The Combined Power of IBM API Connect and IBM MobileFirst Foundation for Mobile Security

A key contributor to Digital Transformation success is creating customized and personalized digital experiences that delight users, and engage them with your brand. To fuel digital transformation, you’ll likely start with exposing your business services & data through APIs to developers – internal, partner, or third party, so that they can build innovative Mobile, Web, or IoT applications that enable digital business. Then, once you launch your applications, you’ll likely shift focus to an equally critical challenge – optimizing the user experience for your users through continuous iteration, measurement & improvement.

In order to embark on this journey of digital transformation, and do it with the speed you need to be competitive or to push the innovation frontier, you’ll need to arm yourself with the right tools. IBM provides a compelling & complete set of tools to help you address both challenges involved in developing digital apps. With IBM API Connect, you can extend your backend services to be consumable for developers building applications, and with MobileFirst Foundation, you can continuously iterate on & optimize the user experience, leveraging those same APIs you exposed through API Connect.

Let’s take a look at some important aspects of digital apps that can be accelerated with the help of IBM API Connect & IBM MobileFirst Foundation.

Mobile Security

When exposing Enterprise data & services as APIs, it’s pretty obvious that you’d want to protect those endpoints to block hackers or unauthorized users from accessing sensitive data, or attacking enterprise systems. API Connect (running on IBM Data Power) provides comprehensive API security capabilities, such as applying OATH2 based user authentication to govern access to your APIs. But still there is the issue of how you want to allow your users to authenticate in mobile apps. When you think about mobile apps, and how to create an optimal user experience, you realize that there are several possible ways a user can authenticate – such as with Touch ID on a phone, or with a pin code on a watch. And for each interface type, one is probably more convenient than another other. Here’s where MobileFirst Foundation can help you. When API calls go through the MobileFirst Foundation Server, MobileFirst Foundation identifies which channel the request was made from, and knows how to trigger the authentication method appropriate for that channel. What’s more, MobileFirst Foundation provides the infrastructure, including an SDK, that makes it very easy to implement the security logic for all these different authentication methods to work. And, when the requests go through the MobileFirst server, you also get analytics on which apps, platforms, and channels are calling into your APIs, so you can make decisions about where to focus your development efforts.

In the world of mobile apps, there are also many innovative approaches to authentication that are geared towards achieving an optimal balance between user experience in the app & security needs. Take for example a mobile travel app that allows you to view the details of your reservation, and also checkout & pay for your stay. For the action of paying for a hotel stay, you might want to require a high level of security, to prevent fraud. Let’s say you want the user to prove who they are with both a user name + password combination, and with a one-time-passcode that they receive via SMS, using their mobile phone number as an additional identifier. To address this, you might choose to require a user name – password, and an SMS one time passcode every time a user logs into the app. But it would probably be more convenient for the user if they could log into the app with just a user name – password, and only need to provide a one time SMS code when they try to pay for their stay. This is called step-up authentication.

MobileFirst Foundation on-prem or Mobile Foundation service makes it very simple for you to implement step-up authentication, as well as other types of advanced security behaviors, like multi-factor authentication, & SSO between apps, aimed at providing a convenient user experience, while still meeting security needs. These methods would otherwise typically be quite complex to develop, since they are stateful behaviors, and because they require developers to have specialized expertise in mobile security. Worth emphasizing also that this topic goes beyond protecting individual APIs, and describes the security behavior in the context of the entire app, or even set of apps.

Till now we discussed user authentication, but another important aspect of digital app security is how to protect access to your APIs from malicious apps, or stolen or lost devices. Here IBM MobileFirst Foundation adds unique protections, including checking that apps trying to connect into your backend are authentic, before allowing access (ie haven’t been altered & repackaged by hackers), and the ability to blacklist stolen or lost devices so that apps on those devices cannot connect into your Enterprise. More than that, with MobileFirst Foundation you can block old versions of your app from accessing your backends, if for example, you discovered security holes in older versions, which you have since fixed in newer versions. And MobileFirst Foundation has a very nice feature called Direct Update, which enables you to deploy changes on the fly to mobile apps (specifically to the web resources) if you need to fix critical security issues in your existing versions, without going though another publishing cycle.

Finally, where mobile apps are involved, there is also the issue of how to protect customer or enterprise data when it is stored on the mobile device (for example for offline access, or so the app is more responsive). Or when it is in transit between the mobile device & the backend. Data can be stolen if a user’s device gets into someone else’s hands, and can be hijacked in transit when it is sent over the network to the backend. MobileFirst Foundation provides you with enterprise grade encrypted on device storage, and also has a unique Certificate Pinning feature, which you can use to ensure that data is sent from a mobile device only to a trusted server, and not to an imposter server.

Okay, so, if you are as excited about these comprehensive security capabilities as we are, you’ll be glad to learn that if you choose to leverage IBM API Connect & IBM MobileFirst Foundation together, for their combined power, we’ve also made it very easy for you to leverage them together. We have developed a new seamless & integrated experience to apply API & App protections together in your digital app projects.

For more information, check out our documentation on API Connect & MobileFirst Foundation Security Integration.

Inclusive terminology note: The Mobile First Platform team is making changes to support the IBM® initiative to replace racially biased and other discriminatory language in our code and content with more inclusive language. While IBM values the use of inclusive language, terms that are outside of IBM's direct influence are sometimes required for the sake of maintaining user understanding. As other industry leaders join IBM in embracing the use of inclusive language, IBM will continue to update the documentation to reflect those changes.
Last modified on May 07, 2018