Flavors of Mobile Security/SSO for Mobile Web Apps, Native/Hybrid Apps, MAM & MDM

I recently came across quite a few customer use cases which require mobile security/Single-Sign-On (SSO). While it may sound generic, there's a lot more to it.

This post intends to provide some clarity around the various security use cases for mobile apps possible & the high level solution approach using Oracle IDM -

1) Security for Mobile Web Applications (Invoked from a mobile browser)

This is no different from invoking a web application on a desktop or a laptop. Would use Oracle Access Manager(OAM) based SSO alongwith OHS+Webgate.

2) Security for Native/Hybrid mobile applications on personal devices 

(Leveraging existing IDM Platform)

This can be achieved using OAM Mobile & Social Services (OAMMS) which has support for Android and iOS platforms. For other platforms (like Windows) OAM Mobile OAuth Services (along with REST calls) within OAM can be leveraged. Mobile applications implemented using REST and supporting OAuth  makes mobile app security technology agnostic (similar to what SAML does to federation).

Image Courtesy : Oracle PM Team Blog

3) Security for Native/Hybrid mobile applications on corporate owned devices 

(MDM or Mobile Device Management)

This feature is currently not available in the Oracle IDM World, but would be available in Oracle Mobile Security Suite (OMSS) in the upcoming 11gR2 PS3 (11.1.2.3).

4) Security for Native/Hybrid mobile applications on personal devices (BYOD concept) 

(MAM or Mobile Application Management)

This can be implemented using OMSS. The concept uses a Secure Mobile Workspace within the personal device which silos all corporate communications using an App Tunnel. The concept is explained in detailed at my blog on OMSS here.

Image Courtesy : Oracle Document

What is Oracle Mobile Application Framework (MAF) ?

 Oracle Mobile Application Framework (MAF) was launched on June 30 , 2014. 

It is Oracle's latest mobile platform to develop hybrid mobile applications(which run on device and are built using web technologies like Java/ADF) and can be deployed to iOS & Android platforms.

It is basically an extension of ADF Mobile with a few additional features -

• Ability to develop using multiple IDE Tools like Eclipse(OEPE*) besides Jdeveloper.
• Additional AMX* components (totally 80 now) to develop mobile applications & provide a rich look & feel.
• Newly suppported ADF DVT* components like Sunburst & Timeline.[Demos]
• Supoort for Apache Cordova Plugins .
• Support for O-Auth & web-SSO for Security.
• Complete integration with Oracle Mobile Security Suite (OMSS) which is a part of Oracle IDM.
• Available Jdeveloper 12.1.3 onwards.
• Migration of existing ADF Mobile Applications is easy , just open application in new Jdeveloper !
• Licensing for Oracle MAF is now seperate ( per user per app or unlimited users per app).
• Higher reusability using Feature Archives (FARs) & custom components.
• Support for HTML5 and Javscript development.

Architecture ( Source : Oracle )

Resources

Announcement

Datasheet

Introduction video & videos for developers (by Grant Ronald)

Demos

Certification Matrix

Glossary
*  DVT - Data Visualization Components (Graphs/Charts etc)
*  OEPE - Oracle Enterprise Pack for Eclipse
*  AMX - ADF Mobile XML