********************************* AuthControl Mobile MSP Android ********************************* """""""""" Overview """""""""" This article describes functionalities, configuration and behaviour of the AuthControl Mobile MSP (AMM) application for AndroidOS platform. AMM is an application that works with PIN Online, PIN Offline and PUSH policies and can be provisioned in one single device. Expected behaviors are detailed on the functional procedures section in this article. """""""""" Features """""""""" **Request help** After provisioning the application, users can navigate to the Others info and request administrator help via email or via call. **Logging** Swivel Secure applications have now been implemented with logging which helps both users and administrators to tackle any possible issues with local and/or external integrations. **View settings** After provisioning the application, users can navigate to the Others info and check Show settings for configuration details. **PIN Online feature** PIN Online policy provisions AMM so that the OTC will always be requested by the application and Sentry Core will provide it in real time. User can request Update Codes as many times as desired. **PIN Offline feature** PIN Offline policy provisions AMM so that the 99 OTCs will be stored locally in the application and Sentry Core also has this already calculated and stored. User can navigate the OTCs and if so, the OTC index should also be part of the input for login. User can request Update Codes as many times as desired. **PUSH notification feature** PUSH policy provisions AMM so that users will receive a YES or NO notification in the application to allow (or not) login. **PIN Online + PUSH and PIN Offline + PUSH** AMM accepts a combination of PUSH and PIN policies which will be explained in more details in this document. **OATH + PUSH** AMM accepts a combination of OATH and PUSH policies which will be explained in more details in this document. Taking in consideration that this policy is not the same as OATH policy, users will not be able to provision the same provision code in different devices. This policy is restricted to one device. **Multiple Appliances and/or Users Provisioning** AMM accepts more than 1 appliance provision and different users from the same appliance. This feature allows different users with different roles to be provisioned in the same application. **External Entities** AMM accepts provision for external entities such as Google, Facebook, LinkedIn, etc. """"""""""""""""" Security Features """"""""""""""""" Swivel Secure AndroidOS applications are developed with protection against rooted devices. For Android apps, rooted devices are a particularly important security concern. Such devices have been modified to allow apps to break out of the normal security sandbox that the OS imposes. This can expose the device to many dangers, such as malware and password-stealing keyloggers. Often, users root their devices to solve some problem—like wanting a version of an app that’s not normally available for their device—without realizing the severity of these threats. In other cases, a user may not even be aware that the device is rooted and thus vulnerable. In addition to risks associated with a legitimate user operating the app in a rooted environment, such an environment can also indicate a malicious user attempting to reverse engineer the app. Attackers frequently use rooted devices to study and create tampered versions of apps, which they then fill with malware. The Open Web Application Security Project (OWASP) lists code tampering as one of the `Top 10 Mobile Risks `_ and specifically calls out root detection and response as a way to combat this risk. Not doing so, according to OWASP, can lead to reputational damage and lost profits. The above also applies to mobile devices that are on Developer Mode. """""""""""""" Requirements """""""""""""" * AuthControl Sentry 4.1.2 or higher * The Swivel virtual or hardware appliance must be reachable from the mobile phone to receive security codes * Valid certificate on the Swivel server or non SSL, but not a self signed certificate """"""""""""""""""""""""""""""""""" App Installation and Configuration """"""""""""""""""""""""""""""""""" The AMM application is available from the Apple App Store. You can click on the link below to open the App within the Apple App Store. `AuthControl Mobile MSP `_ .. image:: images/MobileAPP/AMM/Android/qr_amm_android.png :width: 104px :align: center :height: 104px :alt: alternate text **Downloading the App via the Provision Email** * When you open the App Provision email a link to the App Store will be presented. * Alternatively if you open the App Provision on the device and press Activate, you will see a button ‘Get The App’, which will also take you to the App Store. """""""""""""" Initial Steps """""""""""""" When first downloading and setting up AMM mobile application, you will be asked to grant the AMM app certain permissions. Below you find explanations for why each of these permissions is required by the app. **Camera Permission** .. image:: images/MobileAPP/AMM/Android/android_AMM1.png :width: 200px :align: center :height: 356px :alt: alternate text AMM requires camera access to a user's mobile for when the provision QR code is sent to the user. The QR code makes the provisioning quicker and smoother. **Biometrics Permission** .. image:: images/MobileAPP/AMM/Android/android_AMM2.png :width: 200px :align: center :height: 356px :alt: alternate text AMM requires biometrics and/or PIN permissions to secure information. The mobile is either corporate or carries corporate information, the phone must have the least security set up. **Notification Permission** .. image:: images/MobileAPP/AMM/Android/android_AMM3.png :width: 200px :align: center :height: 356px :alt: alternate text AMM requires notification permission to work with PUSH notifications and alert users that use this functionality as part of their MFA configuration. .. image:: images/MobileAPP/AMM/Android/android_AMM4.png :width: 200px :align: center :height: 356px :alt: alternate text In order to have a fast operative and smooth experience with the application, please provide it all requested permissions. """""""""""""""""""""""""""""" AMM Configuration PIN + PUSH """""""""""""""""""""""""""""" **SSD Server Configuration for PIN + PUSH** This configuration is performed by Swivel Secure team on deployment. Policy for AMM is to be set as **PIN** + **PUSH** (if PUSH is required) in the server. **Sentry Policy Configuration** Sentry Policy > Mobile App. Then set tag *Mobile App Local Mode* to **YES** and *Mobile App OATH Mode* to **NO**. .. image:: images/MobileAPP/AMM/policyAMM.gif :align: center **Group Creation and Messaging Configuration** This configuration is related to the PUSH notification. Please read and follow these instructions carefully in order to have PUSH working properly in your AMM application. Create a group in *Repository > Groups* for users that will provision AMM application: .. image:: images/MobileAPP/AMM/groupAMM.gif Create a messaging configuration to be used by the group created in the above step. The class name is *com.swiveltechnologies.pinsafe.server.transport.PNATransport*. Set *Destination Attribute* to *platformandpushid*. After finishing with the queue configuration, open the **PNA_AMM** that is now displayed under the *Messaging* menu and select *AndroidOS App Version* and *Android key* to Version 6 AMM: .. image:: images/MobileAPP/AMM/queueAMM.gif Before provisioning ensure all users that will be provisioned with AMM are included in the group created for AMM PUSH notification: .. image:: images/MobileAPP/AMM/usersAMM.gif """""""""""""""""""""""""""""" AMM Configuration OATH + PUSH """""""""""""""""""""""""""""" **SSD Server Configuration for OATH + PUSH** This configuration is performed by Swivel Secure team on deployment. Policy for AMM is to be set as **OATH** + **PUSH** (if PUSH is required) in the server. **Sentry Policy Configuration** Sentry Policy > Mobile App. Then set tag *Mobile App Local Mode* to **NO** and *Mobile App OATH Mode* to **YES**. .. image:: images/MobileAPP/AMM/policyAMMoath.gif :align: center **Group Creation and Messaging Configuration** This configuration is related to the PUSH notification. Please read and follow these instructions carefully in order to have PUSH working properly in your AMM application. Create a group in *Repository > Groups* for users that will provision AMM application: .. image:: images/MobileAPP/AMM/groupAMM.gif Create a messaging configuration to be used by the group created in the above step. The class name is *com.swiveltechnologies.pinsafe.server.transport.PNATransport*. Set *Destination Attribute* to *platformandpushid*. After finishing with the queue configuration, open the **PNA_AMM** that is now displayed under the *Messaging* menu and select *AndroidOS App Version* and *Android key* to Version 6 AMM: .. image:: images/MobileAPP/AMM/queueAMM.gif Before provisioning ensure all users that will be provisioned with AMM are included in the group created for AMM PUSH notification: .. image:: images/MobileAPP/AMM/usersAMM.gif """"""""""""""""" AMM Provisioning """"""""""""""""" Before provisioning it's assumed that Sentry has the users, repositories, groups, transport and rights properly setup. The provision process is not different from our previous mobile application versions. When you first open the application you will be taken to a "Let's add your first provision" screen with the button to scan QR code in the bottom. After configuration is properly setup go to User Administration, select the desired user to be provisioned and press button *App Provision*. .. image:: images/MobileAPP/AMM/Android/appprovisionamm.gif :align: center An email with the provision code will arrive to the user's e-mail. AMM application will provision only one device with the provision code. If a new provision code is requested, previous provision code will be erased and the device with the old provision should be deprovisioned by the user. Requesting new provisioning while the old provision is in place, will affect current provisioned devices and it won’t work anymore. Proceed with a new provisioning process if applicable. **Steps:** * QR Code will launch a camera and your Apple device will ask you to grant permissions for the Swivel application to use the Camera. .. image:: images/MobileAPP/AMM/Android/provisioningAndroidOS_AMM.gif :width: 200px :align: center :height: 433px :alt: alternate text * If the user clicks on the Manual Configuration they are taken to the Manual Configuration Screen. .. image:: images/MobileAPP/manualprovisionmail.gif :align: center Your AMM is now provisioned and ready for usage. """""""""""""""""""""" Additional Information """""""""""""""""""""" In addition, users can edit and customise the name of the different appliances provisioned on AMM. This feature allows users to find the needed OTC faster. Below a video with an example changing the appliance name tag. .. image:: images/MobileAPP/AMM/tagediting.gif :width: 200px :align: center :height: 433px :alt: alternate text