Securing IS webservices for Mobiles

Hi All,

We have an application in MWS that is hosted on IIS through an iFrame that provides a customer with some account information.

A company has created an iPhone application that pretty much takes the user's credentials from the iPhone and passes them via the application developer's site through to the IIS iFrame path /my/App/Path/?username=&password=.

It then scrapes the response and passes it back to the iPhone in JSON format.

The architecture we have is:

IIS on https (DMZ) ← ARR → MWS (8.0.2) on https ← WS → IS (8.0.2) <-> DB
                                ^
                                |
                                v
                   OpenLDAP for authentication

My questions to the experts are as follows:

  1. If we are to have a mobile application that is on iTunes/Android Market (publicly available), how can we secure the IS layer to avoid someone generating applications that aren't official to use the web service?
  2. Do we have support for 2/3-legged OAuth on the IS layer?
  3. Maybe generate some registration process for the installation of the application to capture device-specific details and add them to some sort of whitelist? Almost like a banking application where you verify by sending an SMS with a code.

Now we can easily install certificates on IS and set up another in the DMZ with remote invoke capabilities, but it's just to protect against someone decompiling the application and working out the WS endpoint URL.

Any help/pointers on how best to proceed would be much appreciated; even if we have some documentation on best practices would be handy.

Regards,

Aditya Gollakota

Integration Consultant | Software AG | www.softwareag.com

M: +61 405 033 951 | E: aditya.gollakota@softwareag.com


Aditya,

A Policy Gateway or Policy Enforcement Point (Layer 7 SecureSpan) could help in this scenario as we can use the transport to check application type/name, session details, etc. for the service consumer and attempt to put some smarts around the caller after they have authenticated to some IDMS prior to calling the service end point.

Thanks & Regards,

Nino Ugonotti

From: Gollakota, Aditya
Sent: Tuesday, 28 February 2012 2:22 PM
To: Ask_Mobile_Community; RnD-wM-Security-SWAT; Ugonotti, Nino
Cc: Ask_wM_ProfessionalServices; Ask_wM_GlobalServices
Subject: Securing IS webservices for Mobiles
Importance: High
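
The two ideas above, the device-registration/SMS-code whitelist from question 3 and Nino's suggestion of a policy enforcement point that checks session and device details only after the caller has authenticated, can be sketched together in one small piece of code. The following is an added example written for this thread; it is not code from the original posts, from Software AG, or from Layer 7. It assumes a server-side signing key, an in-memory user table standing in for OpenLDAP, an in-memory whitelist, and a stand-in account_service() in place of the IS web service; the token format and the function names (start_registration, complete_registration, login, verify_token, gateway) are this example's own choices, and the user, password and device IDs used are constructed test data.

```python
"""Added example, not code from the thread, Software AG or Layer 7.

A minimal policy-enforcement layer in front of an account service, combining
the device-registration / SMS-code whitelist from question 3 with the
"authenticate first, then let the gateway check session and device details"
approach in Nino's reply. Constructed in-memory dicts stand in for OpenLDAP
and the IS service; token format and function names are this example's own.
"""
import base64
import hashlib
import hmac
import secrets
import time

SIGNING_KEY = secrets.token_bytes(32)  # assumption: generated once at deploy time
SMS_CODE_TTL = 300   # seconds a registration code stays valid
SESSION_TTL = 900    # seconds a session token stays valid
SIG_LEN = 32         # bytes of HMAC-SHA256 appended to each token


def _pw_hash(password: str) -> bytes:
    # Constructed stand-in for directory password verification (not OpenLDAP).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 50_000)


USERS = {"alice": _pw_hash("correct horse")}   # constructed user store
PENDING = {}       # (user, device_id) -> (sha256(code), expiry) awaiting SMS confirmation
WHITELIST = set()  # (user, device_id) pairs that completed registration


def start_registration(user: str, device_id: str) -> str:
    """Create a one-time code for this user/device and return it for the SMS
    provider to deliver; the code itself is never returned to the app."""
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[(user, device_id)] = (hashlib.sha256(code.encode()).digest(),
                                  time.time() + SMS_CODE_TTL)
    return code


def complete_registration(user: str, device_id: str, code: str) -> bool:
    """Whitelist the device if the code matches; a wrong or late code burns it."""
    entry = PENDING.pop((user, device_id), None)
    if entry is None or time.time() > entry[1]:
        return False
    if not hmac.compare_digest(entry[0], hashlib.sha256(code.encode()).digest()):
        return False
    WHITELIST.add((user, device_id))
    return True


def _sign(payload: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()


def login(user: str, password: str, device_id: str):
    """Check credentials once (sent in a request body, never a query string) and
    hand back a signed session token bound to a whitelisted device, else None."""
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored, _pw_hash(password)):
        return None
    if (user, device_id) not in WHITELIST:
        return None
    payload = f"{user}|{device_id}|{int(time.time()) + SESSION_TTL}".encode()
    return base64.urlsafe_b64encode(payload + _sign(payload)).decode()


def verify_token(token: str, device_id: str, now=None):
    """Return the user if the token is genuine, unexpired, issued to this device
    and the device is still whitelisted; otherwise None."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
        if not hmac.compare_digest(sig, _sign(payload)):
            return None
        user, dev, exp = payload.decode().split("|")
    except ValueError:  # bad base64, bad UTF-8 or malformed payload
        return None
    if dev != device_id or int(exp) < now or (user, dev) not in WHITELIST:
        return None
    return user


def account_service(user: str) -> dict:
    """Stand-in for the IS web service behind the gateway (constructed data)."""
    return {"user": user, "balance": 42.0}


def gateway(headers: dict, now=None) -> tuple:
    """Policy enforcement point: forward only requests whose bearer token and
    X-Device-Id header pass verify_token. Returns (status, body)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    user = verify_token(auth[len("Bearer "):], headers.get("X-Device-Id", ""), now)
    if user is None:
        return 401, {"error": "invalid session or unregistered device"}
    return 200, account_service(user)
```

The flow is: start_registration() produces the SMS code, complete_registration() turns a correct code into a whitelist entry, login() checks the password once and issues a token bound to that device, and gateway() is the enforcement point that refuses anything without a valid token, a matching X-Device-Id, or a still-whitelisted device. A decompiled app reveals the endpoint URL, but without a registered device and a live session the endpoint returns nothing; revoking a device is a single whitelist removal. A real deployment would keep the whitelist and pending codes in a shared store and would rate-limit both registration and login attempts.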

Also, Apple allows companies to have non-public app stores. For that kind of application this is definitely the way to go.

Hi Aditya,

We are introducing a new product called “wM Mobile Gateway” to solve the problem you have. It will be part of webMethods 9.0.

Regards,

Sachin