Mobile platform

1. IBM Software
WebSphere
Technical White Paper
An overview of
IBM MobileFirst Platform
Build, test, integrate, deploy and manage
mobile applications
Contents
1 The IBM MobileFirst Platform
2 More efficient development
9 Optimizing user engagement
13 Securing your mobile channel
at the user, application and
device levels
17 Managing your mobile
ecosystem
The IBM MobileFirst Platform
The IBM® MobileFirst Platform is a standards-based mobile-
middleware, categorized as a Mobile Enterprise Application Platform
(MEAP) and Mobile Application Development Platform (MADP).
IBM MobileFirst Platform Foundation core value-add is the connectivity
to and extension of existing back-end systems also known as Systems
of Records (SoR) with development, user engagement, security and
management capabilities.
Track problems
that affect UX
Manage and enforce
app versions
Security
User engagement Operations
Back-end
Front-end
30%
of the value and
effort is visible
(mobile UI)
70%
of the value and
effort lies under
the surface
Short time to market
Web? Hybrid? Native?
Teamwork
Industrialize app dev
Integrate with SDLC
Ensuring continued
support in a quick-
changing landscape
Data
protection
Push
upgrades
Malware
detection
integ
User
authentication
Connect to
back-end systems
Efficient and flexible
push notifications
Offline availability
Track and use
location
B2E app distribution
Mobile apps go much deeper than the front-end User Interface

2. 2
WebSphere
Technical White PaperIBM Software
With the MobileFirst Platform, organizations can more effec-
tively address the full lifecycle of mobile app development,
delivery and on-going management.
The IBM MobileFirst Platform consists of three distinct
offerings:
●●
IBM MobileFirst Foundation to build, test, integrate,
deploy, manage and better secure web, hybrid and native
applications for desktop and mobile from standards-based
technologies and tools
●●
IBM MobileFirst App Scanning to detect code vulnerabili-
ties earlier during development
●●
IBM MobileFirst Quality Assurance to capture feedback
from users and testers with sentiment analysis and frictionless
bug reporting
DevelopObtain insight
Manage
Deploy
Instrument
Integrate
Test
Scan and certify
Operationalize
Integrated DevOps
for Mobile
Des
ign
X
The mobile application lifecycle
Application Center
Quality AssuranceApplication
Scanning
Development Continuous Delivery
Studio Console
Server Run time
Application Scanning
Detect code vulnerabilities at the
time of development
Quality Assurance
Collect beta test feedback, crashes
and analyze user sentiment
Foundation
Development, Run time, Operations,
Console and Private Store
IBM MobileFirst Platform overview
More efficient development
With MobileFirst Foundation, you can support a wide range of
development approaches from native to hybrid as well as web
approaches. Therefore, you can evaluate the best approach for
each situation, according to skills, time and functionality, with-
out being limited by a specific approach to mobile application
development.
Developers can use tools of their choice—the provided com-
mand line interface (CLI) enables integration with tools such as
Xcode, Android Studio, Xamarin, or any other development
tool developers want to use.
The MobileFirst platform also includes the IBM MobileFirst
Studio, an Eclipse-based integrated development environment
(IDE) that helps developers to conduct virtually all the coding
and integration tasks required to develop rich and engaging
applications. MobileFirst Studio is designed to augment Eclipse
tools with a wide variety of enterprise-grade features delivered
as plug-ins to streamline application development, debugging
and testing as well as to facilitate enterprise connectivity.

3. 3
WebSphere
Technical White PaperIBM Software
Mobile
web site
(browser
access)
Native
shell
enclosing
external
m.site
Pre -
packaged
HTML5
resources
HTML5 +
native UI
Mostly
native,
some
HTML5
screens
Pure
native
HybridPure web Pure native
Web-native continuum
HTML5, JS, and
CSS3 (full site
or m.site)
Quicker and
cheaper way
to mobile
•
•
• Sub-optimal
experience
HTML5, JS,
and CSS
Usually
uses
Cordova
Downloadable,
app store
presence, push
capabilities
•
•
•
• Can use native
APIs
As previous•
• + more
responsive,
available offline
Web + native
code
•
• Optimized user
experience with
native screens,
controls, and
navigation
App fully
adjusted to OS
•
• Some screens
are multiplatform
when makes
sense
•
•
•
App fully
adjusted to OS
Best attainable
user experience
Unique
development
effort per OS,
costly to maintain
Approaches for the development of mobile apps
Regardless of how you choose to develop your apps, develop-
ment complexity rises when you need to develop multiple
apps in different versions, support multiple mobile operating
systems, or enable many developers to work together on a
rich app.
●●
With the MobileFirst Foundation, developers can reduce
the development cycle by automating app tests directly on
their PC. They can reuse code across or within apps by
using templates and components. Developers can integrate
with SOAP, REST and SAP services in seconds without
writing a line of code. In addition, they can efficiently tailor
ready-to-use mobile build and test scripts to their corporate
build framework and share the resulting applications with
developers and testers.
●●
All these capabilities are available for native, hybrid and
web developers in a complete IDE or as a flexible set of
command-line tools.
●●
Developers of hybrid applications can also benefit from
greater flexibility to build Cordova-based apps, where the
IBM platform helps enable them to have control of the
portions

