****************************************
AuthControl Mobile Authenticator Android
****************************************

""""""""
Overview
""""""""

This article describes functionalities and behaviour of the AuthControl Mobile Authenticator (AMA) application for AndroidOS platform. AMA is an application that works with OATH offline policy and can be provisioned on many devices with the same provisioning code. AuthControl Mobile Authenticator (AMA) application is to constraint functionalities for OATH offline local policy only. Expected behaviors are detailed on the functional procedures section in this article.

""""""""
Features
""""""""

**Request help**
After provisioning the application, users can navigate to the Others info and request administrator help via email or via call.

**Logging**
Swivel Secure applications have now been implemented with logging which helps both users and administrators to tackle any possible issues with local and/or external integrations.

**View settings**
After provisioning the application, users can navigate to the Others info and check Show settings for configuration details.

**Multiple provisioned devices**
AMA can be provisioned with the same provision code in many different devices.


"""""""""""""""""
Security Features
"""""""""""""""""

Swivel Secure AndroidOS applications are developed with protection against rooted devices. For Android apps, rooted devices are a particularly important security concern. Such devices have been modified to allow apps to break out of the normal security sandbox that the OS imposes. This can expose the device to many dangers, such as malware and password-stealing keyloggers. Often, users root their devices to solve some problem—like wanting a version of an app that’s not normally available for their device—without realizing the severity of these threats. In other cases, a user may not even be aware that the device is rooted and thus vulnerable. 

In addition to risks associated with a legitimate user operating the app in a rooted environment, such an environment can also indicate a malicious user attempting to reverse engineer the app. Attackers frequently use rooted devices to study and create tampered versions of apps, which they then fill with malware. The Open Web Application Security Project (OWASP) lists code tampering as one of the `Top 10 Mobile Risks <https://owasp.org/www-project-mobile-top-10/>`_ and specifically calls out root detection and response as a way to combat this risk. Not doing so, according to OWASP, can lead to reputational damage and lost profits.

The above also applies to mobile devices that are on Developer Mode.

""""""""""""
Requirements
""""""""""""

* AuthControl Sentry 4.1.2 or higher
* The Swivel virtual or hardware appliance must be reachable from the mobile phone to receive security codes
* Valid certificate on the Swivel server or non SSL, but not a self signed certificate

""""""""""""""""""""""""""""""""""
App Installation and Configuration
""""""""""""""""""""""""""""""""""

The AMA application is available from the Google Play Store. You can click on the link below to open the App within the Google Play Store.

`AuthControl Mobile Authenticator <https://play.google.com/store/apps/details?id=com.ss.sama>`_.

.. image:: images/MobileAPP/AMA/Android/qr_ama_android.png
    :width: 104px
    :align: center
    :height: 104px
    :alt: alternate text

**Downloading the App via the Provision Email**

* When you open the App Provision email a link to the App Store will be presented.
* Alternatively if you open the App Provision on the device and press Activate, you will see a button ‘Get The App’, which will also take you to the App Store.

"""""""""""""
Initial Steps
"""""""""""""

When first downloading and setting up AMA mobile application, you will be asked to grant the AMA app certain permissions. Below you find explanations for why each of these permissions is required by the app.

**Camera Permission**

.. image:: images/MobileAPP/AMA/Android/camera_permission.png
    :width: 200px
    :align: center
    :height: 400px
    :alt: alternate text

AMA requires camera access to a user's mobile for when the provision QR code is sent to the user. The QR code makes the provisioning quicker and smoother.

**Biometrics Permission**

.. image:: images/MobileAPP/AMA/Android/biometric_permission.png
    :width: 200px
    :align: center
    :height: 400px
    :alt: alternate text

AMA requires biometrics and/or PIN permissions to secure information. The mobile is either corporate or carries corporate information, the phone must have the least security set up.

In order to have a fast operative and smooth experience with the application, please provide it all requested permissions.

.. image:: images/MobileAPP/AMA/Android/androidinitial.gif
    :width: 200px
    :align: center
    :height: 356px
    :alt: alternate text

"""""""""""""""""
AMA Configuration
"""""""""""""""""

**SSD Server Configuration**

This configuration is performed by Swivel Secure team on deployment. Policy for AMA is to be set as **Local** + **OATH** in the server.

**Sentry Policy Configuration**

Sentry Policy > Mobile App. Then set tag *Mobile App Local Mode* to **NO** and *Mobile App OATH Mode* to **YES**.

.. image:: images/MobileAPP/AMA/policyAMA.gif
    :align: center

Provision code with this policy setup will work **only** on AMA application. Any other policy setup will not work with AMA application.


""""""""""""""""
AMA Provisioning
""""""""""""""""

Before provisioning it's assumed that Sentry has the users, repositories, groups, transport and rights properly setup.

The provision process is not different from our previous mobile application versions. When you first open the application you will be taken to a "Let's add your first provision" screen with the button to scan QR code in the bottom.

After configuration is properly setup go to User Administration, select the desired user to be provisioned and press button *App Provision*.

.. image:: images/MobileAPP/appprovision.gif
    :align: center

An email with the provision code will arrive to the user's e-mail. **Keep or save this e-mail**. AMA application will provision as many devices as many times as needed by the user with the same provision code. If a new provision code is requested, previous provision code will be erased and all devices with the old provision should be deprovisioned by the user. Requesting new provisioning while the old provision is in place, will affect current provisioned devices and it won’t work anymore.

**Steps:**

* QR Code will launch a camera and your Apple device will ask you to grant permissions for the Swivel application to use the Camera.

.. image:: images/MobileAPP/AMA/Android/provisionandroid.gif
    :width: 200px
    :align: center
    :height: 400px
    :alt: alternate text
  
* If the user clicks on the Manual Configuration they are taken to the Manual Configuration Screen.

.. image:: images/MobileAPP/manualprovisionmail.gif
    :align: center

Your AMA is now provisioned and ready for usage.