An overview of IBM MobileFirst Platform

An overview of IBM MobileFirst Platform Build, test, integrate, deploy and manage mobile applications Contents 1 The IBM MobileFirst Platform 2 More efficient development 9 Optimizing user engagement The IBM MobileFirst Platform The IBM MobileFirst Platform is a standards-based mobilemiddleware, categorized as a Mobile Enterprise Application Platform (MEAP) and Mobile Application Development Platform (MADP). IBM MobileFirst Platform Foundation core value-add is the connectivity to and extension of existing back-end systems also known as Systems of Records (SoR) with development, user engagement, security and management capabilities. 13 Securing your mobile channel at the user, application and device levels 17 Managing your mobile ecosystem Front-end Back-end Short time to market Web? Hybrid? Native? Teamwork Industrialize app dev Integrate with SDLC 30% of the value and effort is visible (mobile UI) 70% of the value and effort lies under the surface User engagement Connect to back-end systems Efficient and flexible push notifications Track and use location Offline availability B2E app distribution Push upgrades Security User authentication Malware detection integ Data protection Operations Manage and enforce app versions Track problems that affect UX Ensuring continued support in a quickchanging landscape Mobile apps go much deeper than the front-end User Interface

With the MobileFirst Platform, organizations can more effectively address the full lifecycle of mobile app development, delivery and on-going management. Application Scanning Quality Assurance Application Scanning Detect code vulnerabilities at the time of development Integrate Server Run time Quality Assurance Collect beta test feedback, crashes and analyze user sentiment Obtain insight Develop Studio Console Application Center Foundation Development, Run time, Operations, Console and Private Store Design Development Continuous Delivery Manage Instrument IBM MobileFirst Platform overview Deploy Operationalize Integrated DevOps for Mobile Test More efficient development With MobileFirst Foundation, you can support a wide range of development approaches from native to hybrid as well as web approaches. Therefore, you can evaluate the best approach for each situation, according to skills, time and functionality, without being limited by a specific approach to mobile application development. X Scan and certify Developers can use tools of their choice the provided command line interface (CLI) enables integration with tools such as Xcode, Android Studio, Xamarin, or any other development tool developers want to use. The mobile application lifecycle The IBM MobileFirst Platform consists of three distinct offerings: IBM MobileFirst Foundation to build, test, integrate, deploy, manage and better secure web, hybrid and native applications for desktop and mobile from standards-based technologies and tools IBM MobileFirst App Scanning to detect code vulnerabilities earlier during development IBM MobileFirst Quality Assurance to capture feedback from users and testers with sentiment analysis and frictionless bug reporting The MobileFirst platform also includes the IBM MobileFirst Studio, an Eclipse-based integrated development environment (IDE) that helps developers to conduct virtually all the coding and integration tasks required to develop rich and engaging applications. MobileFirst Studio is designed to augment Eclipse tools with a wide variety of enterprise-grade features delivered as plug-ins to streamline application development, debugging and testing as well as to facilitate enterprise connectivity. 2

Pure web Hybrid Pure native Mobile web site (browser access) Native shell enclosing external m.site Pre - packaged HTML5 resources HTML5 + native UI Mostly native, some HTML5 screens Pure native Web-native continuum HTML5, JS, and CSS3 (full site or m.site) Quicker and cheaper way to mobile Sub-optimal experience HTML5, JS, and CSS Usually uses Cordova Downloadable, app store presence, push capabilities Can use native APIs As previous + more responsive, available offline Web + native code Optimized user experience with native screens, controls, and navigation App fully adjusted to OS Some screens are multiplatform when makes sense App fully adjusted to OS Best attainable user experience Unique development effort per OS, costly to maintain Approaches for the development of mobile apps Regardless of how you choose to develop your apps, development complexity rises when you need to develop multiple apps in different versions, support multiple mobile operating systems, or enable many developers to work together on a rich app. With the MobileFirst Foundation, developers can reduce the development cycle by automating app tests directly on their PC. They can reuse code across or within apps by using templates and components. Developers can integrate with SOAP, REST and SAP services in seconds without writing a line of code. In addition, they can efficiently tailor ready-to-use mobile build and test scripts to their corporate build framework and share the resulting applications with developers and testers. All these capabilities are available for native, hybrid and web developers in a complete IDE or as a flexible set of command-line tools. Developers of hybrid applications can also benefit from greater flexibility to build Cordova-based apps, where the IBM platform helps enable them to have control of the portions 3

IBM Software Capability Objective-C for ios Java for Android C# for Windows Phone 8 C# for Windows 8 Integration with back-end systems through adapters MobileFirst Platform Authentication Framework Development Functional testing - Application version enforcement Unified push and SMS notifications - Location Services - - On-Device Encrypted JSON Store - - Log collection for analytics - - Remote-controlled client-side log collection - - MobileFirst Platform native capabilities Pure native development With the pure native development approach, you can create applications that fully use the device capabilities without any compromise on performance and user experience. Such applications are written for a specific platform environment as Objective-C for ios, Java for Android for Java ME or C# for Microsoft Windows Phone 8 and Microsoft Windows 8 and use MobileFirst Platform capabilities through its provided native APIs. Command Line Interface To help developers get a better tools experience, the CLI tool can be used to more easily create and manage both native and hybrid apps. The CLI enables developers to use their preferred text editors or alternative IDEs to create mobile applications. The CLI does not require MobileFirst Studio for most standard activities. The commands support tasks such as creating, adding and configuring with the MobileFirst Platform API library, adding the client-side MobileFirst Platform properties file and conducting the build and deployment of the MobileFirst Platform application. Adapter creation, deployment and local testing can be conducted within the command line. Administration of your MobileFirst Platform project can be done from CLI or REST services, or the MobileFirst Console, where you can more easily control the local server and observe the logs. Command-line tools can be used on their own, or in parallel with the MobileFirst Studio tools. Everything that is generated by using the command-line interface is compatible with MobileFirst Studio. You can also use the CLI to integrate third-party tools such as ANT or Grunt to create your own tool chain for automated testing, build and deployment flows. 4

Native-device SDK integration MobileFirst Studio is also designed to integrate with the software development kits (SDKs) of the mobile devices that the MobileFirst Platform supports including Android, ios, Microsoft Windows 8, Microsoft Windows Phone and Blackberry. With this integration, developers can take full advantage of the native code capabilities, development tools, testing and debugging mechanisms that are native to the mobile SDKs, without leaving the development environment. Automated mobile functional testing To accelerate delivery cycles of mobile applications, you require fast and effective test cycles. MobileFirst Platform software includes integrated automated functional testing. This testing is available for Android and ios native, hybrid and web applications. Created for developers and testers, this capability is designed to automate functional testing of apps that are developed with the MobileFirst Platform. First, developers or testers record a sequence of actions on a mobile device, emulator or simulator by using an instrumented recording-ready application to generate a test script. Next, developers or testers edit and enhance the script by using natural-language syntax to add verification points and other instructions. Developers and testers can run the enhanced test script on demand on a real device, simulator or emulator. They can view and share the results by using a generated HTML report. Developers and testers can test MobileFirst Platform apps more rapidly and methodically at a reduced cost because of automated functionality testing. As a result, developers and testers can help enable higher-quality mobile apps. Centralized build The IBM MobileFirst Platform Builder is a stand-alone application that can be more easily integrated with common central build services, such as IBM Rational Jazz Builder, Hudson and Luntbuild. Using the centralized build functionality, the different teams involved in the development, testing and quality assurance (QA) phases can work from one common version of the code without complex installation of dedicated mobile environments locally. Therefore, teams can more effectively enhance the collaboration and automation of the internal application development process. Hybrid development Facing the constantly evolving fragmented ecosystem of mobile devices and operating systems, application development has become a costly, yet an unavoidable endeavor. This challenge has led to the creation of a market for cross-platform mobile development solutions that is rapidly growing. Most solutions in the market today rely on limited proprietary tools delivering lowest-common denominator based on code cross compilation or interpretation from what you see is what you get (WYSIWYG) tools or prepackaged apps. The result is an unavoidable tradeoff between user experience and multiplatform coverage. With the MobileFirst Platform hybrid development approach, applications can have any mix of standard native and web code, even in the same UI views. Hybrid applications execute inside a native container and use the browser engine to display the HTML5/JavaScript and CSS part of the application interfaces and business logic. The native container, based on Apache Cordova also known as PhoneGap, grants application access to device capabilities that are not accessible to standard web applications, such as the accelerometer, camera and device local storage. Hybrid applications developed with the MobileFirst Platform can be distributed through public or private cross-platform application stores and developed either by using the provided MobileFirst Studio CLI or IDE tools. For example, the Mobile Browser Simulator enables advanced debugging earlier in the development cycle to further accelerate developments with multiple form factors preview side by side and Apache Cordova APIs simulation. 5