4. 4
WebSphere
Technical White PaperIBM Software
Capability Objective-C for
iOS
Java for Android C# for Windows
Phone 8
C# for Windows
8
Integration with back-end systems through adapters √ √ √ √
MobileFirst Platform Authentication Framework √ √ √ √
Development Functional testing √ √ √ -
Application version enforcement √ √ √ √
Unified push and SMS notifications √ √ √ -
Location Services √ √ - -
On-Device Encrypted JSON Store √ √ - -
Log collection for analytics √ √ - -
Remote-controlled client-side log collection √ √ - -
Pure native development
With the pure native development approach, you can create
applications that fully use the device capabilities without
any compromise on performance and user experience. Such
applications are written for a specific platform environment as
Objective-C for iOS, Java for Android for Java ME or C# for
Microsoft Windows Phone 8 and Microsoft Windows 8 and
use MobileFirst Platform capabilities through its provided
native APIs.
Command Line Interface
To help developers get a better tools experience, the CLI tool
can be used to more easily create and manage both native and
hybrid apps. The CLI enables developers to use their preferred
text editors or alternative IDEs to create mobile applications.
The CLI does not require MobileFirst Studio for most stan-
dard activities. The commands support tasks such as creating,
adding and configuring with the MobileFirst Platform API
library, adding the client-side MobileFirst Platform properties
file and conducting the build and deployment of the
MobileFirst Platform application. Adapter creation, deployment
and local testing can be conducted within the command line.
Administration of your MobileFirst Platform project can be
done from CLI or REST services, or the MobileFirst Console,
where you can more easily control the local server and observe
the logs. Command-line tools can be used on their own, or in
parallel with the MobileFirst Studio tools.
Everything that is generated by using the command-line inter-
face is compatible with MobileFirst Studio. You can also use
the CLI to integrate third-party tools such as ANT or Grunt
to create your own tool chain for automated testing, build and
deployment flows.
MobileFirst Platform native capabilities

5. 5
WebSphere
Technical White PaperIBM Software
Native-device SDK integration
MobileFirst Studio is also designed to integrate with the
software development kits (SDKs) of the mobile devices
that the MobileFirst Platform supports including Android,
iOS, Microsoft Windows 8, Microsoft Windows Phone and
Blackberry. With this integration, developers can take full
advantage of the native code capabilities, development tools,
testing and debugging mechanisms that are native to the mobile
SDKs, without leaving the development environment.
Automated mobile functional testing
To accelerate delivery cycles of mobile applications, you require
fast and effective test cycles. MobileFirst Platform software
includes integrated automated functional testing. This testing
is available for Android and iOS native, hybrid and web applica-
tions. Created for developers and testers, this capability is
designed to automate functional testing of apps that are devel-
oped with the MobileFirst Platform. First, developers or testers
record a sequence of actions on a mobile device, emulator or
simulator by using an instrumented recording-ready application
to generate a test script. Next, developers or testers edit and
enhance the script by using natural-language syntax to add veri-
fication points and other instructions. Developers and testers
can run the enhanced test script on demand on a real device,
simulator or emulator. They can view and share the results by
using a generated HTML report. Developers and testers can
test MobileFirst Platform apps more rapidly and methodically
at a reduced cost because of automated functionality testing. As
a result, developers and testers can help enable higher-quality
mobile apps.
Centralized build
The IBM MobileFirst Platform Builder is a stand-alone appli-
cation that can be more easily integrated with common
central build services, such as IBM Rational® Jazz™ Builder,
Hudson and Luntbuild. Using the centralized build functional-
ity, the different teams involved in the development, testing
and quality assurance (QA) phases can work from one common
version of the code without complex installation of dedicated
mobile environments locally. Therefore, teams can more effec-
tively enhance the collaboration and automation of the internal
application development process.
Hybrid development
Facing the constantly evolving fragmented ecosystem of mobile
devices and operating systems, application development has
become a costly, yet an unavoidable endeavor. This challenge
has led to the creation of a market for cross-platform mobile
development solutions that is rapidly growing.
Most solutions in the market today rely on limited proprietary
tools delivering lowest-common denominator based on code
cross compilation or interpretation from what you see is what
you get (WYSIWYG) tools or prepackaged apps. The result is
an unavoidable tradeoff between user experience and multiplat-
form coverage. With the MobileFirst Platform hybrid develop-
ment approach, applications can have any mix of standard
native and web code, even in the same UI views. Hybrid appli-
cations execute inside a native container and use the browser
engine to display the HTML5/JavaScript and CSS part of the
application interfaces and business logic. The native container,
based on Apache Cordova also known as PhoneGap, grants
application access to device capabilities that are not accessible
to standard web applications, such as the accelerometer, camera
and device local storage. Hybrid applications developed with
the MobileFirst Platform can be distributed through public or
private cross-platform application stores and developed either
by using the provided MobileFirst Studio CLI or IDE tools.
For example, the Mobile Browser Simulator enables advanced
debugging earlier in the development cycle to further accelerate
developments with multiple form factors preview side by side
and Apache Cordova APIs simulation.

