Implement Mobile Data Encryption to Android & iOS Apps
Mobile TOTALData™ Encryption is used to protect data stored within a mobile app.
This Knowledge Base article describes Appdome’s mobile TOTALData™ Encryption feature and explains how to add it to any mobile app as part of a comprehensive mobile Data Loss Prevention (DLP) solution. With TOTALData™ Encryption, Appdome protects all three states of mobile app data: data at rest, data in transit and data in use.
We hope you find this knowledge base useful and enjoy using Appdome!
The Three States of Mobile App Data
Data at rest is mobile app data that is persistent and stored in the application sandbox. Data in transit is mobile app data sent from the app to outside servers or to other app users. Data in use is any app data the mobile app temporarily holds in application memory, including data at rest and data in transit before it is saved or sent. Data at rest and data in use encryption are enabled as part of TOTALData Encryption; Appdome’s Trusted Session enforces that data in transit is encrypted.
About Mobile TOTALData Encryption on Appdome
Appdome is a mobile integration platform as a service (iPaaS) that allows users to add a wide variety of features, SDKs, and APIs to Android and iOS apps. Using a simple ‘click to add’ user interface, Appdome allows anyone to easily implement a Secure TOTALData™ Encryption Container in any mobile app – instantly, with no code or coding required. There are no development or coding prerequisites: there is no Appdome SDK, and no libraries or plug-ins to implement. Likewise, there is no need to integrate encryption libraries or to intercept every file write to the sandbox in order to give Android or iOS apps Secure TOTALData™ Encryption Container capabilities. Apps built on Appdome have Secure TOTALData™ Encryption Container capabilities as if they were natively coded into the app – all without writing or changing a single line of code.
Overview of Appdome’s Mobile TOTALData Encryption
Appdome offers TOTALDataTM Encryption as part of the Appdome Mobile Security Suite. Data at rest (DAR) and Data in use (in-memory) encryption can be enabled in TOTALData Encryption. Data in transit encryption can be enforced as part of the Trusted Session.
With mobile data at rest enabled, all stored data generated by the app is encrypted at runtime using industry-standard AES-256 encryption. With mobile data in use enabled, any app data the mobile app temporarily holds in application memory, including data at rest and data in transit, is encrypted before it is sent or saved. With Appdome, encryption is accomplished dynamically, without any dependencies on the data structure, databases or file structures.
Appdome uses AES-CTR with 256-bit keys, which is faster when accessing partial files (for example, reading a buffer from a file or mapping part of a file into memory) than the standard AES-CBC mode that most third-party SDKs and encryption libraries use, which forces decryption of the whole file even when only a small block within it is read.
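As an added illustration, not Appdome’s own code, the Go program below shows the random-access property the paragraph describes: with AES-256-CTR a reader can position the counter at any 16-byte block, derive the keystream for just the bytes it needs, and decrypt only that range. The key, IV and file contents are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// streamAt returns an AES-256-CTR keystream starting at 16-byte block index n (big-endian 128-bit counter).
func streamAt(key, iv []byte, n uint64) (cipher.Stream, error) {
	if len(key) != 32 || len(iv) != aes.BlockSize {
		return nil, fmt.Errorf("need a 32-byte key (AES-256) and a 16-byte IV")
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	hi, lo := binary.BigEndian.Uint64(iv[:8]), binary.BigEndian.Uint64(iv[8:])
	if lo+n < lo { // carry into the high half of the counter
		hi++
	}
	ctr := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(ctr[:8], hi)
	binary.BigEndian.PutUint64(ctr[8:], lo+n)
	return cipher.NewCTR(block, ctr), nil
}

// ctrRange XORs data[off:off+n] with the keystream for exactly that byte range. Encrypting and
// decrypting are the same XOR, so a call over [0, len) writes the file and a call over [off, off+n)
// is a partial read that never touches the rest of the file (the property cited over whole-file CBC).
func ctrRange(key, iv, data []byte, off, n int) ([]byte, error) {
	if off < 0 || n < 0 || off+n > len(data) {
		return nil, fmt.Errorf("range [%d,%d) outside %d-byte file", off, off+n, len(data))
	}
	stream, err := streamAt(key, iv, uint64(off/aes.BlockSize))
	if err != nil {
		return nil, err
	}
	skip := off % aes.BlockSize // keystream bytes inside the first block that precede off
	stream.XORKeyStream(make([]byte, skip), make([]byte, skip))
	out := make([]byte, n)
	stream.XORKeyStream(out, data[off:off+n])
	return out, nil
}

func main() {
	key, iv := bytes.Repeat([]byte{0x42}, 32), []byte("0123456789abcdef") // constructed values
	plain := bytes.Repeat([]byte("0123456789abcdef"), 64)                 // constructed 1 KiB "file"
	ct, _ := ctrRange(key, iv, plain, 0, len(plain))
	got, _ := ctrRange(key, iv, ct, 500, 40) // starts 4 bytes into block 31
	fmt.Println("partial read matches plaintext:", bytes.Equal(got, plain[500:540]))
}
```

CTR mode gives confidentiality only; a file stored this way also needs an integrity check (for example an HMAC over the ciphertext) before its contents are trusted.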
Appdome’s mobile TOTALData™ Encryption implementation does not impact app behavior. This results in a consistent and easy-to-implement experience, as opposed to a DIY approach that would require the mobile developer to choose encryption components from a wide variety of libraries, cipher strengths, and key stores (and then integrate them together).
Like all integrations on Appdome, customers can integrate just data at rest or data in use encryption, or they can combine this feature with any or all other features from Appdome’s Mobile Security Suite. They can even combine Appdome Mobile Security with multiple 3rd party SDKs and APIs, forming countless service combinations and integrations in any mobile app. On Appdome, there’s never any coding and all integrations are completed in under a minute.
Advanced Configuration Options for Mobile TOTALData™ Encryption
Appdome also provides options for customers to exclude certain files or folders from being encrypted: one option automatically excludes all media files from encryption, and another lets you name specific files that you wish to exclude. For more information about TOTALData™ Encryption, check out our blog and our troubleshooting article.
Appdome dynamically generates symmetric data encryption keys at runtime. Appdome generates keys using industry-standard AES mechanisms. Keys are never stored on the device; they are derived at run-time. In addition, Appdome can factor additional contextual information such as bundle ID, device ID, checksums, user input (passwords, tokens), and application state conditions (e.g. the presence of a debugger) into the key derivation mechanism. See the diagram below.
As part of Appdome’s IDEAL account class, Appdome provides an option for customers to control parts of the key management process via an external key management system (KMS). With this option, additional external factors may be introduced for key derivation.
Like all features in the Appdome Mobile Security Suite, users can integrate this feature standalone, or combined with other mobile security features or 3rd party SDK/APIs – all of which can be integrated into any mobile app in minutes with no coding.
Prerequisites for Using Appdome’s Mobile TOTALData™ Encryption
How to Add TOTALData™ Encryption to Any Mobile App on Appdome
Follow these step-by-step instructions to add TOTALData™ Encryption to any mobile app.
Upload a Mobile App to Your Account
From the Build tab, select Security
- Expand the TOTALData™ Encryption category
- Click on the toggle to enable Data at Rest Encryption
Appdome In-App Encryption Keys – Appdome will automatically generate AES-256 encryption keys and store them encrypted in app memory.
- Enable Smart Media Sharing (optional for Appdome-DEV)
- Add a list of files that will be excluded from encryption. (optional for Appdome-GO)
- Exclude Media files from encryption. (optional for Appdome-GO)
- Exclude HTML files from encryption. (optional for Appdome-GO)
- Enable the option to Encrypt In-App Preferences
- Enable the option to Encrypt Strings and Resources
- Enable the feature Enclaved Keys BETA
- Expand the Encryption Management sub-category:
- Enable Smart Offline Handoff (requires Appdome-DEV)
- Specify a Designated Folder (a directory in the app) where offline handoff data is accessible to the app user.
- Specify the Session Timeout, in days, after which access to the offline data expires.
- Enable Require Local Authentication to let app users unlock offline access through local authentication (face recognition, PIN code, or fingerprint).
- Enable Restore From Backup, which allows restoring from a backup using a device-independent encryption key so that data can be migrated. (requires Appdome-DEV)
- Use In-App generated seed for key generation (requires Appdome-DEV)
- Enable data in use encryption, aka Store in Protected Memory (requires Appdome-DEV)
- Enable Enclave Keys BETA
- Enable FIPS 140-2 Cryptographic Modules
- Click Build My App.
The technology behind Build My App has two major elements – (1) a microservice architecture filled with thousands of code sets needed for mobile integrations, and (2) an adaptive code generation engine that recognizes the development environment, frameworks and methods in each app and matches the app to the relevant code sets needed to add MicroVPN to the mobile app in seconds.
Congratulations! You now have a mobile app fully integrated with TOTALData™ Encryption.
After Adding TOTALData™ Encryption to a Mobile App on Appdome
After you have added TOTALData™ Encryption to any mobile app on Appdome, there are a few additional steps needed to complete your mobile integration project. Read this Knowledge Base article to learn what to do after you successfully build an app. It explains both optional steps and required steps.
That is it – enjoy Appdome with TOTALData™ Encryption in your app!
How Do I Learn More?
If you have any questions, please send them our way at email@example.com or via the chat window on the Appdome platform.