********************************* AuthControl Mobile Sentry Android ********************************* """""""" Overview """""""" This article describes functionalities, configuration and behaviour of the AuthControl Mobile Sentry (AMS) application for AndroidOS platform. AMS is an application that works with PIN Online, PIN Offline, OATH online and PUSH policies and can be provisioned in one single device. Expected behaviors are detailed on the functional procedures section in this article. """""""" Features """""""" **Request help** After provisioning the application, users can navigate to the Others info and request administrator help via email or via call. **Logging** Swivel Secure applications have now been implemented with logging which helps both users and administrators to tackle any possible issues with local and/or external integrations. **View settings** After provisioning the application, users can navigate to the Others info and check Show settings for configuration details. **PIN Online feature** PIN Online policy provisions AMS so that the OTC will always be requested by the application and Sentry Core will provide it in real time. User can request Update Codes as many times as desired. **PIN Offline feature** PIN Offline policy provisions AMS so that the 99 OTCs will be stored locally in the application and Sentry Core also has this already calculated and stored. User can navigate the OTCs and if so, the OTC index should also be part of the input for login. User can request Update Codes as many times as desired. **PUSH notification feature** PUSH policy provisions AMS so that users will receive a YES or NO notification in the application to allow (or not) login. **PIN Online + PUSH and PIN Offline + PUSH** AMS accepts a combination of PUSH and PIN policies which will be explained in more details in this document. **OATH online feature** OATH online policy for authentication. (NEW!) """"""""""""""""" Security Features """"""""""""""""" Swivel Secure AndroidOS applications are developed with protection against rooted devices. For Android apps, rooted devices are a particularly important security concern. Such devices have been modified to allow apps to break out of the normal security sandbox that the OS imposes. This can expose the device to many dangers, such as malware and password-stealing keyloggers. Often, users root their devices to solve some problem—like wanting a version of an app that’s not normally available for their device—without realizing the severity of these threats. In other cases, a user may not even be aware that the device is rooted and thus vulnerable. In addition to risks associated with a legitimate user operating the app in a rooted environment, such an environment can also indicate a malicious user attempting to reverse engineer the app. Attackers frequently use rooted devices to study and create tampered versions of apps, which they then fill with malware. The Open Web Application Security Project (OWASP) lists code tampering as one of the `Top 10 Mobile Risks `_ and specifically calls out root detection and response as a way to combat this risk. Not doing so, according to OWASP, can lead to reputational damage and lost profits. The above also applies to mobile devices that are on Developer Mode. """""""""""" Requirements """""""""""" * AuthControl Sentry 4.1.2 or higher * The Swivel virtual or hardware appliance must be reachable from the mobile phone to receive security codes * Valid certificate on the Swivel server or non SSL, but not a self signed certificate """"""""""""""""""""""""""""""""""" App Installation and Configuration """"""""""""""""""""""""""""""""""" The AMS application is available from the Apple App Store. You can click on the link below to open the App within the Apple App Store. `AuthControl Mobile Sentry `_ .. image:: images/MobileAPP/AMS/Android/qr_ams_android.png :width: 104px :align: center :height: 104px :alt: alternate text **Downloading the App via the Provision Email** * When you open the App Provision email a link to the App Store will be presented. * Alternatively if you open the App Provision on the device and press Activate, you will see a button ‘Get The App’, which will also take you to the App Store. """""""""""""" Initial Steps """""""""""""" When first downloading and setting up AMS mobile application, you will be asked to grant the AMS app certain permissions. Below you find explanations for why each of these permissions is required by the app. **Camera Permission** .. image:: images/MobileAPP/AMS/Android/android_AMS1.png :width: 200px :align: center :height: 356px :alt: alternate text AMS requires camera access to a user's mobile for when the provision QR code is sent to the user. The QR code makes the provisioning quicker and smoother. **Biometrics Permission** .. image:: images/MobileAPP/AMS/Android/androidOS_AMS2.png :width: 200px :align: center :height: 356px :alt: alternate text AMS requires biometrics and/or PIN permissions to secure information. The mobile is either corporate or carries corporate information, the phone must have the least security set up. **Notification Permission** .. image:: images/MobileAPP/AMS/Android/androidOS_AMS3.png :width: 200px :align: center :height: 356px :alt: alternate text AMS requires notification permission to work with PUSH notifications and alert users that use this functionality as part of their MFA configuration. .. image:: images/MobileAPP/AMS/Android/androidOS_AMS4.png :width: 200px :align: center :height: 356px :alt: alternate text In order to have a fast operative and smooth experience with the application, please provide it all requested permissions. """""""""""""""""" AMS Configuration """""""""""""""""" **SSD Server Configuration** This configuration is performed by Swivel Secure team on deployment. Policy for AMS is to be set as **PIN** + **PUSH** (if PUSH is required) or **OATH online** in the server. **Sentry Policy Configuration for PIN** Sentry Policy > Mobile App. Then set tag *Mobile App Local Mode* to **YES** and *Mobile App OATH Mode* to **NO**. .. image:: images/MobileAPP/AMS/policyAMS.gif :align: center **Sentry Policy Configuration for OATH online** Sentry Policy > Mobile App. Then set tag *Mobile App Local Mode* to **NO** and *Mobile App OATH Mode* to **YES**. .. image:: images/MobileAPP/AMS/policyOathOnline.gif :align: center **Group Creation and Messaging Configuration** This configuration is related to the PUSH notification. Please read and follow these instructions carefully in order to have PUSH working properly in your AMS application. Create a group in *Repository > Groups* for users that will provision AMS application: .. image:: images/MobileAPP/AMS/groupAMS.gif Create a messaging configuration to be used by the group created in the above step. The class name is *com.swiveltechnologies.pinsafe.server.transport.PNATransport*. Set *Destination Attribute* to *platformandpushid*. After finishing with the queue configuration, open the **PNA_AMS** that is now displayed under the *Messaging* menu and select *AndroidOS App Version* and *Android key* to Version 6 AMS: .. image:: images/MobileAPP/AMS/queueAMS.gif Before provisioning ensure all users that will be provisioned with AMS are included in the group created for AMS PUSH notification: .. image:: images/MobileAPP/AMS/usersAMS.gif """"""""""""""""" AMS Provisioning """"""""""""""""" Before provisioning it's assumed that Sentry has the users, repositories, groups, transport and rights properly setup. The provision process is not different from our previous mobile application versions. When you first open the application you will be taken to a "Let's add your first provision" screen with the button to scan QR code in the bottom. After configuration is properly setup go to User Administration, select the desired user to be provisioned and press button *App Provision*. .. image:: images/MobileAPP/appprovision.gif :align: center An email with the provision code will arrive to the user's e-mail. AMS application will provision only one device with the provision code. If a new provision code is requested, previous provision code will be erased and the device with the old provision should be deprovisioned by the user. Requesting new provisioning while the old provision is in place, will affect current provisioned devices and it won’t work anymore. Proceed with a new provisioning process if applicable. **Steps:** * QR Code will launch a camera and your Apple device will ask you to grant permissions for the Swivel application to use the Camera. .. image:: images/MobileAPP/AMS/Android/provisioningAndroidOS_ams.gif :width: 200px :align: center :height: 433px :alt: alternate text * If the user clicks on the Manual Configuration they are taken to the Manual Configuration Screen. .. image:: images/MobileAPP/manualprovisionmail.gif :align: center Your AMS is now provisioned and ready for usage.