6. 6
WebSphere
Technical White PaperIBM Software
Because developers are not dependent on an intermediary
build-time or runtime layer, such as a cross-compiler or inter-
preter, native APIs are accessible upon release of new mobile
operating system (OS) versions or third-party libraries.
Furthermore, the applications web code is executed directly by
the mobile browser, so developers have direct access to the
HTML Document Object Model (DOM) and are free to use
any JavaScript API or third-party JavaScript toolkits and
frameworks.
There are several ways of combining native and web code
in MobileFirst Platform hybrid applications, including:
●●
Native and web code mix. With the MobileFirst Platform,
you can mix virtually any set of native code with web code
for different, or within the same screens or application logic.
Some of the benefits include full use of native capabilities and
optimized balance between code reuse and performance for
user experience where needed.
●●
Pre-packaged HTML5 resources. Unlike the following
approach, the web resources are not loaded from an external
website at run time but are packaged within the application
itself, thus enabling improved application responsiveness
and off-line operations support. In addition, you can enable
greater cross-reuse across delivery channels with the com-
bined use of responsive design and MobileFirst Platform
skins.
●●
Native shell application enclosing an external mobile
website. With this approach, your mobile website is dis-
played inside the native shell provided instead of the device
browser allowing application access to the device native
functionality through JavaScript APIs. There are drawbacks
to this approach because of downgraded user experience
with subpart response time and off-line modes.
Support for HTML5
MobileFirst Platform software uses a standards-based approach
that enables developers to write or import code, to circumvent
the debugging and maintenance limitations of proprietary
interpreters or code translators.
You can benefit from capabilities that include:
●●
A cleaner, more readable and consistent HTML code
●●
Visual HTML editing in Rich Page Editor; HTML5 tags
and attributes are directly supported in RPE
●●
Access to rich media types including audio and video that are
usually available only by way of native code
●●
Use of advanced UI components, such as data pickers, sliders
and edit boxes that automatically support ellipsis and
others—implemented natively by the browser
●●
Use of Cascading Style Sheets 3 (CSS3) styles and
CSS3-based animation to reduce application size and to
improve application responsiveness
●●
Application distribution channels that go beyond the
different application stores and their time-consuming and
limited restrictions
●●
Support for location services
●●
Offline storage capabilities
Support for third-party JavaScript toolkits and UI
frameworks
In addition to its support for HTML5, MobileFirst Platform
software provides integration with the growing ecosystem
of UI frameworks, such as Ionic, Angular or jQuery Mobile.
Developers can pick the JavaScript UI framework of their
choice and use it to develop their application within the
MobileFirst Studio.

7. 7
WebSphere
Technical White PaperIBM Software
Rich Page Editor (RPE)
Furthermore, the MobileFirst Studio ships with a WYSIWYG
drag-and-drop for UI design and development. With these
editing capabilities, developers can create pure HTML or
HTML and JavaScript files by dragging HTML5, JQuery and
Dojo mobile components from a built-in palette to the HTML
canvas. Developers can use property sheets to control HTML
and CSS properties. At the same time, with these editing capa-
bilities, developers can enable direct editing of HTML and
CSS files, updating the graphical canvas to visualize almost
immediately the impact of their changes. These editing capabil-
ities are integrated with the MobileFirst Platform optimization
framework, making it possible for developers to view a specific
application environment or to view a specific skin.
Screen templates
To deliver an outstanding mobile UI experience, conformance
to continuously evolving mobile patterns of behavior that are
specific to each OS family is required. MobileFirst Platform
software includes screen templates that automate the creation of
mobile screens. The design of these screen templates is based
on industry-proven methods.
Developers can choose from templates in four categories
including:
●●
Lists
●●
Authentication
●●
Navigation and search
●●
Configuration
Each screen template can be previewed live, used as is,
or further refined using any combination of web and native
technologies.
Optimization framework
Unlike other alternative approaches, the MobileFirst Platform
optimization framework enables developers to share the
majority of the application code across multiple environments,
without compromising platform-specific user experience or
application functionality. Developers can share the common
application code among multiple environments, while isolating
environment-specific code in designated code branches that can
overwrite or augment the commonly shared code. As a result,
application logic remains consistent among the different envi-
ronments, while the UI behaves natively and adheres to user
expectations and the differentiated functionality and design
guidelines of the device. Therefore, developers can strike the
desired balance between development efficiency, application
functionality and user experience. Hybrid application web
portion of the code can be updated with the IBM MobileFirst
Platform Direct Update mechanism. Further performance
improvements with direct update are possible through differen-
tial direct update where the end users receive only the web
resources that have changed between updates instead of the
entire web resource package.
Runtime skins
You can further optimize your hybrid apps by using runtime
skins. These skins are packaged with the application’s executable
files and are applied to the mobile app during run time. With
this capability combined with responsive design techniques,
it is easier to automatically adjust the application appearance
and behavior to different devices from the same OS family and
better manage application code complexity.
Common scenarios that benefit from runtime skins
include:
●●
Different screen sizes and screen densities
●●
Different input method
●●
Different support levels for HTML5

8. 8
WebSphere
Technical White PaperIBM Software
The shell approach
When different teams having varying degrees of expertise work
on common mobile projects, the MobileFirst Platform shell
approach can help separate concerns among teams. An external
shell is a customizable container that provides JavaScript access
to the native capabilities of the device. A dedicated expert team
works on one or multiple shells for branding, security configu-
rations, audits and authentication frameworks. Using such
shell structure forces hybrid inner applications to automatically
comply with its built-in policies as data access restriction, use of
certain APIs and different branding.
With the corporate policies enforced by the shell, the inner
applications can be more easily built by departmental develop-
ment teams using well-known web technologies. Such teams
are only required to focus on the user interface and business
logic.
Desktop and mobile website development
In this model, the application that executes the device’s browser
can be made platform independent and requires no installation,
with simple access through a URL or bookmark. The downside
is support for connected mode only, sub-part user experience
with potentially response time and no access to the device
functions such as camera or contact list.
Aspects of each development approach
With the MobileFirst Platform, you can select the most appro-
priate development approach fitting your application context
and objectives. Selecting the best development approach must
be the first step of your application project.
The major aspects of the supported development approaches to help you decide which one best fits your needs include
the following:
Comparison of mobile development approaches
Aspect Mobile website
development
Native shell, external
mobile website
Prepackaged
HTML5 resources
Mixing web and
native in code and UI
Pure native
development
Easy to learn Easiest Easiest Medium Harder Hardest
Application performance Slowest Moderate Good Fastest Fastest
Device knowledge required None Some Some Some A lot
Development lifecycle -
build, test, deploy
Shortest Shortest Medium Medium Longest
Application
portability to other platforms
Highest High High Medium None
Support for native device functionality Some Most Most All All
Distribution with built-in mechanisms No No Yes Yes Yes
Ability to write extensions
to device capabilities
No No Yes Yes Yes

9. 9
WebSphere
Technical White PaperIBM Software
Optimizing user engagement
Users value apps that help them complete tasks such as
ordering takeout, hailing a taxi, or making a restaurant reserva-
tion. To deliver this type of transactions, you require mobile
application integration with existing back-end services and data.
Standardized back-end access with adapters
The MobileFirst Platform enables mobile apps back-end con-
nectivity over HTTP, JMS, SAP, Unstructured Supplementary
Service Data (USSD) and SQL and you can further optimize
connectivity by using IBM Integration Bus or IBM Cast Iron®.
The MobileFirst Platform adapter architecture is designed to
promote a decoupling of integration logic, which is hosted on
the server side from the mobile application logic. As a result,
with this IBM architecture, you can manage back-end services
and mobile-apps-distinct evolution timelines.
Moreover, mobile apps often have to connect to services that
were built long before mobile was in existence, which poses
challenges in both data delivery and service security for the
mobile channel. The MobileFirst Platform is designed to
deliver ready-to-use data transformation capabilities to the
JSON format to optimize payloads size and response time for
the mobile applications. For instance, adapters can easily filter
out unneeded parts of large payloads from legacy services tar-
geted at the traditional web channel. Furthermore, adapters can
enable server-side service composition to reduce the number of
requests to optimize application response time over slow mobile
network.
In terms of integration security, the MobileFirst Platform pro-
vides mobile-specific and fine-grained security controls that can
be wrapped around legacy services. In addition, the MobileFirst
Platform acts as a strong control point, enabling overview and
management of mobile activities. This platform also includes
built-in analytics for user actions and device and application
properties with possible extension to monitor and act upon
unusual usage patterns that might result from fraudulent
repackaged apps.
Integration is the driver for the level of interaction many users
expect from their mobile apps and the MobileFirst Platform
provides a robust set of integration capabilities. With these
features, you can use existing enterprise investment, optimize
data delivery to sustain user interactions over unstable mobile
networks and help reduce development cost by providing zero-
code integration paths. In addition, you can improve organiza-
tional insight into user experience through analytics.
Automated services discovery for SOAP and SAP
Generation of adapters for the discovery of SOAP automated services

10. 10
WebSphere
Technical White PaperIBM Software
With the MobileFirst Platform, you can further expedite the
creation of mobile apps that call SAP NetWeaver Gateway
and SOAP-based web services described by Web Services
Description Language (WSDL). With the MobileFirst
Platform services discovery wizard, developers can specify
the back-end services called from the mobile app and generate
application specific adapters for web, hybrid, or native app
with near-zero coding. Further, developers can place them in
the proper mobile app project folder.
Unified push notification and SMS
There are many differentiated characteristics of mobile apps but
perhaps none more so than the notion of anywhere, anytime
engagement. The MobileFirst Platform provides a unified API
to send push notifications and SMS from the server to mobile
apps, helping developers to more easily manage mobile plat-
form fragmentation. In addition, they can develop a single set
of logic to send push notifications across their target platforms.
The MobileFirst Platform provides the ability to send broadcast
notification to all devices and targeted messages to a specific set
of users, a specific device or a specific user. By using the device
specific capabilities, the MobileFirst Platform also supports
interactive push notifications for iOS8, Android L heads up
notification and silent notifications for iOS7 onwards.
Location services
If push notifications deliver the means for engagement,
location services deliver the ability to engage in context. The
MobileFirst Platform is designed to help engage users based
on their location by providing end-to-end services for detect-
ing, transmitting and consuming location-based events in
back-end business processes, decision management systems
and analytics systems.
Polling
Adapters
Back-end
System
Back-end
System
Message-
based
Adapters
Unified
Push API
Notification
State
Database
User
Device
Database
iOS
Dispatcher
Android
Dispatcher
Windows
Phone
Dispatcher
SMS
Dispatcher
Apple Push
Servers
(APN)
Google
Push
Servers
(GCM)
Microsoft
Push
Servers
SMS/MMS
Brokers
Administrative Console
Notification statistics, SMS subscription control
Worklight
Client-side
Push Services
iOS
Push API
Android
Push API
Windows
Push API
Broker
API
Optional 2-way SMS
Worklight
Client-side
Push Services
Worklight
Client-side
Push Services
Unified Push Notifications

