The previous post discussed the general need for broking services to handle differences in mobile and corporate application environments. In this post we will look more closely at the security issues that mBrokers address.
Mobile applications are often written in the REST style using JSON as a format, because these mechanisms are simple, lightweight and perfect for the limited resources available to mobile devices. However, when these applications need to use corporate applications and APIs it can open a number of security holes. For starters, in the corporate SOA world integration is usually addressed through SOAP-based messages and web services. SOAP messages are usually encrypted, and there are extensive security protocols built into the web services standards specifications such as WS-Security. But the REST style of programming has little in the way of security protection; after all, REST is basically calling up URLs in a similar fashion to when you are surfing the net. This means that data may be ‘in the open’ and therefore exposed to prying eyes, and also intercepting the data and injecting malicious content is relatively easy.
The mBroker security services address these issues. For example, policies can be put in place so that sensitive information can be detected and secured, and the traffic can be scrutinized on entry to the corporate network for any injected threats or attacks. For example, content might be restricted to a small set of QueryString parameters, headers may be inspected to identify the type of data expected, and so on.
The other tricky aspect of securing enterprise mobile applications is the authentication and identity management area. As touched on in Part 1, OAuth is a loose standard providing a mechanism for delivering a level of authorization in the mobile world. In essence, resource owners authorize other services to use only that set of resources required for the task. The idea is that instead of having to log in everywhere, exposing your userid and password to different third party systems, the OAuth mechanism enables you to share a token with the service providers that restricts access. However, OAuth is quite new. OAuth was a typical web-based user-driven project which has now been developed, with OAuth 2.0, into a wider reaching standard specification. Not all of the web community are in favour of this wider direction, and the fact that OAuth 2.0 is not backward compatible with OAuth has not helped the situation at all. As a result different third party environments may not support OAuth at all or may support different levels.
Again, this is ideal territory for the mBroker. The mBroker can provide consistent OAuth implementation across all services, as well as bridging between OAuth and non-OAuth forms of authentication as required.
So mBrokers provide the mechanism to ensure that mobile enterprise applications do not compromise your corporate security goals.