
Limiting Application Access

Application access to Unwired Platform runtime is tightly controlled: before a user can access a mobile application, he or she must provide a passcode; before the application can access the runtime, the application must be registered and provisioned with required connections and security configurations.

Applications that do not require tight security can use anonymous access. Anonymous-access applications can run without a specific user name and authorization code, or user name and password.

1. Encrypting Device Data

Encrypting all data on the device client requires multiple techniques.

2. Registering Applications, Devices, and Users

Before any application can access the runtime, the user, device, and application must be identified by first registering with Unwired Server and pairing them with a device and user entry. Only when all three entities are known can subscriptions be made or data synchronized.

3. Locking and Unlocking a Subscription

(Not applicable to Online Data Proxy) Create a subscription template to lock or unlock a subscription. A subscription determines what data set the device user receives upon synchronization and how frequently the synchronization can occur. Lock the subscription to prevent modification to the template and control the synchronization frequency.

4. Locking and Unlocking Application Connections

Lock or unlock connections to control which users are allowed to synchronize data.

Locking an application connection is an effective way to disable a specific user without making changes to the security profile configuration to which he or she belongs. Locking an application connection blocks delivery of generated data notifications to the replication-based synchronization clients.

Encrypting Device Data

Encrypting all data on the device client requires multiple techniques.

Some Unwired Platform components do not support encryption. Review this table to see which components can enable this security feature.

Component: Device data
Implementation Notes: Sybase recommends full device encryption with Afaria. See the Afaria documentation for details.

Component: Device client database
Implementation Notes: (Not applicable to Online Data Proxy) A <package>DB.generateEncryptionKey() method in the Object API for MBO packages should always be used during application initialization. It computes a random AES-256 bit encryption key used to encrypt the client database. The encryption key is stored in the data vault.

Component: Data vault
Implementation Notes: The DataVault APIs provide a secure way to persist and encrypt data on the device. The data vault uses AES-256 symmetric encryption of all its contents. The AES key is computed as a hash of the passcode provided and a "salt" value that can be supplied by the device application developer, or automatically generated through the API.

Registering Applications, Devices, and Users

Before any application can access the runtime, the user, device, and application must be identified by first registering with Unwired Server and pairing them with a device and user entry. Only when all three entities are known can subscriptions be made or data synchronized.

In Sybase Control Center, Platform administrators set up an application connection template for applications. Part of this template includes a property that enables automatic registration.

• When automatic registration is enabled, a device user need only provide valid Sybase Unwired Platform credentials that are defined as part of the security configuration. If the application connection template specifies a logical role, the user must have a physical role that maps to the logical role in order to access the application.

• When automatic registration is disabled, the platform administrator must provide the user a user name and passcode out-of-band. This is the passcode initially required by login screens to access the application for the first time, and expires within a predetermined time period (72 hours, by default).

Note: Choose to use automatic registrations carefully, especially if there are multiple application connection templates for the same application. The combined criteria of the application ID and security configuration used by the device application trigger a search for a matching template that is used to complete the automatic registration. However, if the security configuration is not sent by the device application, and the server finds multiple templates, registration fails.

See also

• Locking and Unlocking a Subscription on page 127

Registering Application Connections

Devices can be registered either with an activation code supplied during registration of the device or application, or automatically, when automatic registration is enabled.

When a package is deployed, an application connection template is automatically created. As long as the user is able to authenticate to the security configuration associated with the application, they are registered. If the application connection template specifies a logical role, the user must have a physical role that maps to the logical role to access the application. If automatic registration is disabled, the administrator must generate an activation code. For details, see Mobile Application Life Cycle and search for Manual Connection Registration with Activation Codes.

1. Select the application connection template, and click Properties.

2. Navigate to the Application Settings tab and set the Automatic Registration Enabled property to True or False. If True, no activation code is required.
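As an added illustration of the registration rules given in the note above and in the steps here (constructed model, not Unwired Platform code): template lookup by application ID and security configuration, the logical-to-physical role check, and the activation-code path when automatic registration is disabled. The template fields, the role mapping and the activation-code record format are assumptions made for the example.

```python
"""Decision model for the registration flow described above.
Constructed illustration, not Unwired Server code; the template fields,
ROLE_MAP and the activation-code record are assumptions."""
import time
from dataclasses import dataclass, field
from typing import Optional

ACTIVATION_CODE_TTL_S = 72 * 3600   # default expiry stated in the guide

@dataclass
class ConnectionTemplate:
    application_id: str
    security_configuration: str
    automatic_registration: bool
    logical_role: Optional[str] = None

@dataclass
class DeviceUser:
    name: str
    authenticated: bool              # outcome of the security-configuration login
    physical_roles: set = field(default_factory=set)

# Assumed logical-to-physical role mapping (an administrator configures this in practice).
ROLE_MAP = {"FieldRep": {"SalesGroup", "ServiceGroup"}}

def find_template(templates, app_id, sec_config=None):
    """An omitted security configuration is acceptable only when exactly one
    template exists for the application ID; otherwise the lookup fails."""
    matches = [t for t in templates if t.application_id == app_id
               and (sec_config is None or t.security_configuration == sec_config)]
    return matches[0] if len(matches) == 1 else None

def register(templates, user, app_id, sec_config=None, code=None, now=None):
    """Return 'registered' or the reason the registration was refused.
    `code` is the out-of-band activation record {"user": ..., "issued_at": seconds}."""
    template = find_template(templates, app_id, sec_config)
    if template is None:
        return "no unique template for application"
    if not user.authenticated:
        return "authentication failed"
    if template.logical_role and not (ROLE_MAP.get(template.logical_role, set()) & user.physical_roles):
        return "no physical role maps to logical role"
    if not template.automatic_registration:
        now = time.time() if now is None else now
        if code is None:
            return "activation code required"
        if code["user"] != user.name or now - code["issued_at"] > ACTIVATION_CODE_TTL_S:
            return "activation code invalid or expired"
    return "registered"
```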

Defining Applications

Applications are recognized by Unwired Server by the properties that define them.

Administrators define applications with a unique application ID and other key application properties, such as domain, packages, security configuration, and connection templates.

An application cannot register a connection unless a definition has been created for it. If your development team has not yet set these application properties, administrators must do so before the application connection can be registered.

Locking and Unlocking a Subscription

(Not applicable to Online Data Proxy) Create a subscription template to lock or unlock a subscription. A subscription determines what data set the device user receives upon synchronization and how frequently the synchronization can occur. Lock the subscription to prevent modification to the template and control the synchronization frequency.

1. In the left navigation pane, expand the Packages folder and select the replication-based package to configure.

2. In the right administration pane, click the Subscriptions tab.

3. From the menu bar, select Templates, then click New.

4. Select Admin Lock to prevent device users from modifying the push synchronization state or sync interval value configured in the subscription. If the admin lock is disabled, the device client user can change these properties, and these changes take effect the next time the client user synchronizes the package to which the subscription applies.

See also

• Registering Applications, Devices, and Users on page 126