Mobile application security

WEBCON Publisher Mobile form
Facebooktwitterpinterestlinkedinmail
Applies to version 2016.1.x; Author: Bartłomiej Spyrka

Currently, every defined profile in the mobile application has to be protected by a PIN or a password. This approach is not always convenient and it often does not comply with corporate security policy, which may require more adequate data and application protection.

The functionality described here will let the application user decide on the method of securing the entire application and individual profiles. Additionally, this change also enables the administrator to have global control over the process and enforce an appropriate level of application security.

 

Configuring the security of the environment

The security parameter found in fresh WEBCON BPS installations, or in installations updated to version 2016.1.3, is set to “Defined by user” by default. This value can be changed by an authorized administrator with access to WEBCON BPS Designer Studio.

There are 3 possible levels of security that can be set. They are found under:

System Configuration -> Global Parameters -> Required level of mobile application protection.

Fig .1 – Configuration of mobile application security

 

The following table contains a brief overview of the specific options. Examples of use can be seen further in the article.

 

Available configuration options:

Protection level

Behavior

  
0 – User
  • Users voluntarily set up application security (PIN)
  • Users voluntarily set up profile security (password)
1 – PIN
  • Enforces setting a PIN in the application
  • PIN applies to securing the entire application (not only the profile)
  • Forcing the use of PIN blocks the ability of manually unlocking it via application configuration
  • After resuming application from sleep mode, PIN must be provided
  • After 3 incorrect PIN entries, application configuration is cleared (restored to default settings)
2 – Profile password
  • Works per profile
  • Demands profile password on every log-in

_

Mobile application configuration

Adjustments in the user interface of the mobile application are an important element of this new feature. In the configuration menu – for each platform – there is an extra screen divided into the configuration of the application (currently associated with PIN security), and configuration of the profile itself.

Fig. 2 – New application settings screen.

 

It is worth mentioning, that securing an application with a PIN can assume various states and behaviors towards different environment setups / user profiles. Several of these combinations are shown in the table below.

 

Examples of the use of profiles and different security measures:

Description

 Level of security in BPS

Effects on the user

Case I – application has one defined profile
Profile 1

0 – User
  • Ability to voluntarily set a PIN
  • Ability to set a password that is required on every log in attempt

Case II – application has two defined profiles

Profile 1

0 – User
  • First attempt to log on to Profile 2 will trigger a screen where the user will need to configure PIN (unless it was set already) (Fig. 3)
  • In the application configuration, PIN will be set permanently to ‘YES’, and will be grayed out (without the possibility of changing this from application level) (Fig. 4)
  • Possible to change PIN at any given moment.
  • PIN required after resuming the application after prolonged inactivity.
  • Possibility to set password requirement on every attempt to log in

Profile 2

1 – PIN

Case III – application has a profile with forced password security

Profile 1

2 – profile password
  • Possible to voluntarily set PIN
  • Application requires password on every log in attempt

Case IV– application has defined 2 profiles (PIN + password)

Profile 1

1 – PIN
  • First attempt to log on to Profile 2 will trigger a screen where the user will need to configure PIN (unless it was set already) (Fig. 3)
  • In the application configuration, PIN will be set permanently to ‘YES’, and will be grayed out (without the possibility of changing this from application level) (Fig. 4)
  • Possibility to change PIN at any given moment, regardless of the profile on which the user is logged in.
  • PIN required after resuming the application after prolonged inactivity.
  • Possibility to set password requirement on every log in attempt on Profile 1.
  • Forced (by the application) to enter the password on every log in attempt on Profile 2.

Profile 2

2 – profile password


Fig 3. PIN entry screen

_

Fig 4. PIN security blocked to edit from application level

 

Removing PIN from application

The mobile application has the ability to delete a PIN that was set earlier. This functionality is available only when there is no profile on the device that would have a forced PIN setting. In this case, you need to go into the configuration, uncheck “PIN security” and confirm the configuration. After this, the settings PIN will be cleared.

Fig 5. Clearing PIN code in mobile application

 

Leave a Reply

Your email address will not be published. Required fields are marked *