On Tuesday 21st July we presented the latest SAP Customer Data Cloud Webinar named "Mobile SDKs - Android and iOS | Go Digital the Right Way (Part 1)". The presenters of the session were:
Daniëlle Loppé – Senior Product Marketing Manager, SAP Customer Data Cloud
Alejandro Perez – Technical Architect, SAP Customer Data Cloud
Ian Hametz – Identity Product Lead, SAP Customer Data Cloud
In this webinar, I demonstrated how to use SAP Customer Data Cloud to set up your mobile applications, use the latest biometrics for easy and fast login, and increase your mobile applications' security by incorporating two-factor authentication with push notifications. The end result: more seamless, personalized experiences and stronger, more trusted customer relationships.
In this blog post, I will describe some of the best practices when implementing these Mobile SDK features into your mobile applications.
Mobile SDKs considerations
When viable, I suggest you integrate SAP Customer Data Cloud into your mobile applications using the Android and iOS Mobile SDKs. These SDKs provide access to SAP Customer Data Cloud's core API while supporting features such as session management, screen-sets, social login, biometric authentication and two-factor authentication. Here's why I believe these Mobile SDKs are a great way to go:
The Mobile SDKs include ready-to-use business APIs for registration, login, and all the supported profile management flows.
Mobile SDK features are currently used by thousands of users in production (sports, media, automotive and others).
Session management is performed by the Mobile SDK. Your development teams do not need to implement a custom keychain-like storage mechanism for managing tokens and refresh tokens.
Implementing social login in a mobile application is possible with minimal effort. The SDKs include wrappers for the native SDKs of the most popular social providers (e.g. Google, Facebook, LINE, WeChat). Furthermore, your mobile application requires only minor effort to incorporate changes that social providers make to their authentication flows, now or in the future. I've illustrated this consideration in the following diagram:
Sample architecture with mobile application using SAP Customer Data Cloud Mobile SDK
As you can see from the diagram above, your mobile application does not need to interact directly with the social provider's SDK, but instead with the SAP Customer Data Cloud Mobile SDK. I found this to be one of the greatest advantages, as it considerably reduces the development effort required to add social login to a mobile app.
For instance, imagine that your iOS mobile application implements Facebook social login. Since April 2020, Apple's guidelines require Apple ID to be offered as an alternative social login mechanism.
Instead of learning from scratch how to use the Apple ID APIs, with the SAP Customer Data Cloud Mobile SDKs you can simply pass "apple" as the providerID when initiating a social login, and the SDK will do the rest.
This is my number one security recommendation: never store a secret key in the source code of your mobile application! A mobile application that interacts with SAP Customer Data Cloud is considered a client-side application, or public client. Therefore, you should never store secret keys in the source code of a mobile application: a malicious user with basic technical knowledge could decompile the app and retrieve sensitive information. Secret keys (partner secret, user/app secret) should only be used in server-to-server calls and should never be passed to the client-side application.
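A practical way to enforce this recommendation is to make the build fail when a secret-looking literal shows up in the app's sources. The scanner below is an added example written for this post (it is not SAP code and not part of the Mobile SDKs): it walks a constructed sample tree of Kotlin, Swift and JSON files, flags string literals assigned to identifiers that contain "secret" or "private key", and skips template placeholders and dictionary-like words. The identifier patterns, the file suffixes and the entropy threshold are assumptions chosen for illustration; the sample file contents and key values are made up.

```python
"""Hard-coded secret scanner for mobile app sources (added example, not SAP code).

Scans Kotlin/Java/Swift/Objective-C/JSON sources for string literals assigned to
identifiers that look like server-side credentials, so that a CI job can fail the
build before such a key ships inside the app. Name patterns are assumptions.
"""
import math
import re
from collections import Counter

# Identifiers containing these fragments are treated as server-side credentials.
# (An "API key", by contrast, is a public client identifier and is expected in the app.)
SECRET_NAME_RE = re.compile(
    r"""(?P<name>\w*(secret|private_?key)\w*)["']?\s*[:=]\s*["'](?P<value>[^"']+)["']""",
    re.IGNORECASE,
)

# Obvious placeholders that a template or sample config legitimately contains.
PLACEHOLDER_RE = re.compile(r"^(<.*>|\$\{.*\}|your[_-].*|replace[_-]?me|todo|x{3,})$", re.IGNORECASE)

SCANNED_SUFFIXES = (".kt", ".java", ".swift", ".m", ".json")


def shannon_entropy(s: str) -> float:
    """Bits per character of the literal; random credentials score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_source(path: str, text: str, min_entropy: float = 3.0) -> list:
    """Return (path, line_no, identifier) for each suspicious hard-coded literal in one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SECRET_NAME_RE.finditer(line):
            value = m.group("value")
            if PLACEHOLDER_RE.match(value):
                continue  # template placeholder, not a credential
            if shannon_entropy(value) < min_entropy:
                continue  # dictionary-like value such as "changeme"; reduces noise
            findings.append((path, line_no, m.group("name")))
    return findings


def scan_tree(files: dict) -> list:
    """files maps a relative path to its contents; only app source/config files are scanned."""
    results = []
    for path, text in files.items():
        if path.endswith(SCANNED_SUFFIXES):
            results.extend(scan_source(path, text))
    return sorted(results)


# Constructed sample tree; the key values are made up for the example.
SAMPLE_FILES = {
    "app/src/main/java/com/example/AppConfig.kt":
        "object AppConfig {\n"
        '    const val API_KEY = "3_constructedPublicApiKey"  // public identifier: acceptable\n'
        '    const val PARTNER_SECRET = "q7Vb2ZpL9sX4mN8rT1wY"  // server credential: must not ship\n'
        "}\n",
    "ios/Auth.swift":
        'let apiKey = "3_constructedPublicApiKey"\n'
        'let appSecret = "<APP_SECRET>"   // placeholder in a template file\n'
        'let userSecret = "changeme"      // low-entropy word, skipped by the entropy filter\n',
    "ios/Config.json":
        "{\n"
        '  "apiKey": "3_constructedPublicApiKey",\n'
        '  "clientSecret": "Wq8nL2xZ4vC7bM1kP3sR"\n'
        "}\n",
}


def main() -> int:
    """Exit non-zero when anything is found, which is what a pre-commit hook or CI step wants."""
    findings = scan_tree(SAMPLE_FILES)
    for path, line_no, name in findings:
        print(f"{path}:{line_no}: hard-coded secret in `{name}`")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run against the sample tree, the scanner reports the Kotlin partner secret and the JSON client secret and exits with status 1, while the public API key, the template placeholder and the low-entropy word pass. The entropy filter trades a few false negatives (a weak, word-like secret would slip through) for far fewer false positives; in a real pipeline, point scan_tree at the checked-out sources and keep the secret on the server side, where the server-to-server calls actually need it.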
Nowadays, fingerprint authentication is one of the features that many of our customers are looking into implementing. Biometric authentication enables a much higher level of security in mobile applications by using biometric identification to verify that the user is, in fact, the device owner. When this feature is enabled in the SAP Customer Data Cloud iOS and Android SDKs, sessions are encrypted with a biometric key. The biometric identification is usually either face or fingerprint recognition.
Here's an example of how a user confirms opt-in for biometric authentication on their account:
Biometrics authentication opt-in dialog
It is important to remember that biometric authentication does not replace SAP Customer Data Cloud's traditional authentication mechanisms (login ID + password, social login or enterprise federation). The biometric authentication feature adds an encryption layer on top of an existing session of the mobile application; therefore, calling any biometric operation requires a valid session.
Biometric authentication, just like other security measures, has an impact on the user experience and might not be the best option for all types of mobile applications. Apps that contain sensitive data, such as finance and banking apps or apps that perform money transactions, require a higher degree of security. For such high-risk apps, integrating biometric authentication is more favorable.
For such data-sensitive apps, I suggest you prompt for face or fingerprint authentication every time your users need to access the app or perform specific operations within it.
Two-factor authentication and Push notification
I'm sure you are already familiar with the concept of "Two-Factor Authentication". For example, if your bank sends you an SMS code in order to confirm that it is really you, then you are already using TFA.
In SAP Customer Data Cloud, two-factor authentication is offered as part of the Risk-Based Authentication feature. When TFA is enabled for a user's account, the user must enter a code received on their phone or by email in order to log in to the mobile application.
A recent improvement to TFA support in SAP Customer Data Cloud is the ability to send a push notification to the mobile application that the user needs to approve. For instance, as I demonstrated in the webinar, after a user opts in for push notification TFA in the mobile app, when the user later tries to log in from another device (e.g. a desktop), they receive a push notification on their mobile phone and can complete the login only after approving the notification.
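To make the control flow of that scenario concrete, here is an added example of a push-approval second factor written for this post. It is a simplified model, not SAP Customer Data Cloud's implementation: the class and method names, the per-device key handed out at opt-in, the HMAC-based approval message and the 60-second timeout are all assumptions made here. What it shows is the part that matters from a security standpoint: the desktop login stays blocked until the enrolled phone approves, an unenrolled device or a wrong approval message is rejected, an approved challenge can be used only once, and a push that the user ignores expires rather than staying approvable forever.

```python
"""Model of a push-approval second factor (added example, not SAP's implementation).

Mirrors the flow described in the post: a primary login from one device (e.g. a
desktop) cannot complete until the enrolled phone approves a push. Class and
method names, the HMAC-based approval and the timeout are assumptions made here.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingLogin:
    account: str
    origin: str        # where the primary login came from, shown in the approval dialog
    created_at: float
    approved: bool = False


class PushTfaServer:
    """Keeps enrolled devices and pending logins; a login completes only once approved."""

    def __init__(self, ttl_seconds: float = 60.0, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self.devices: dict[str, dict[str, bytes]] = {}  # account -> {device_id: device key}
        self.pending: dict[str, PendingLogin] = {}
        self.outbox: list[tuple[str, str, str]] = []   # (device_id, challenge, origin) pushes

    def enroll_device(self, account: str, device_id: str) -> bytes:
        """Opt-in from the app: register the device and hand it a per-device key."""
        key = secrets.token_bytes(32)
        self.devices.setdefault(account, {})[device_id] = key
        return key

    def begin_login(self, account: str, origin: str) -> str:
        """Called after the primary factor succeeded; fans out a push to every enrolled device."""
        challenge = secrets.token_urlsafe(16)
        self.pending[challenge] = PendingLogin(account, origin, self.clock())
        for device_id in self.devices.get(account, {}):
            self.outbox.append((device_id, challenge, origin))
        return challenge

    def _live(self, challenge: str):
        """Return the pending login, dropping it if it has expired."""
        p = self.pending.get(challenge)
        if p is not None and self.clock() - p.created_at > self.ttl:
            del self.pending[challenge]
            return None
        return p

    def approve(self, device_id: str, challenge: str, mac: bytes) -> bool:
        """The app answers the push with an HMAC of the challenge under its device key."""
        p = self._live(challenge)
        if p is None:
            return False
        key = self.devices.get(p.account, {}).get(device_id)
        if key is None:
            return False  # device not enrolled for this account
        expected = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return False
        p.approved = True
        return True

    def complete_login(self, challenge: str) -> bool:
        """Polled by the origin; succeeds exactly once, only after approval and before expiry."""
        p = self._live(challenge)
        if p is None or not p.approved:
            return False
        del self.pending[challenge]  # single use: the same challenge cannot be replayed
        return True


def device_answer(key: bytes, challenge: str) -> bytes:
    """What the mobile app computes when the user taps Approve."""
    return hmac.new(key, challenge.encode(), hashlib.sha256).digest()


def demo() -> dict:
    """Walk the webinar scenario under a fake clock and report each step's outcome."""
    now = [1000.0]
    srv = PushTfaServer(ttl_seconds=60, clock=lambda: now[0])
    phone_key = srv.enroll_device("alice", "alice-phone")

    ch = srv.begin_login("alice", "desktop-browser")
    out = {
        "before": srv.complete_login(ch),                                  # not approved yet
        "stranger": srv.approve("other-phone", ch, device_answer(b"x" * 32, ch)),
        "bad_mac": srv.approve("alice-phone", ch, b"\x00" * 32),
        "approved": srv.approve("alice-phone", ch, device_answer(phone_key, ch)),
    }
    out["after"] = srv.complete_login(ch)
    out["replay"] = srv.complete_login(ch)

    ch2 = srv.begin_login("alice", "desktop-browser")
    now[0] += 120                                                          # push ignored for two minutes
    out["late_approve"] = srv.approve("alice-phone", ch2, device_answer(phone_key, ch2))
    out["expired"] = srv.complete_login(ch2)
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:>12}: {result}")
```

The origin of the login attempt travels with the push so the approval dialog can show the user where the request came from, which is what lets them refuse a login they did not start. The device key never leaves the phone's secure storage in this model; only an HMAC over the server-issued challenge is sent back, so a captured approval message is useless for any other challenge.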
The push notification (TFA) dialog displayed to the user in your mobile app will look like this:
TFA Push Notification dialog
In my opinion, this is a great alternative for organisations that would like to increase the security of their solution but do not want to depend on SMS or third-party authenticator apps like Google Authenticator or Microsoft Authenticator.
This brings my blog post on the SAP Customer Data Cloud Mobile SDK features and best practices to an end. To learn more about Customer Data Cloud, please sign up for our next webinar on the 20th of August.
Since this is an educational webinar series, no personal information is required to register; only a valid email address. So whether you are a customer, partner, employee, or member of the community at large, please join my team for the next Mobile SDKs webinar series session to learn more about how to implement Identity, Consent, and Profile in an easy way in your mobile applications.