11. 11
WebSphere
Technical White PaperIBM Software
Traditional approaches constantly poll device GPS or triangulate and then send the resulting position to the back-end systems for
decision-making. Whereas, the MobileFirst Platform delivers a location services framework that helps optimize development time,
battery and network usage.
MobileFirst Platform geo-services architecture
MobileFirst Platform USSD architecture overview
Device Run time
Application code
Device location API Server location API
Worklight device run time Worklight server run time
Analytics and reporting
Set acquisition
policy and triggers
Transmit events
Log activities and
event with device
and app contexts
Events
Device context
Set event handlers
Get device context
Set app context
Trigger callbacks Event callbacks
Adapter code
Worklight Server
Enterprise
backend
Worklight
HTTP/S
USSD
Gateway
Mobile User dials
USSD short code
e.g. *123#
Telco forwards
this to a USSD
gateway
Gateway maps the
short code to a known
URL provided by the
enterprise and creates
the USSD session
Worklight responds
to the gateway request
with the USSD menu
options (configurable)
Enterprise
Adapter

12. 12
WebSphere
Technical White PaperIBM Software
IBM MobileFirst Platform Foundation location services
provide both client-side and server-side services that
deliver:
●●
Points of interest and geo-fences definition and a more
efficient, policy-based controlled acquisition of GPS,
triangulation and Wi-Fi coordinates to save battery, whether
the application is executing in the background or foreground
●●
Events generation for action triggering based on location
changes as when crossing a geo-fence and server-side logic to
enable meaningful reaction to important geo events
●●
More efficient communication with back-end systems and
batch sends to optimize network use
●●
Unified server-side API that enables developers to consume
location events on the server and take action to facilitate
enterprise systems integration into patterns of intelligent
user engagement
The benefits of MobileFirst Platform location services are
twofold to the organization. First, developers do not have to
worry about efficient location data collection and transmission
for the client because they can use MobileFirst Platform
services. Second, developers can build one set of location-
enriched engagement logic on the server and apply that logic
to their mobile apps throughout platforms. This IBM platform’s
location services help people at organizations more efficiently
understand where app users are and more importantly execute
business logic based on this contextual understanding.
Indoor location using iBeacons
You can engage users based on their proximity to an enterprise
beacon by delivering location-relevant messages, information,
promotions and so on. The MobileFirst Platform provides
REST APIs to register and manage the beacons on the server
side. Similar to outdoor location triggers, the admin team
creates triggers that are activated when a user is nearby
enterprise beacons. Developers can retrieve a list of beacons
and triggers by calling a WL Server API in an adapter
Unstructured Supplementary Service Data
USSD provides a cost-effective alternative to mobile apps in
emerging markets where feature phones as opposed to smart-
phones are still fairly common and data networks unreliable.
USSD is a protocol used by GSM cellular telephones to send
text messages between a mobile phone and an application
program in the network. USSD establishes a real-time session
between the mobile phone and the application that handles the
service.
The MobileFirst Platform is able to:
●●
Accept incoming requests from a USSD gateway and map
the USSD short codes as a user entering *123# to the
corresponding MobileFirst Platform adapters
●●
Construct and respond with USSD menu options
●●
Call corresponding back-end services through the
MobileFirst Platform adapters
The IBM MobileFirst Application Center
cross-platform private app store
The MobileFirst Application Center enables teams to set up
an enterprise cross-platform private application store to help
govern the distribution and management of pre-release and
production-ready mobile applications. This MobileFirst private
app store can manage MobileFirst and non-MobileFirst-based
applications, including apps from public app store.
Administrators can make the most of existing authentication
frameworks, including ACL and LDAP, to manage app distri-
bution by department, job function, geography and other
schema. Employees who access the MobileFirst Application
Center from their mobile devices will only see the mobile
apps that they are allowed to download and can rate apps and
provide feedback to help future enhancements.

