Apps

Monkton, Inc.

The heart of Rebar is its mobile apps. Rebar organizes mobile apps as Apps and Bundles. For instance, Facebook itself within Rebar would be an app. Under Facebook you would add the Android and iOS versions as App Bundles. This enables your organization to define security for the apps themselves at a general level and then customize them based on the individual targeted App Bundle.

Organizations could deploy App Bundles as singular Apps; that is a management decision, and nothing prohibits that design.

Listing

The Apps screen presents a listing of the mobile apps the organization has defined, along with the state of each app. Apps have two general states: publish state and availability.

The App Listing screen provides three main functions:

  • Listing of apps in the Rebar Hub
  • Add App function to provision a new app
  • Upload Configuration to upload an app from another environment

Add App

The Add App functionality enables provisioning of new mobile apps within the Rebar Hub. Add App will direct you to the Add App screen, where you enter the app's information. See the Add section below for more information.

Upload Configuration

When migrating apps to new environments, it is useful to have an easy mechanism to do so. When viewing Modify App you can tap the Export Configuration button. This will download a JSON file that contains all the relevant information for the app.

To upload the configuration on the App Listing screen:

  1. Tap the Upload Configuration button
  2. Select the app configuration JSON file from your local computer
  3. Tap Upload Configuration to upload the app
  4. The modal dialog will disappear and the listing of apps will refresh

If the app or any portion of the app exists, the Rebar Hub will notify you that the app or bundles already exist within the Rebar Hub.

Published/Availability

The App Listing functionality also displays the state of the app. Apps have two main states, Published and Availability.

Published indicates if the app is available for use. Apps can be in two states:

  • Unpublished (Default for new apps) - meaning the app is unavailable
  • Published - meaning the app can be used

Availability indicates who the app is available to. Apps can be in one of two Availability states:

  • Restricted - meaning only groups can be assigned the app to use
  • Everyone - everyone with access to Rebar apps can access the app

Add

To add a new app within the Rebar Hub, the Add App screen provides the means to add the root app that will contain the App Bundles.

  1. Input the name of the app
  2. Input the description of the
  3. Tap Save and the Rebar Hub will create the App and will redirect you to the Modify App screen

Modify

Modify App is the way to manage a mobile app that you have configured within the Rebar Hub. Modify App allows you to do multiple things to manage the app. From the modify portal you can:

  • Modify the meta data on the app
  • Configure the Security Configuration for the app
  • Manage the published state of the app
  • Manage the availability of the app
  • Export configuration
  • Delete App
  • App Bundles
  • App Groups

Details - Name/Description/Identifier

The high level details of the app are the name, description, and the Rebar Hub generated identifier for the app.

  • The name of the app - a quick description of the app
  • The description of the app - a more descriptive explanation of what the app is
  • App Identifier - this is generated internally by the Rebar Hub. This value can be used in invoking the Rebar Hub API

To update the app metadata you can easily:

  1. Input the name of the app
  2. Input the description of the App
  3. Tap Save and the Rebar Hub will update the app

It will take a period of time for the Rebar API cache to reload the changes made to apps. This typically takes about a minute.

Security Configuration

The security configuration for apps drives how the app is secured within the Rebar Hub. The security configuration can additionally be customized at the App Bundle level if the specific apps need specific customization.

There are three main sections for the Security Configuration:

  • App Authentication and Authorization
  • Passcode Configuration
  • Data in Transit Management

App Authentication and Authorization

App Authentication and Authorization controls how users authenticate, authorize, and interact with the Rebar Hub. This includes a variety of options:

App Authentication and Authorization - App Login Duration

App Login Duration is an important part of app security. Rebar apps have a concept of “Authentication Tokens” to perform authentication between Rebar apps and the Rebar Hub. These tokens tie a user, on an app, to a device and provide cryptographic means to authenticate sessions.

Token Duration indicates how long a user can stay logged into a mobile app. For instance, a sensitive app may want the user to be forced to log in to the app once a week. This can be configured through this setting. Other apps may allow users to be logged in indefinitely or for any of the other available durations.

Note: When users are forced to log off, they will lose all data within the app.

Additionally, when PKI is used, the user's authentication tokens will be limited to when the PKI certificate expires.

App Authentication and Authorization - Enforce AAL2

A core part of aligning to standards is aligning to NIST AAL standards for identity. AAL2 enforcement is not recommended for your applications. The requirements of NIST will force users to be logged out and forced to reauthenticate after a period of 30 minutes. For 99% of use cases this is not congruent with mobile apps and mobile app security.

Note: For government customers, we strongly suggest a POA&M to cover not enabling this setting.

App Authentication and Authorization - OID Targeting

With PKI authentication, Rebar has the ability to do OID targeting for mobile apps. Within PIV certificates, attributes can be assigned to the certificates for users.

For instance, perhaps pilots should be the only users to access an “Electronic Flight Bag” app. When issuing the user's PKI certificate, an OID could be injected into the certificate indicating the user is a pilot. From there, that OID value can be set in the OID Targeting field.

Multiple OID Targeting values can be provided in a comma delimited fashion.
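The following is an added example, not Rebar Hub code, showing how a comma-delimited OID targeting value can be parsed and matched safely. It assumes any-of matching and that an empty field means no restriction; the function names and the OIDs under the 2.999 example arc are constructed for illustration.

```python
import re

# Dotted-decimal OID: first arc 0-2, later arcs without leading zeros.
_OID_RE = re.compile(r"[0-2](\.(0|[1-9]\d*))+")

# Constructed sample OIDs (2.999 is the example arc, not a real assignment).
PILOT_CERT_OIDS = ["2.999.1.10", "2.999.5.1"]
MECHANIC_CERT_OIDS = ["2.999.1.100", "2.999.5.1"]


def parse_oid_targets(field):
    """Split a comma-delimited OID Targeting value into a set of OIDs.

    Whitespace and empty entries (for example a trailing comma) are ignored.
    A malformed entry raises ValueError instead of being dropped, so a typo
    cannot silently change who is allowed in.
    """
    targets = set()
    for raw in field.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if not _OID_RE.fullmatch(entry):
            raise ValueError(f"not a dotted-decimal OID: {entry!r}")
        targets.add(entry)
    return frozenset(targets)


def cert_is_targeted(cert_oids, field):
    """True if the certificate carries at least one targeted OID.

    Assumptions: any-of semantics, and an empty field places no restriction.
    Whole OIDs are compared exactly; substring or prefix matching would let
    2.999.1.100 pass a rule written for 2.999.1.10.
    """
    targets = parse_oid_targets(field)
    if not targets:
        return True
    return any(oid in targets for oid in cert_oids)
```
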

App Authentication and Authorization - Allowed Authentication Options

Rebar supports multiple authentication options, some are more secure than others. There are two options for limiting authentication:

  • Username/Password
  • PKI

Disabling both will render the app unable to authenticate users.

When these settings are changed, the user is logged off the app. Future authentications will either succeed or fail based on how the app is configured to authenticate users.

Passcode Configuration

Rebar enables a variety of means to secure data on the application, ranging from forcing users to enter a passcode to enter the app to leveraging the dedicated security components (DSC) of mobile devices (SEP for iOS and TEE for Android) to store secrets.

There are 5 options for securing data on the device:

  • No passcode - this will require no passcode to be entered into the application. This is the least secure option as data could be cached on devices with no device passcode
  • Require App Passcode - this will require the user to enter a passcode into the app for any access to the app
  • Require App Passcode Unless SEP/TEE - if the device has a DSC, the DSC will be leveraged to encrypt secrets to decrypt data within the app
  • App Passcode Optional with Device Passcode - if the device itself has a passcode, the user is prompted if they would like to decide to enter a passcode
  • App Passcode Optional - allows the user to decide if they would like a passcode within the app

When selecting an option for a passcode, the administrator can define the app passcode policy.

  • Passcode Timeout - how long until the app will force the user to re-authenticate with the app after exiting the app. Immediate is strongly discouraged if users may be using other apps
  • Min Length - the minimum length of the passcode itself
  • Numbers - the number of numbers required in the passcode
  • Special - the number of special characters required in the passcode
  • Upper - the number of upper case characters required in the passcode
  • Lower - the number of lower case characters required in the passcode
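A sketch of how the five policy fields above combine, as an added example that is not Rebar Hub or Rebar SDK code. It assumes each count is a minimum and that "special" means any character that is neither a digit nor a cased letter; all names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PasscodePolicy:
    """Hypothetical model of the policy fields; every count is a minimum."""
    min_length: int = 0
    numbers: int = 0
    special: int = 0
    upper: int = 0
    lower: int = 0


def effective_min_length(policy):
    """The shortest passcode that can satisfy the policy.

    If the per-class minimums add up to more than Min Length, the sum is the
    real minimum, which is worth knowing before rolling a policy out.
    """
    classes = policy.numbers + policy.special + policy.upper + policy.lower
    return max(policy.min_length, classes)


def policy_violations(passcode, policy):
    """Return (rule, required, found) for every rule the passcode fails."""
    found = {"numbers": 0, "special": 0, "upper": 0, "lower": 0}
    for ch in passcode:
        if ch.isdigit():
            found["numbers"] += 1
        elif ch.isupper():
            found["upper"] += 1
        elif ch.islower():
            found["lower"] += 1
        else:
            # Assumption: anything else (punctuation, spaces) is "special".
            found["special"] += 1
    violations = []
    if len(passcode) < policy.min_length:
        violations.append(("min_length", policy.min_length, len(passcode)))
    for rule in ("numbers", "special", "upper", "lower"):
        required = getattr(policy, rule)
        if found[rule] < required:
            violations.append((rule, required, found[rule]))
    return violations
```
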

Data in Transit Management

This configuration allows Rebar apps to interact directly with external services. Rebar originally only allowed apps to interact with the Rebar API. Now Rebar enables apps to pull data directly from external sources.

Within the Rebar SDK, developers can invoke the Rebar Data in Transit tooling to generate a “Validation Token” - this Validation Token can then be passed to third party web service calls. This Validation Token can be passed via the third party web service to the Rebar API to validate the token.

At this time, the Data in Transit management enables apps to interact with S3 buckets in AWS GovCloud.

Custom developed backend Web Services can return either signed or unsigned requests and the Rebar SDK can download the files directly.

The benefit of this is that this removes compute cycles for the Rebar Hub.

The Rebar Hub will proactively perform SSL Pinning and certificate validation of the downloaded content. Developers do not need to embed the Pinned SSL certificates into the app configuration. The Rebar Hub itself will provide them to the app automatically.

App Published State

App Published State indicates if the app is available for use. Apps can be in two states:

  • Unpublished (Default for new apps) - meaning the app is unavailable
  • Published - meaning the app can be used

To change the App Published State, tap Published: App Published/Published: App Unpublished

App Availability State (Grid to show which groups)

App Availability State indicates who the app is available to. Apps can be in one of two Availability states:

  • Restricted - (Default for new apps) meaning only groups can be assigned the app to use
  • Everyone - everyone with access to Rebar apps can access the app

To change the App Availability State, tap Availability: Restricted/Availability: Everyone

When availability is set to Restricted the Group Access for App grid at the bottom of the screen will become available. This will indicate which groups have been granted access to the app. To add an app to a group, navigate to the group and select the app as having access.

Export Configuration

To migrate between environments, the Rebar Hub allows the app configuration to be exported and then uploaded on the App Listing screen.

Tapping Export Configuration will automatically download and provide a JSON file that can be saved locally and uploaded elsewhere.

When importing to a new environment, if the Rebar Hub determines that the app and bundles may already exist in the Rebar Hub, it will present an error.

Delete App

Deleting an app will delete the App, its bundles, and all associated metadata. This cannot be undone.

To delete the app, tap the Delete App button. This will prompt the confirmation modal.

If you wish to delete the app, follow the on screen prompt and confirm the delete.

App Bundles

App bundles list the bundles that have been configured for this app. As noted before, Apps are a hierarchical entity. The top level app can contain several App Bundles below it. App bundles will be listed here.

Here you will also find the functionality to add a new App Bundle under this app. Tap Add App Bundle to be presented with the screen to add a new App Bundle.

App Groups

When an app availability is set to Restricted the App Groups will display on the Modify App screen. Here the Groups that have been delegated access to the apps will be listed.

This grid does not provide a means to add Groups to the availability, but it does provide a means to remove existing groups.

To remove a group from the App Groups listing, tap the Remove Group button. There is no confirmation for this action.

Add Bundle

After tapping Add Bundle from the Modify App screen the Add Bundle screen will be presented. This screen enables the administrator to define a new Bundle for the App.

At the core a new bundle requires a few fields, these fields are:

  • Bundle ID
  • URL Scheme
  • OS

To create a new Bundle, enter the following:

  1. Input the Bundle ID from the app, this would be the bundle ID from the iOS app or the package name for the Android app
  2. Input URL scheme, this is optional
  3. Select the OS this app is deployed for
  4. Tap Save and the Rebar Hub will create the App Bundle and will redirect you to the Modify App Bundle screen

Bundles Modify

Modify Bundle is the way to manage a mobile app bundle that you have configured within the Rebar Hub. Modify App Bundle allows you to do multiple things to manage the app bundle. From the modify portal you can:

  • Modify the meta data on the app bundle
  • Configure the Security Configuration for the app bundle
  • Manage the published state of the app bundle
  • Manage the availability of the app bundle
  • Delete App bundle
  • App bundle Groups

In the context of the app, if the App itself is restricted or unpublished - it will result in the App Bundle being restricted or unpublished. App bundles follow the same permission structures as Apps. An App can be more open, for instance, Available to Everyone but the App Bundle could be restricted. From the restricted state, you must scope the App Bundle to the specific groups.

App Bundle Metadata

MISSING

Security Configuration

The App Bundle security configuration is inherited from the parent App. These configuration settings can be customized based on the specific App Bundle.

Tapping the Security Configuration button will prompt the editor for the Security Configuration. By default, the prompt will show that the App Bundle is inheriting from the parent app. This can be overridden by tapping the Customize button.

Once tapped it will provide all the configuration settings available for the root App Security Configuration.

This can be undone by tapping the Revert to App Security Configuration button.

Any changes made must be saved by tapping Save in the top right hand corner of the screen.

App Bundle Published State

App Bundle Published State indicates if the app bundle is available for use. App bundles can be in two states:

  • Unpublished (Default for new app bundles) - meaning the app bundle is unavailable
  • Published - meaning the app bundle can be used

To change the App Bundle Published State, tap Published: App Bundle Published/Published: App Bundle Unpublished

App Bundle Availability State (Grid to show which groups)

App Bundle Availability State indicates who the app is available to. App bundles can be in one of two Availability states:

  • Restricted - (Default for new app bundles) meaning only groups can be assigned the app bundle to use
  • Everyone - everyone with access to Rebar app bundles can access the app bundle

To change the App Bundle Availability State, tap Availability: Restricted/Availability: Everyone

When availability is set to Restricted the Group Access for App grid at the bottom of the screen will become available. This will indicate which groups have been granted access to the app. To add an app to a group, navigate to the group and select the app as having access.

Auto Register Versions

By default, the Rebar Hub automatically registers new versions of app bundles within the Hub. This can be enabled or disabled via the Modify App Bundle page.

Tap the Auto Register Versions to have the prompt to change the setting. Once the prompt is available - confirm the change. MISSING

Manage App Config

For iOS mobile apps, MISSING - list keys

JSON Based - Export for MDM Save Cancel

Delete Bundle

Deleting an app bundle will delete the bundle and all associated metadata. This cannot be undone.

To delete the app bundle, tap the Delete App Bundle button. This will prompt the confirmation modal.

If you wish to delete the app bundle, follow the on screen prompt and confirm the delete.

Push (iOS/Android)

The Rebar Hub can automatically integrate push notification services by leveraging Amazon Web Services Simple Notification Service. This integration is automatic to the Rebar Hub when deployed into AWS. Each app bundle must have its own Push configuration settings.

iOS Push Configuration

iOS requires the push notification SSL certificate to be uploaded to the portal. This is obtained through the Apple Developer Portal. Once created, export it from the Apple Keychain where the certificate was generated.

  1. Tap Configure and the iOS Push Notification screen will be presented
  2. Select the P12 file that contains the certificate and private key. The Rebar Hub will reject the certificate if it is invalid
  3. Enter the P12 passcode in the Password field
  4. Select the environment this is being deployed in for APNS
  5. Tap Save and the push configuration will be updated.

After tapping Save, the Rebar Hub will automatically configure the AWS SNS configuration to send out messages to app users. There is no configuration that needs to occur other than that.

Android Push Configuration

The Rebar Hub leverages Google’s Firebase push notification service. After obtaining your API key, you can tap the Configure button in the Push Notification section in the App Bundle modify screen. To configure the push notification services for Android:

  1. Tap Configure and the Android Push Notification screen will be presented
  2. Enter the API Key obtained from Firebase
  3. Enter the bundle identifier (this is repopulated)
  4. Tap Save and the push configuration will be updated.

After tapping Save, the Rebar Hub will automatically configure the AWS SNS configuration to send out messages to app users. There is no configuration that needs to occur other than that.

Add Bundle Version

App Name/OS Modify

Modify gives you:

  • Active - Available to everyone
  • Inactive - Disabled for everyone (Will cause logoffs)
  • Nag Upgrade - Prompts user to upgrade to newer version
  • Force Upgrade - Forces user to upgrade to newer version

Tap Save Changes for the status of the bundle version to be updated MISSING

Key Value Pair Access

The Rebar Hub allows for the Settings Configuration of each app to deploy a set of key/value pairs that can be obtained via the Rebar SDK.

These values can quickly be obtained once set in the app via the methods:

iOS:

let myKeyedValue = RebarAppController.default.configuration.getString(withKey: "sample.key")

Android:

val myKeyedValue = AppController.instance.config!!.getString("sample.key")