3 Administering SAP BusinessObjects Mobile for Android
3.10 Understanding the Security Implementation in the Application
3.10.1 Features of the Application Password
The application password acts as a source of input for encryption of user data, where other users cannot decrypt the data without this input.
Here are some features of the Mobile for Android application password:
● The application password is not enabled in the application, until users add a connection to the BI platform server that is application password enabled by the administrator. When users attempt to log on to this connection, the application forces them to enter an application password (as user specific or personal information is not displayed on the device until a connection has been created).
If users have not created a single connection, but want to enable the application password, they can do this by using the application's Settings screen.
Note
The behavior described above applies if the user has performed a fresh installation of the application. If a user has upgraded the existing installation with a newer version of the application from the Play store, server connections will already exist in the application, and so the application password will remain enabled.
● The following lines of code in the clientsettings.properties file on the Mobile server help you to customize the password settings in the application:
savePassword=true
offlineStorage=true
offlineStorage.ttl=365
offlineStorage.appPwd=true
If you set savePassword=true, the Save Password option appears in the application's Connection settings screen. Otherwise, it does not appear for the user.
offlineStorage.appPwd=true indicates that the application password is stored in the local memory of the device (in the same way as BI documents) once it has been set, and is removed only when the user chooses to reset the application data or has permission to disable the Use Application password option from the client application.
3.10.2 Support for 2 Factor Authentication
Ensure that you have implemented one of the following scenarios on your Web application server (where you have installed the SAP BusinessObjects Mobile server):
When users add connections to the SAP Mobile server (with one of the above mentioned security deployments) using the SAP BusinessObjects Mobile (for Android) application on their devices, they see a security interface requiring authentication. The following sections explain the three scenarios listed above.
a. Basic Authentication
1. On the application's "Settings" screen, users add a connection to the CMS with basic authentication deployed on it. (As an administrator, you provide the application users with specific server details.)
2. When the new connection in the "Connections" screen is chosen, the application displays the "Authentication" dialog box, prompting the user to enter his/her credentials.
3. The user is logged on to the connection and can browse the BI documents available on the server.
b. Form-Based Authentication
1. On the application's "Settings" screen, users add a connection to the CMS with form-based authentication deployed on it. (As an administrator, you provide the application users with the specific server details.)
2. When the new connection is chosen in the "Connections" screen, the application displays a form, prompting the user to provide additional information.
Note
The form fields can be customized on the Web application server and UI features such as company logo can be included in the form. The form configured on the Web application server is displayed in the same way as in the application on the device.
3. The user is logged in to the connection, and can browse the BI documents available on the server.
c. Certificate-Based Authentication
Pre-requisite: Ensure that the *.p12 extension certificate is installed on the user's device.
1. On the application's "Settings" screen, users add a connection to the CMS having certificate-based authentication deployed on it. (As an administrator, you provide the application users with the specific server details.)
2. When you choose the new connection in the "Connections" screen, the application displays a dialog box stating that the connection requires a certificate.
○ If no certificates are installed: select Install and choose a certificate. The selected certificate is installed.
○ If you want to install a new certificate and use it for authentication: select Install and choose a certificate. The selected certificate is installed. The user selects this newly installed certificate from the list.
4. The user is logged on to the connection, and can browse the BI documents on the server.
Note
1. Installed certificates can be removed from the application by choosing Clear Data > Remove Certificates on the device's "Settings" screen.
2. The application also supports basic authentication and certificate-based authentication for hyperlink objects.
3.10.3 Understanding the User Data Protection and Privacy Parameters
User data is data or information that is specific to an individual user. This includes downloaded reports and the user's application logon credentials. To guarantee the security of user data, SAP BusinessObjects Mobile implements certain security measures.
These include the following:
● Users have the option of saving their password for a connection in the application. In the default configuration, this option is disabled (savePassword=false). However, if a user enables the Save Password option while configuring the connection on his or her device, the password is encrypted using the FIPS-compliant AES algorithm.
● If users do not choose to save their password, they are prompted for it whenever they access the application, regardless of whether they are in online or offline mode.
● In the default configuration for the application, the option to download and view documents locally on the device is disabled (offlineStorage=false). Users can only access the documents available on the server in online mode.
Depending on the prevailing requirements, the administrator can enable this option in the server configuration file.
● If offline storage of documents is enabled, there is a "Time to Live" parameter in the server configuration file, with a default value of 365 days (offlineStorage.ttl=365). This means that the downloaded documents expire after 365 days and are automatically removed from the device's local memory.
● For Web Intelligence documents containing private or confidential data, you can secure the documents by assigning them to a "Confidential" category in the document designing tool. A secure document can be accessed by users only while connected to the Mobile server. Once users log off from the server, the secure document is deleted from the device memory.
The parameters (savePassword, offlineStorage and offlineStorage.ttl) explained above can be found in the following file on the Mobile server:
[<Web_app_server> Home directory]\webapps\MobileBIService\WEB-INF\ClientSettings.properties
Depending on your specific security requirements, you can change the values of these parameters in the ClientSettings.properties file.
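One way to check a ClientSettings.properties file against the defaults described above, as an added example that is not part of the SAP guide or of SAP's tooling. The function names, the flagging policy (a TTL above the documented 365 days, offline storage without offlineStorage.appPwd=true) and the reading of absent keys as false are assumptions of this example.

```python
# Added example: audit ClientSettings.properties against the defaults this guide states.
KNOWN_KEYS = ("savePassword", "offlineStorage", "offlineStorage.ttl", "offlineStorage.appPwd")
DEFAULT_TTL_DAYS = 365  # documented default; flagging larger values is this example's policy

def parse_properties(text):
    """Parse key=value lines, skipping blanks and #/! comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return (key, message) findings for settings that widen on-device data exposure."""
    props = parse_properties(text)
    findings = []
    for key in props:  # catch misspelled keys such as 'offlinestorage.appPwd'
        for known in KNOWN_KEYS:
            if key != known and key.lower() == known.lower():
                findings.append((key, "differs only in case from " + known))
    def flag(name):  # absent keys are read as 'false' (an assumption for appPwd)
        return props.get(name, "false").lower() == "true"
    if flag("savePassword"):
        findings.append(("savePassword", "Save Password option is offered to users"))
    if flag("offlineStorage"):
        findings.append(("offlineStorage", "documents can be stored on the device"))
        if not flag("offlineStorage.appPwd"):
            findings.append(("offlineStorage.appPwd", "offline storage without application password"))
        ttl = props.get("offlineStorage.ttl", str(DEFAULT_TTL_DAYS))
        if not ttl.isdigit():
            findings.append(("offlineStorage.ttl", "not a whole number of days"))
        elif int(ttl) > DEFAULT_TTL_DAYS:
            findings.append(("offlineStorage.ttl", "documents kept longer than the default"))
    return findings

# GUIDE_SAMPLE mirrors the values shown in section 3.10.1; RISKY_SAMPLE is constructed.
GUIDE_SAMPLE = "savePassword=true\nofflineStorage=true\nofflineStorage.ttl=365\nofflineStorage.appPwd=true\n"
RISKY_SAMPLE = "# constructed\nsavePassword=false\nofflineStorage=true\nofflineStorage.ttl=730\nofflinestorage.appPwd=true\n"

if __name__ == "__main__":
    for name, sample in (("guide", GUIDE_SAMPLE), ("risky", RISKY_SAMPLE)):
        for key, message in audit(sample):
            print(f"{name}: {key}: {message}")
```
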
Note
For more information about the security measures implemented in the application and in the mobile system landscape, see the SAP BusinessObjects Mobile System Security Guide available at the SAP Help portal: