IBM Worklight Overview


[Figure: Mobile apps go much deeper than the front-end user interface. 30% of the value and effort is visible (front-end, mobile UI); 70% of the value and effort lies under the surface (back-end), including security, user engagement and operations.]
IBM Software
WebSphere
Technical White Paper
An overview of IBM Worklight Foundation V6.2
Build, test, integrate, deploy and manage native, hybrid and web
mobile applications
Contents
- The IBM Worklight platform
- Accelerating development
- Optimizing user engagement
- Securing your mobile channel at the user, application and device
  levels
- Managing your mobile ecosystem
The IBM Worklight platform
The IBM Worklight platform is standards-based mobile middleware,
categorized as a Mobile Enterprise Application Platform (MEAP) and
Mobile Application Development Platform (MADP). The core value-add
of IBM Worklight Foundation is connectivity to, and extension of,
existing back-end systems, also known as Systems of Record (SoR),
with development, user engagement, security and management
capabilities.
With the Worklight platform, people at organizations can more
effectively address the full lifecycle of mobile app development,
delivery and on-going management.
The IBM Worklight platform consists of three distinct offerings:
- IBM Worklight Foundation to build, test, integrate, deploy, manage
  and better secure web, hybrid and native applications for desktop
  and mobile from standards-based technologies and tools
- IBM Worklight App Scanning to detect code vulnerabilities earlier
  during development
- IBM Worklight Quality Assurance to capture feedback from users and
  testers with sentiment analysis and frictionless bug reporting
[Figure: The mobile application lifecycle (integrated DevOps for mobile): design, develop, instrument, integrate, test, scan and certify, deploy, manage, obtain insight.]
[Figure: IBM Worklight Platform overview. Foundation: development, run time, operations, console and private store. Application Scanning: detect code vulnerabilities at the time of development. Quality Assurance: collect beta test feedback and crashes, and analyze user sentiment.]
Accelerating development
With Worklight Foundation, you can support a wide range of
development approaches, from native to hybrid to web. You can
therefore evaluate the best approach for each situation, according
to skills, time and functionality, without being limited by a
specific approach to mobile application development.
The IBM Worklight Studio is the Worklight Eclipse-based integrated
development environment (IDE) that helps developers to conduct
virtually all the coding and integration tasks required to develop
rich and engaging applications. The Worklight Studio is designed to
augment the familiar Eclipse tools with a wide variety of
enterprise-grade features delivered as plug-ins to streamline
application development, debugging and testing and to facilitate
enterprise connectivity.
Furthermore, with the Worklight command line interface (CLI)
tooling, developers can use their tools of choice, whether that is
Xcode, Android Studio, Xamarin, Worklight Studio, or any other
development tool they want to use.
Pure native development
With the pure native development approach, you can create
applications that fully use the device capabilities without any
compromise on performance and user experience. Such applications
are written for a specific platform environment, such as
Objective-C for iOS, Java for Android or Java ME, or C# for
Microsoft Windows Phone 8, and use Worklight capabilities through
its provided native APIs.
[Figure: Mobile application development approaches. The web-native continuum runs from pure web (mobile website, browser access) through hybrid (native shell enclosing an external m.site; pre-packaged HTML5 resources; HTML5 + native UI; mostly native with some HTML5 screens) to pure native.]
Capability | Objective-C for iOS | Java for Android | C# for Windows Phone 8
Integration with back-end systems through adapters
Worklight Authentication Framework
Development Functional testing
Application version enforcement
Unified push and SMS notifications
Location Services -
On-Device Encrypted JSON Store -
Log collection for analytics -
Remote-controlled client-side log collection -
Native-device SDK integration
The Worklight Studio is also designed to integrate with
the software development kits (SDKs) of the mobile devices
that Worklight supports including Android, iOS, Microsoft
Windows 8, Microsoft Windows Phone and Blackberry.
With this integration, developers can take full advantage of
the native code capabilities, development tools, testing and
debugging mechanisms that are native to the mobile SDKs,
without leaving the development environment.
Automated mobile functional testing
To accelerate delivery cycles of mobile applications, you require
fast and effective test cycles. Worklight software includes
integrated automated functional testing. This testing is available
for Android and iOS native, hybrid and web applications.