Because developers are not dependent on an intermediary build-time or runtime layer, such as a cross-compiler or interpreter, native APIs are accessible upon release of new mobile operating system (OS) versions or third-party libraries. Furthermore, the applications web code is executed directly by the mobile browser, so developers have direct access to the HTML Document Object Model (DOM) and are free to use any JavaScript API or third-party JavaScript toolkits and frameworks. There are several ways of combining native and web code in MobileFirst Platform hybrid applications, including: Native and web code mix. With the MobileFirst Platform, you can mix virtually any set of native code with web code for different, or within the same screens or application logic. Some of the benefits include full use of native capabilities and optimized balance between code reuse and performance for user experience where needed. Pre-packaged HTML5 resources. Unlike the following approach, the web resources are not loaded from an external website at run time but are packaged within the application itself, thus enabling improved application responsiveness and off-line operations support. In addition, you can enable greater cross-reuse across delivery channels with the combined use of responsive design and MobileFirst Platform skins. Native shell application enclosing an external mobile website. With this approach, your mobile website is displayed inside the native shell provided instead of the device browser allowing application access to the device native functionality through JavaScript APIs. There are drawbacks to this approach because of downgraded user experience with subpart response time and off-line modes. Support for HTML5 MobileFirst Platform software uses a standards-based approach that enables developers to write or import code, to circumvent the debugging and maintenance limitations of proprietary interpreters or code translators. You can benefit from capabilities that include: A cleaner, more readable and consistent HTML code Visual HTML editing in Rich Page Editor; HTML5 tags and attributes are directly supported in RPE Access to rich media types including audio and video that are usually available only by way of native code Use of advanced UI components, such as data pickers, sliders and edit boxes that automatically support ellipsis and others implemented natively by the browser Use of Cascading Style Sheets 3 (CSS3) styles and CSS3-based animation to reduce application size and to improve application responsiveness Application distribution channels that go beyond the different application stores and their time-consuming and limited restrictions Support for location services Offline storage capabilities Support for third-party JavaScript toolkits and UI frameworks In addition to its support for HTML5, MobileFirst Platform software provides integration with the growing ecosystem of UI frameworks, such as Ionic, Angular or jquery Mobile. Developers can pick the JavaScript UI framework of their choice and use it to develop their application within the MobileFirst Studio. 6

Rich Page Editor (RPE) Furthermore, the MobileFirst Studio ships with a WYSIWYG drag-and-drop for UI design and development. With these editing capabilities, developers can create pure HTML or HTML and JavaScript files by dragging HTML5, JQuery and Dojo mobile components from a built-in palette to the HTML canvas. Developers can use property sheets to control HTML and CSS properties. At the same time, with these editing capabilities, developers can enable direct editing of HTML and CSS files, updating the graphical canvas to visualize almost immediately the impact of their changes. These editing capabilities are integrated with the MobileFirst Platform optimization framework, making it possible for developers to view a specific application environment or to view a specific skin. Screen templates To deliver an outstanding mobile UI experience, conformance to continuously evolving mobile patterns of behavior that are specific to each OS family is required. MobileFirst Platform software includes screen templates that automate the creation of mobile screens. The design of these screen templates is based on industry-proven methods. Developers can choose from templates in four categories including: Lists Authentication Navigation and search Configuration Each screen template can be previewed live, used as is, or further refined using any combination of web and native technologies. Optimization framework Unlike other alternative approaches, the MobileFirst Platform optimization framework enables developers to share the majority of the application code across multiple environments, without compromising platform-specific user experience or application functionality. Developers can share the common application code among multiple environments, while isolating environment-specific code in designated code branches that can overwrite or augment the commonly shared code. As a result, application logic remains consistent among the different environments, while the UI behaves natively and adheres to user expectations and the differentiated functionality and design guidelines of the device. Therefore, developers can strike the desired balance between development efficiency, application functionality and user experience. Hybrid application web portion of the code can be updated with the IBM MobileFirst Platform Direct Update mechanism. Further performance improvements with direct update are possible through differential direct update where the end users receive only the web resources that have changed between updates instead of the entire web resource package. Runtime skins You can further optimize your hybrid apps by using runtime skins. These skins are packaged with the application s executable files and are applied to the mobile app during run time. With this capability combined with responsive design techniques, it is easier to automatically adjust the application appearance and behavior to different devices from the same OS family and better manage application code complexity. Common scenarios that benefit from runtime skins include: Different screen sizes and screen densities Different input method Different support levels for HTML5 7

