell-based Application
Architecture
• The Shell consists of native and web code
• Inner app consists of web code only
Native access
• The Shell provides JavaScript access to native device capabilities
Sandbox
• The Shell can restrict inner apps from accessing unsanctioned native and JavaScript functions
Customization
• The Shell can include custom native and web libraries and APIs, branding resources, authentication, and integration components
• API restrictions are also customizable
Diversity
• Company may distribute multiple shells for different trust levels, authentication types, corporate departments, etc.
[Diagram layers: Inner Application Web Code; Customizable Web Shell Code; Customizable Native Shell Code; Mobile Browser; Device APIs]
The Shell-based Application
Reducing the barriers of mobile development, making it ubiquitous across the organization, by compartmentalizing skill-sets and responsibilities
Shell Team
• Security configurations and audits
• Authentication
• Mobile expertise
Inner App Team
• Business logic
• Develop the UI
• Data integration
Distributed App
• Shell fed by repository
• Shell fused with app
• Shell packaged with directory
[Diagram labels: Server; App Stores]