13. 13
WebSphere
Technical White PaperIBM Software
For development teams, the MobileFirst Application Center
provides a more convenient way to distribute pre-release soft-
ware to developers and testers. Feedback can be organized by
device and by version to quickly isolate and resolve defects,
whether those defects are device-specific or version-specific.
The MobileFirst Application Center is designed to also inte-
grate with software-build processes to automate the distribution
of the latest releases to project teams, helping to accelerate the
develop-test-debug cycle.
The MobileFirst Application Center provides:
●●
Administrators with improved governance over the distribu-
tion of mobile apps throughout the enterprise, including app
hosted on public app stores;
●●
Employees with easier access to the latest apps that are
needed by their departments or job function and that are
optimized for their device;
●●
Developers with an easier way to distribute mobile builds
and to elicit feedback from members of development and
test teams
The MobileFirst Application Center is designed to manage
native or hybrid applications for the Google Android platform,
the Apple iOS platform, the Microsoft Windows Phone 8 plat-
form, Microsoft Windows 8 and the BlackBerry OS 6 and
OS 7 platform.
Securing your mobile channel at the user,
application and device levels
Security is a clear priority for executives at organizations
embarking on mobile implementations but it proves to be
challenging. Up to 53 percent of enterprises report that they
struggle to implement effective end-to-end mobile security
measures.1
A key characteristic of the MobileFirst Platform security frame-
work is its delegation to the existing security infrastructure to
foster reuse and security standardization across delivery chan-
nels. IBM MobileFirst Server is designed to integrate more
seamlessly as a presentation tier into the existing enterprise
infrastructure while supporting custom extensions to integrate
with virtually any security mechanism. The IBM MobileFirst
Foundation security framework provides a wire protocol that
enables the combination of challenges and responses of multiple
security checks during a single request-and-response round trip.
With this IBM security framework, the number of client and
server round trips can be reduced and the application logic
from the security checks implementation can be separated.
The MobileFirst Platform facilitates stronger
implementation of security measures at the user, data,
application and device levels:
●●
The MobileFirst Platform provides an open user-
authentication framework to help you integrate your mobile
apps with existing enterprise or third-party security systems.
The MobileFirst Platform enables the basic authentication
approach that uses the username and password. But the
MobileFirst Platform also enables more complex schemes
such as certificate-based authentication and multifactor
authentication protocols with one-time passcodes, step-up
authentication procedures and more. A typical example of
multifactor authentication is the combination of device,
application and user authentication. You can also integrate
the MobileFirst Platform with existing enterprise certificate
authority such as X509 Public Key Infrastructures (PKI)
certificate creation back-end, to pass requests for the creation
of certificates and use resulting certificates. Resulting X509
certificates stored on the devices help deliver enhanced user
experience by streamlining user authentication steps as
removing login and password steps for a particular app on a
given device. X509 certificate creation software is provided
if you do not already have one deployed. The MobileFirst
Platform is also designed to support off-line authentication,
single sign on (SSO) capabilities for multiple mobile apps to
participate in a globally authenticated session.

14. 14
WebSphere
Technical White PaperIBM Software
●●
The MobileFirst Platform helps more effectively secure data
on the device with the JSON Store AES-256 encryption. You
can further secure data on the device and in transit with the
use of optional libraries to make them FIPS 140-2 compliant.
●●
You can protect applications against repackaging attacks with
app authentication by ensuring that mobile apps that connect
to the MobileFirst Platform environment are known and
trusted. With the MobileFirst Platform, you can also support
integration with third-party jailbreak and malware detection
libraries. These capabilities are complemented with the
MobileFirst Platform direct update to automatically propa-
gate updates of web portions of the hybrid mobile apps,
thus helping to ensure latest security patches are deployed
to users.
●●
To protect against malicious changes to direct update, the
MobileFirst Platform provides direct update authenticity
verification, where the authenticity of the direct update
package is verified before it is installed on the end user’s
device.
●●
The MobileFirst Platform also provides device provisioning
capabilities which enable control over which device can access
corporate back-end systems.
●●
In addition to all of these capabilities, this IBM platform
provides management controls through standard Java EE
security controlled for role-based access to UI console,
analytics console, CLI and REST APIs used for the automa-
tion of tasks. They help administrators to mitigate risk in the
face of unknown app vulnerabilities and recently lost devices.
Furthermore, administrators can more quickly change access
rules with fine-grained management of user or device or
application triplets with disablement of all or given apps for
all or given users or devices.
Proactively enforce
security updates
Remote
disable
Direct
update
Provide robust authentication
and authorization to secure users
Authentication
integration
framework
Data
protection
realms
Coupling
device id
with user id
Streamline corporate
security approval
processes
Mobile
platform as
a trust factor
Protect from known
application security threats
Code
obfuscation
SSL with
server identity
verification
Proven
platform
security
Jailbreak
and malware
detection
App
authenticity
testing
Protect data on the device
Encrypted
cache / DB
Offline
authentication
Secure
challenge-
response on
startup
MobileFirst Platform Security Framework