The shell approach When different teams having varying degrees of expertise work on common mobile projects, the MobileFirst Platform shell approach can help separate concerns among teams. An external shell is a customizable container that provides JavaScript access to the native capabilities of the device. A dedicated expert team works on one or multiple shells for branding, security configurations, audits and authentication frameworks. Using such shell structure forces hybrid inner applications to automatically comply with its built-in policies as data access restriction, use of certain APIs and different branding. With the corporate policies enforced by the shell, the inner applications can be more easily built by departmental development teams using well-known web technologies. Such teams are only required to focus on the user interface and business logic. Desktop and mobile website development In this model, the application that executes the device s browser can be made platform independent and requires no installation, with simple access through a URL or bookmark. The downside is support for connected mode only, sub-part user experience with potentially response time and no access to the device functions such as camera or contact list. Aspects of each development approach With the MobileFirst Platform, you can select the most appropriate development approach fitting your application context and objectives. Selecting the best development approach must be the first step of your application project. The major aspects of the supported development approaches to help you decide which one best fits your needs include the following: Comparison of mobile development approaches Aspect Mobile website development Native shell, external mobile website Prepackaged HTML5 resources Mixing web and native in code and UI Pure native development Easy to learn Easiest Easiest Medium Harder Hardest Application performance Slowest Moderate Good Fastest Fastest Device knowledge required None Some Some Some A lot Development lifecycle - build, test, deploy Application portability to other platforms Shortest Shortest Medium Medium Longest Highest High High Medium None Support for native device functionality Some Most Most All All Distribution with built-in mechanisms No No Yes Yes Yes Ability to write extensions to device capabilities No No Yes Yes Yes 8

Optimizing user engagement Users value apps that help them complete tasks such as ordering takeout, hailing a taxi, or making a restaurant reservation. To deliver this type of transactions, you require mobile application integration with existing back-end services and data. out unneeded parts of large payloads from legacy services targeted at the traditional web channel. Furthermore, adapters can enable server-side service composition to reduce the number of requests to optimize application response time over slow mobile network. Standardized back-end access with adapters The MobileFirst Platform enables mobile apps back-end connectivity over HTTP, JMS, SAP, Unstructured Supplementary Service Data (USSD) and SQL and you can further optimize connectivity by using IBM Integration Bus or IBM Cast Iron. The MobileFirst Platform adapter architecture is designed to promote a decoupling of integration logic, which is hosted on the server side from the mobile application logic. As a result, with this IBM architecture, you can manage back-end services and mobile-apps-distinct evolution timelines. Moreover, mobile apps often have to connect to services that were built long before mobile was in existence, which poses challenges in both data delivery and service security for the mobile channel. The MobileFirst Platform is designed to deliver ready-to-use data transformation capabilities to the JSON format to optimize payloads size and response time for the mobile applications. For instance, adapters can easily filter In terms of integration security, the MobileFirst Platform provides mobile-specific and fine-grained security controls that can be wrapped around legacy services. In addition, the MobileFirst Platform acts as a strong control point, enabling overview and management of mobile activities. This platform also includes built-in analytics for user actions and device and application properties with possible extension to monitor and act upon unusual usage patterns that might result from fraudulent repackaged apps. Integration is the driver for the level of interaction many users expect from their mobile apps and the MobileFirst Platform provides a robust set of integration capabilities. With these features, you can use existing enterprise investment, optimize data delivery to sustain user interactions over unstable mobile networks and help reduce development cost by providing zerocode integration paths. In addition, you can improve organizational insight into user experience through analytics. Automated services discovery for SOAP and SAP Generation of adapters for the discovery of SOAP automated services 9

With the MobileFirst Platform, you can further expedite the creation of mobile apps that call SAP NetWeaver Gateway and SOAP-based web services described by Web Services Description Language (WSDL). With the MobileFirst Platform services discovery wizard, developers can specify the back-end services called from the mobile app and generate application specific adapters for web, hybrid, or native app with near-zero coding. Further, developers can place them in the proper mobile app project folder. Unified push notification and SMS There are many differentiated characteristics of mobile apps but perhaps none more so than the notion of anywhere, anytime engagement. The MobileFirst Platform provides a unified API to send push notifications and SMS from the server to mobile apps, helping developers to more easily manage mobile platform fragmentation. In addition, they can develop a single set of logic to send push notifications across their target platforms. The MobileFirst Platform provides the ability to send broadcast notification to all devices and targeted messages to a specific set of users, a specific device or a specific user. By using the device specific capabilities, the MobileFirst Platform also supports interactive push notifications for ios8, Android L heads up notification and silent notifications for ios7 onwards. Location services If push notifications deliver the means for engagement, location services deliver the ability to engage in context. The MobileFirst Platform is designed to help engage users based on their location by providing end-to-end services for detecting, transmitting and consuming location-based events in back-end business processes, decision management systems and analytics systems. Back-end System Back-end System Polling Adapters Messagebased Adapters Unified Push API Notification State Database User Device Database ios Dispatcher Android Dispatcher Windows Phone Dispatcher SMS Dispatcher ios Push API Android Push API Windows Push API Broker API Apple Push Servers (APN) Google Push Servers (GCM) Microsoft Push Servers SMS/MMS Brokers Worklight Client-side Push Services Worklight Client-side Push Services Worklight Client-side Push Services Administrative Console Notification statistics, SMS subscription control Optional 2-way SMS Unified Push Notifications 10

Traditional approaches constantly poll device GPS or triangulate and then send the resulting position to the back-end systems for decision-making. Whereas, the MobileFirst Platform delivers a location services framework that helps optimize development time, battery and network usage. Device Run time Worklight Server Application code Adapter code Set acquisition policy and triggers Transmit events Trigger callbacks Set event handlers Get device context Set app context Event callbacks Device location API Worklight device run time Events Device context Server location API Worklight server run time Log activities and event with device and app contexts Analytics and reporting MobileFirst Platform geo-services architecture Telco forwards this to a USSD gateway HTTP/S Worklight responds to the gateway request with the USSD menu options (configurable) USSD Gateway Worklight Adapter Mobile User dials USSD short code e.g. *123# Gateway maps the short code to a known URL provided by the enterprise and creates the USSD session Enterprise backend Enterprise MobileFirst Platform USSD architecture overview 11

IBM MobileFirst Platform Foundation location services provide both client-side and server-side services that deliver: Points of interest and geo-fences definition and a more efficient, policy-based controlled acquisition of GPS, triangulation and Wi-Fi coordinates to save battery, whether the application is executing in the background or foreground Events generation for action triggering based on location changes as when crossing a geo-fence and server-side logic to enable meaningful reaction to important geo events More efficient communication with back-end systems and batch sends to optimize network use Unified server-side API that enables developers to consume location events on the server and take action to facilitate enterprise systems integration into patterns of intelligent user engagement The benefits of MobileFirst Platform location services are twofold to the organization. First, developers do not have to worry about efficient location data collection and transmission for the client because they can use MobileFirst Platform services. Second, developers can build one set of locationenriched engagement logic on the server and apply that logic to their mobile apps throughout platforms. This IBM platform s location services help people at organizations more efficiently understand where app users are and more importantly execute business logic based on this contextual understanding. Indoor location using ibeacons You can engage users based on their proximity to an enterprise beacon by delivering location-relevant messages, information, promotions and so on. The MobileFirst Platform provides REST APIs to register and manage the beacons on the server side. Similar to outdoor location triggers, the admin team creates triggers that are activated when a user is nearby enterprise beacons. Developers can retrieve a list of beacons and triggers by calling a WL Server API in an adapter Unstructured Supplementary Service Data USSD provides a cost-effective alternative to mobile apps in emerging markets where feature phones as opposed to smartphones are still fairly common and data networks unreliable. USSD is a protocol used by GSM cellular telephones to send text messages between a mobile phone and an application program in the network. USSD establishes a real-time session between the mobile phone and the application that handles the service. The MobileFirst Platform is able to: Accept incoming requests from a USSD gateway and map the USSD short codes as a user entering *123# to the corresponding MobileFirst Platform adapters Construct and respond with USSD menu options Call corresponding back-end services through the MobileFirst Platform adapters The IBM MobileFirst Application Center cross-platform private app store The MobileFirst Application Center enables teams to set up an enterprise cross-platform private application store to help govern the distribution and management of pre-release and production-ready mobile applications. This MobileFirst private app store can manage MobileFirst and non-mobilefirst-based applications, including apps from public app store. Administrators can make the most of existing authentication frameworks, including ACL and LDAP, to manage app distribution by department, job function, geography and other schema. Employees who access the MobileFirst Application Center from their mobile devices will only see the mobile apps that they are allowed to download and can rate apps and provide feedback to help future enhancements. 12