15. 15
WebSphere
Technical White PaperIBM Software
Mechanism Benefit Details
On-device
encrypted storage
Help protect sensitive information from malware
attacks and device theft
●●
●●
●●
Uses AES256 and PCKS #5-generated encryption keys for
storing app-generated information on the device
Enables offline user authentication
Implemented in JavaScript that is highly obfuscated, with
optional native performance enhancements
Direct update Take action to help ensure timely propagation of
updated hybrid app versions to the entire install base
●●
New versions of the code can be distributed without requiring
the manual update of the application and are applicable to
web resources
Remote disable Enforce timely adoption of critical security updates to
the entire install base
●●
Server-side console enables configuration of allowed app versions.
Administrator can ask users to install security updates to the
native code.
Authentication
framework
Help reduce overall cost and complexity of integration
with authentication infrastructure
●●
●●
●●
●●
●●
●●
Server-side architecture designed for integration with back-end
authentication infrastructure based on Java Authentication and
Authorization Service (JAAS) concepts, with authentication realms
Specify one SSL per HTTP adapter for enhanced flexibility
and security
Ready-to-implement integration with Kerberos, NTLM,
Basic and Digest authentication
Ability to encrypt server-to-server SOAP communication with X509
certificates, following the Web Services Security (WSS) standard
Client-side framework for asynchronous login requests on session
expiration
X509 certificates support
Server-side
safeguards
Help prevent SQL injection and help protect against
cross-site request forgery (XSRF)
●●
●●
Prepared-statement enforcement
Validation of submitted data against session cookie
Enterprise SSO
integration
Use existing enterprise authentication facilities and
user credentials and enable employee-owned
devices
●●
●●
●●
Client-side mechanism obtains and encrypts user credentials, sends
to the server with requests
Encryption incorporates user-supplied PIN, server-side secret
and device ID
Credentials cannot be retrieved from lost or stolen device

16. 16
WebSphere
Technical White PaperIBM Software
Mechanism Benefit Details
Device SSO ●●
Enables a mobile user to authenticate one time to ●●
Upon successful login, the authentication state is saved in the
integration
●●
●●
●●
gain access to multiple mobile applications from a
single device
Mobile users get a more-seamless experience
without having to explicitly log in to each
application
Enterprise teams can integrate authentication
services under a single umbrella, streamlining
governance and reducing help-desk costs that
are related to password resets and security
Developers can help eliminate redundant
development effort; they are no longer required
to build authentication into each application
independently
●●
database and used for validations in subsequent sessions
from the same device
No credentials are stored in the on-device database; only the state
of the authentication is stored, for improved security
Virtual private ●●
Enable delivery and operation of mobile apps for ●●
Client-side and server-side frameworks act as secure socket layer
network (VPN) employee-owned devices or device types that are (SSL)-based VPN
alternative
●●
not allowed on the corporate network
Enable delivery when installation of VPN client on
mobile devices is not possible or when such
installation is complicated to manage
●●
●●
●●
Network access control and policies are preconfigured in the
client-side framework layer
Network access and security measures are updated using
server-side framework
On-device encrypted storage to help prevent compromise of
sensitive data
These capabilities are essential, but business leaders realize that
delivering secure mobile apps is about more than securing the
run time; security must be embedded into the development
and app lifecycle management process. With MobileFirst
Application Scanning, you can conduct a static code analysis
of a mobile app, both native and web content, to detect
potential vulnerabilities earlier during the development cycle
for data leakage, sensitive information exposure, high-risk API
usage and more. This analysis can be an automated part of an
organization’s continuous integration and build strategy and it
can be run on demand as well. Static code analysis for mobile
apps is an important part of raising an organization’s overall
security posture. With MobileFirst Application Scanning this
analysis is made easier to institutionalize as part of the mobile
app lifecycle.

17. 17
WebSphere
Technical White PaperIBM Software
The MobileFirst Platform also integrates with:
●●
IBM MaaS360® from IBM Fiberlink® to help support
BYOD strategies with full device control through policies,
app containerization and app security as copy and paste
prevention
●●
IBM Trusteer® to deliver a context-driven risk assessment
and advanced malware and jailbreak detection
●●
IBM DataPower® for scalable security enforcement points
(PEP), traffic management, message validation, transport
level communications protection and rate limitation through
policies
●●
ISAM for risk-based access (RBA) and single sign-on (SSO)
using LTPA token, HTTP header, or OAuth
Clearly, security is an imperative for companies delivering
mobile apps and it goes deeper than security measures
employed for traditional web applications. The MobileFirst
Platform provides a more comprehensive set of and integration
with security-focused capabilities that help address both devel-
opment and runtime concerns. Security officers and developers
can use these capabilities to enhance their mobile security
posture without spending considerable upfront and ongoing
resources to match with what the MobileFirst Platform
provides right off the shelf.
The MobileFirst Platform does not warrant that systems and
products are immune from the malicious or illegal conduct of
any party.
Managing your mobile ecosystem
Unlike web application where you are in full control of the
experience and versioning where users get the sanctioned
version when connecting, mobile applications are a different
challenge, with binaries executing on end-users devices,
traditionally outside of your control. The MobileFirst Platform
is designed to provide means to claim back control with its
Mobile Application Management (MAM) capabilities while
maintaining a higher level of insights with operational analytics.
Enterprises can hardcode the MobileFirst server address in the
client application in which case all the users connect to the
same server. An alternative will be for enterprises to distribute
a single application to multiple groups of users and each user
group connects to a locally hosted MobileFirst server. The
MobileFirst Platform provides APIs to dynamically change
the MobileFirst server address.
The MobileFirst Console
The MobileFirst Console is a web-based user interface, also
available through REST services, Ant tasks or CLI tools to
more seamlessly integrate with your automation system of
choice. The MobileFirst Console is dedicated to the ongoing
administration of the MobileFirst Server and its deployed apps,
adapters and push-notification services whether in development
or production.