For development teams, the MobileFirst Application Center provides a more convenient way to distribute pre-release software to developers and testers. Feedback can be organized by device and by version to quickly isolate and resolve defects, whether those defects are device-specific or version-specific. The MobileFirst Application Center is designed to also integrate with software-build processes to automate the distribution of the latest releases to project teams, helping to accelerate the develop-test-debug cycle. The MobileFirst Application Center provides: Administrators with improved governance over the distribution of mobile apps throughout the enterprise, including app hosted on public app stores; Employees with easier access to the latest apps that are needed by their departments or job function and that are optimized for their device; Developers with an easier way to distribute mobile builds and to elicit feedback from members of development and test teams The MobileFirst Application Center is designed to manage native or hybrid applications for the Google Android platform, the Apple ios platform, the Microsoft Windows Phone 8 platform, Microsoft Windows 8 and the BlackBerry OS 6 and OS 7 platform. Securing your mobile channel at the user, application and device levels Security is a clear priority for executives at organizations embarking on mobile implementations but it proves to be challenging. Up to 53 percent of enterprises report that they struggle to implement effective end-to-end mobile security measures. 1 A key characteristic of the MobileFirst Platform security framework is its delegation to the existing security infrastructure to foster reuse and security standardization across delivery channels. IBM MobileFirst Server is designed to integrate more seamlessly as a presentation tier into the existing enterprise infrastructure while supporting custom extensions to integrate with virtually any security mechanism. The IBM MobileFirst Foundation security framework provides a wire protocol that enables the combination of challenges and responses of multiple security checks during a single request-and-response round trip. With this IBM security framework, the number of client and server round trips can be reduced and the application logic from the security checks implementation can be separated. The MobileFirst Platform facilitates stronger implementation of security measures at the user, data, application and device levels: The MobileFirst Platform provides an open userauthentication framework to help you integrate your mobile apps with existing enterprise or third-party security systems. The MobileFirst Platform enables the basic authentication approach that uses the username and password. But the MobileFirst Platform also enables more complex schemes such as certificate-based authentication and multifactor authentication protocols with one-time passcodes, step-up authentication procedures and more. A typical example of multifactor authentication is the combination of device, application and user authentication. You can also integrate the MobileFirst Platform with existing enterprise certificate authority such as X509 Public Key Infrastructures (PKI) certificate creation back-end, to pass requests for the creation of certificates and use resulting certificates. Resulting X509 certificates stored on the devices help deliver enhanced user experience by streamlining user authentication steps as removing login and password steps for a particular app on a given device. X509 certificate creation software is provided if you do not already have one deployed. The MobileFirst Platform is also designed to support off-line authentication, single sign on (SSO) capabilities for multiple mobile apps to participate in a globally authenticated session. 13

The MobileFirst Platform helps more effectively secure data on the device with the JSON Store AES-256 encryption. You can further secure data on the device and in transit with the use of optional libraries to make them FIPS 140-2 compliant. You can protect applications against repackaging attacks with app authentication by ensuring that mobile apps that connect to the MobileFirst Platform environment are known and trusted. With the MobileFirst Platform, you can also support integration with third-party jailbreak and malware detection libraries. These capabilities are complemented with the MobileFirst Platform direct update to automatically propagate updates of web portions of the hybrid mobile apps, thus helping to ensure latest security patches are deployed to users. To protect against malicious changes to direct update, the MobileFirst Platform provides direct update authenticity verification, where the authenticity of the direct update package is verified before it is installed on the end user s device. The MobileFirst Platform also provides device provisioning capabilities which enable control over which device can access corporate back-end systems. In addition to all of these capabilities, this IBM platform provides management controls through standard Java EE security controlled for role-based access to UI console, analytics console, CLI and REST APIs used for the automation of tasks. They help administrators to mitigate risk in the face of unknown app vulnerabilities and recently lost devices. Furthermore, administrators can more quickly change access rules with fine-grained management of user or device or application triplets with disablement of all or given apps for all or given users or devices. Protect data on the device Proactively enforce security updates Encrypted cache / DB Offline authentication Secure challengeresponse on startup App authenticity testing Jailbreak and malware detection Remote disable Direct update Mobile platform as a trust factor Authentication integration framework Data protection realms Coupling device id with user id Proven platform security SSL with server identity verification Code obfuscation Streamline corporate security approval processes Provide robust authentication and authorization to secure users Protect from known application security threats MobileFirst Platform Security Framework 14

Mechanism Benefit Details On-device Help protect sensitive information from malware Uses AES256 and PCKS #5-generated encryption keys for encrypted storage attacks and device theft storing app-generated information on the device Enables offline user authentication Implemented in JavaScript that is highly obfuscated, with optional native performance enhancements Direct update Take action to help ensure timely propagation of New versions of the code can be distributed without requiring updated hybrid app versions to the entire install base the manual update of the application and are applicable to web resources Remote disable Enforce timely adoption of critical security updates to Server-side console enables configuration of allowed app versions. the entire install base Administrator can ask users to install security updates to the native code. Authentication Help reduce overall cost and complexity of integration Server-side architecture designed for integration with back-end framework with authentication infrastructure authentication infrastructure based on Java Authentication and Authorization Service (JAAS) concepts, with authentication realms Specify one SSL per HTTP adapter for enhanced flexibility and security Ready-to-implement integration with Kerberos, NTLM, Basic and Digest authentication Ability to encrypt server-to-server SOAP communication with X509 certificates, following the Web Services Security (WSS) standard Client-side framework for asynchronous login requests on session expiration X509 certificates support Server-side Help prevent SQL injection and help protect against Prepared-statement enforcement safeguards cross-site request forgery (XSRF) Validation of submitted data against session cookie Enterprise SSO integration Use existing enterprise authentication facilities and user credentials and enable employee-owned devices Client-side mechanism obtains and encrypts user credentials, sends to the server with requests Encryption incorporates user-supplied PIN, server-side secret and device ID Credentials cannot be retrieved from lost or stolen device 15

Mechanism Benefit Details Device SSO Enables a mobile user to authenticate one time to Upon successful login, the authentication state is saved in the integration gain access to multiple mobile applications from a database and used for validations in subsequent sessions single device from the same device Mobile users get a more-seamless experience without having to explicitly log in to each application Enterprise teams can integrate authentication services under a single umbrella, streamlining governance and reducing help-desk costs that are related to password resets and security Developers can help eliminate redundant development effort; they are no longer required to build authentication into each application independently No credentials are stored in the on-device database; only the state of the authentication is stored, for improved security Virtual private Enable delivery and operation of mobile apps for Client-side and server-side frameworks act as secure socket layer network (VPN) employee-owned devices or device types that are (SSL)-based VPN alternative not allowed on the corporate network Enable delivery when installation of VPN client on mobile devices is not possible or when such installation is complicated to manage Network access control and policies are preconfigured in the client-side framework layer Network access and security measures are updated using server-side framework On-device encrypted storage to help prevent compromise of sensitive data These capabilities are essential, but business leaders realize that delivering secure mobile apps is about more than securing the run time; security must be embedded into the development and app lifecycle management process. With MobileFirst Application Scanning, you can conduct a static code analysis of a mobile app, both native and web content, to detect potential vulnerabilities earlier during the development cycle for data leakage, sensitive information exposure, high-risk API usage and more. This analysis can be an automated part of an organization s continuous integration and build strategy and it can be run on demand as well. Static code analysis for mobile apps is an important part of raising an organization s overall security posture. With MobileFirst Application Scanning this analysis is made easier to institutionalize as part of the mobile app lifecycle. 16

The MobileFirst Platform also integrates with: IBM MaaS360 from IBM Fiberlink to help support BYOD strategies with full device control through policies, app containerization and app security as copy and paste prevention IBM Trusteer to deliver a context-driven risk assessment and advanced malware and jailbreak detection IBM DataPower for scalable security enforcement points (PEP), traffic management, message validation, transport level communications protection and rate limitation through policies ISAM for risk-based access (RBA) and single sign-on (SSO) using LTPA token, HTTP header, or OAuth Clearly, security is an imperative for companies delivering mobile apps and it goes deeper than security measures employed for traditional web applications. The MobileFirst Platform provides a more comprehensive set of and integration with security-focused capabilities that help address both development and runtime concerns. Security officers and developers can use these capabilities to enhance their mobile security posture without spending considerable upfront and ongoing resources to match with what the MobileFirst Platform provides right off the shelf. The MobileFirst Platform does not warrant that systems and products are immune from the malicious or illegal conduct of any party. Managing your mobile ecosystem Unlike web application where you are in full control of the experience and versioning where users get the sanctioned version when connecting, mobile applications are a different challenge, with binaries executing on end-users devices, traditionally outside of your control. The MobileFirst Platform is designed to provide means to claim back control with its Mobile Application Management (MAM) capabilities while maintaining a higher level of insights with operational analytics. Enterprises can hardcode the MobileFirst server address in the client application in which case all the users connect to the same server. An alternative will be for enterprises to distribute a single application to multiple groups of users and each user group connects to a locally hosted MobileFirst server. The MobileFirst Platform provides APIs to dynamically change the MobileFirst server address. The MobileFirst Console The MobileFirst Console is a web-based user interface, also available through REST services, Ant tasks or CLI tools to more seamlessly integrate with your automation system of choice. The MobileFirst Console is dedicated to the ongoing administration of the MobileFirst Server and its deployed apps, adapters and push-notification services whether in development or production. 17