18. 18
WebSphere
Technical White PaperIBM Software
Supports multiple
versions on the
same platform
Device specific
versions are
uncoupled
Worklight console app management
Main management tasks include:
●●
Deployment of mobile applications and adapters
●●
Fine-grained management of users, devices and applications
●●
Black listing given devices when lost and managing their
provisioning, preventing access to given users when role
changed or managing multiple versions of the same
application
●●
Remotely disabling applications by version and
mobile-operating-system type
●●
Management of notification messages on application startup
when installation of new application version is requested
●●
Control and monitor push-notification services, event sources
and related applications.
●●
Troubleshooting and problem determination with server-
initiated client log collection for given devices, apps and users
Automated collection of user-adoption, device and app
properties, user actions and back-end calls, JSONStore and
back-end system calls performance, usage information,
exceptions, crashes, logs and response time, with customizable
dashboards for auditing and reporting purposes. All collected
data can be easily exported for further analysis by external
business intelligence tools.

19. 19
WebSphere
Technical White PaperIBM Software
Ready-to-use analytics helps address the following:
e
rojects
with
oring of
ove
her
s the
lications
The MobileFirst Console can administer several runtim
environments from several independent MobileFirst p
deployed to the same application server or cluster.
The MobileFirst Console includes role-based security
different built-in profiles:
●●
Monitor. This role includes read-only profile monit
MobileFirst-deployed artifacts.
●●
Operator. With this feature, you cannot add or rem
applications and adapters but you can conduct all ot
management operations
●●
Deployer. This role includes the same capabilities a
operator role but also the capability of deploying app
and adapters.
●●
Administrator. This role includes all administration
operations.
Operational analytics for usage insights
The MobileFirst Platform provides an advanced operational
analytics platform to automatically assemble and analyze
user-adoption, device and app properties, user actions and
back-end calls, JSONStore and back-end calls performance,
usage information, exceptions, crashes, logs and response time.
Search across logs and events collected from devices, apps and
servers enable patterns and problems and platform-usage
insights.
The following sources are combined into the analytics
repository:
●● Interactions of any app-to-server activity; anything that is
supported by the MobileFirst Platform client/server protocol,
including push notification
●●
Client-side logs and crashes
●●
Server-side logs that are captured in traditional MobileFirst
Platform log files
The IBM MobileFirst Server for analytics is provided as a
WAR file for standard install and administration.
Using the MobileFirst Platform approach, developers can
instrument mobile apps using the provided library for more
efficient collection and streaming of information. Business
leaders who optionally upgrade to the IBM Tealeaf® CX
mobile platform can gain additional insight into mobile
user-experience analytics. This insight includes session replays,
device orientation, screen size and touch-screen interactions,
to understand the behavior of mobile users for web and native
applications. These insights empower organizational teams to
diagnose and resolve customer struggles that can be difficult to
identify and that inhibit application usability and effectiveness.
For more information
To learn more about the IBM MobileFirst Platform, please
contact your IBM representative or IBM Business Partner,
or visit the following website: ibm.com/mobilefirst
Additionally, IBM Global Financing can help you acquire
the software capabilities that your business needs in the most
cost-effective and strategic way possible. We’ll partner with
credit-qualified clients to customize a financing solution to
suit your business and development goals, enable effective cash
management, and improve your total cost of ownership. Fund
your critical IT investment and propel your business forward
with IBM Global Financing. For more information, visit:
ibm.com/financing

20. © Copyright IBM Corporation 2014
IBM Corporation
Software Group
Route 100
Somers, NY 10589
Produced in the United States of America
November 2014
IBM, the IBM logo, ibm.com, Cast Iron, DataPower, Jazz, Rational,
Tealeaf, and Trusteer are trademarks of International Business Machines
Corp., registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current
list of IBM trademarks is available on the web at “Copyright and trademark
information” at ibm.com/legal/copytrade.shtml
Fiberlink, MaaS360 are trademarks or registered trademarks of Fiberlink
Communications Corporation, an IBM Company. Microsoft, Windows
and Windows NT are trademarks of Microsoft Corporation in the United
States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Oracle and/or its affiliates.
This document is current as of the initial date of publication and may be
changed by IBM at any time.
It is the user’s responsibility to evaluate and verify the operation of any
other products or programs with IBM products and programs.
THE INFORMATION IN THIS DOCUMENT IS PROVIDED
“AS IS” WITHOUT ANY WARRANTY, EXPRESS OR
IMPLIED, INCLUDING WITHOUT ANY WARRANTIES
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND ANY WARRANTY OR CONDITION OF
NON-INFRINGEMENT. IBM products are warranted according to the
terms and conditions of the agreements under which they are provided.
The client is responsible for ensuring compliance with laws and regulations
applicable to it. IBM does not provide legal advice or represent or warrant
that its services or products will ensure that the client is in compliance with
any law or regulation.
1
The Upwardly Mobile Enterprise, IBM Institute for Business Value,
October 2013
WSW14181-USEN-09
Please Recycle