Supports multiple versions on the same platform Device specific versions are uncoupled Worklight console app management Main management tasks include: Deployment of mobile applications and adapters Fine-grained management of users, devices and applications Black listing given devices when lost and managing their provisioning, preventing access to given users when role changed or managing multiple versions of the same application Remotely disabling applications by version and mobile-operating-system type Management of notification messages on application startup when installation of new application version is requested Control and monitor push-notification services, event sources and related applications. Troubleshooting and problem determination with serverinitiated client log collection for given devices, apps and users Automated collection of user-adoption, device and app properties, user actions and back-end calls, JSONStore and back-end system calls performance, usage information, exceptions, crashes, logs and response time, with customizable dashboards for auditing and reporting purposes. All collected data can be easily exported for further analysis by external business intelligence tools. 18

Ready-to-use analytics helps address the following: The MobileFirst Console can administer several runtime environments from several independent MobileFirst projects deployed to the same application server or cluster. The MobileFirst Console includes role-based security different built-in profiles: with Monitor. This role includes read-only profile monitoring of MobileFirst-deployed artifacts. Operator. With this feature, you cannot add or remove applications and adapters but you can conduct all other management operations Deployer. This role includes the same capabilities as the operator role but also the capability of deploying applications and adapters. Administrator. This role includes all administration operations. Operational analytics for usage insights The MobileFirst Platform provides an advanced operational analytics platform to automatically assemble and analyze user-adoption, device and app properties, user actions and back-end calls, JSONStore and back-end calls performance, usage information, exceptions, crashes, logs and response time. Search across logs and events collected from devices, apps and servers enable patterns and problems and platform-usage insights. The following sources are combined into the analytics repository: Interactions of any app-to-server activity; anything that is supported by the MobileFirst Platform client/server protocol, including push notification Client-side logs and crashes Server-side logs that are captured in traditional MobileFirst Platform log files The IBM MobileFirst Server for analytics is provided as a WAR file for standard install and administration. Using the MobileFirst Platform approach, developers can instrument mobile apps using the provided library for more efficient collection and streaming of information. Business leaders who optionally upgrade to the IBM Tealeaf CX mobile platform can gain additional insight into mobile user-experience analytics. This insight includes session replays, device orientation, screen size and touch-screen interactions, to understand the behavior of mobile users for web and native applications. These insights empower organizational teams to diagnose and resolve customer struggles that can be difficult to identify and that inhibit application usability and effectiveness. For more information To learn more about the IBM MobileFirst Platform, please contact your IBM representative or IBM Business Partner, or visit the following website: ibm.com/mobilefirst Additionally, IBM Global Financing can help you acquire the software capabilities that your business needs in the most cost-effective and strategic way possible. We ll partner with credit-qualified clients to customize a financing solution to suit your business and development goals, enable effective cash management, and improve your total cost of ownership. Fund your critical IT investment and propel your business forward with IBM Global Financing. For more information, visit: ibm.com/financing 19

Copyright IBM Corporation 2014 IBM Corporation Software Group Route 100 Somers, NY 10589 Produced in the United States of America November 2014 IBM, the IBM logo, ibm.com, Cast Iron, DataPower, Jazz, Rational, Tealeaf, and Trusteer are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at Copyright and trademark information at ibm.com/legal/copytrade.shtml Fiberlink, MaaS360 are trademarks or registered trademarks of Fiberlink Communications Corporation, an IBM Company. Microsoft, Windows and Windows NT are trademarks of Microsoft Corporation in the United States, other countries, or both. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. This document is current as of the initial date of publication and may be changed by IBM at any time. It is the user s responsibility to evaluate and verify the operation of any other products or programs with IBM products and programs. THE INFORMATION IN THIS DOCUMENT IS PROVIDED AS IS WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided. The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation. 1 The Upwardly Mobile Enterprise, IBM Institute for Business Value, October 2013 Please Recycle WSW14181-USEN-09