Created for developers and testers, this capability is designed
to automate functional testing of apps that are developed with
Worklight. First, developers or testers record a sequence of
actions on a mobile device, emulator or simulator using an
instrumented recording-ready application to generate a test
script. Next, developers or testers edit and enhance the script
using natural-language syntax to add verification points and
other instructions. You can run the enhanced test script on
demand on a real device, simulator or emulator. You can
view and share the results using a generated HTML report.
Organizational teams can test Worklight apps more rapidly
and methodically at a reduced cost because of automated
functionality testing. As a result, you can enable higher-quality
mobile apps.
Centralized build
The IBM Worklight Builder is a stand-alone application
that can be more easily integrated with common central build
services, such as IBM Rational Jazz Builder, Hudson and
Luntbuild. Using the centralized build functionality, the
different teams involved in the development, testing and
quality assurance (QA) phases can work off of one common
version of the code without complex installation of dedicated
mobile environments locally. Therefore, teams can more
effectively enhance the collaboration and automation of the
internal application development process.
Hybrid development
Facing the constantly evolving, fragmented ecosystem of mobile
devices and operating systems, application development has become a
costly yet unavoidable endeavor. This challenge has led to the
creation of a rapidly growing market for cross-platform mobile
development solutions.
Most solutions in the market today rely on limiting proprietary
tools that deliver a lowest common denominator, based on code
cross-compilation or interpretation, "what you see is what you get"
(WYSIWYG) tools or prepackaged apps, and result in an unavoidable
tradeoff between user experience and multiplatform coverage.
With the Worklight hybrid development approach, applications can
have any mix of standard native and web code, even in the same UI
views. Hybrid applications execute inside a native container and use
the browser engine to display the HTML5/JavaScript and CSS part of
the application interfaces and business logic. The native container,
based on Apache Cordova, also known as PhoneGap, grants the
application access to device capabilities that are not accessible to
standard web applications, such as the accelerometer, camera and
device local storage. Hybrid applications can be distributed through
public or private cross-platform application stores and developed
using either the provided Worklight Studio CLI or IDE tools. For
example, the Mobile Browser Simulator enables advanced debugging
earlier in the development cycle, with side-by-side preview of
multiple form factors and simulation of the Apache Cordova APIs.
Because developers are not dependent on an intermediary
build-time or run time layer, such as a cross-compiler or
interpreter, native APIs are accessible upon release of new
mobile operating system (OS) versions or third-party libraries.
Furthermore, the application's web code is executed directly by
the mobile browser, so developers have direct access to the
HTML Document Object Model (DOM) and are free to use
any JavaScript API or third-party JavaScript toolkits and
frameworks.
Worklight hybrid applications support several mixes of native and
web code, including:
- Native and web code mix. With Worklight, you can mix virtually any
  set of native code with web code, across different screens or
  within the same screen or application logic. Benefits include full
  use of native capabilities and an optimized balance between code
  reuse and performance for user experience where needed.
- Pre-packaged HTML5 resources. Unlike the following approach, the
  web resources are not loaded from an external website at run time
  but are packaged within the application itself, enabling improved
  application responsiveness and offline operation. In addition, you
  can enable greater reuse across delivery channels with the
  combined use of responsive design and Worklight skins.
- Native shell application enclosing an external mobile website.
  With this approach, your mobile website is displayed inside the
  provided native shell instead of the device browser, giving the
  application access to native device functionality through
  JavaScript APIs. The drawback of this approach is a downgraded
  user experience, with subpar response time and offline modes.
Support for HTML5
Worklight software uses a standards-based approach, enabling
developers to write or import circumventing the debugging and
maintenance limitations of proprietary interpreters or code
translators.
You can benefit from capabilities that include:
- Cleaner, more readable and consistent HTML code
- Access to rich media types, including audio and video, that are
  usually available only by way of native code
- Use of advanced UI components, such as data pickers, sliders and
  edit boxes that automatically support ellipsis, and others,
  implemented natively by the browser
- Use of Cascading Style Sheets 3 (CSS3) styles and CSS3-based
  animation to reduce application size and to improve application
  responsiveness
- Application distribution channels that go beyond the different
  application stores and their time-consuming and limiting
  restrictions
- Support for location services
- Offline storage capabilities
Support for third-party JavaScript toolkits and UI frameworks
In addition to its support for HTML5, Worklight software provides
integration with the growing ecosystem of UI frameworks, such as
Angular or jQuery Mobile. Developers can pick the JavaScript UI
framework of their choice and use it to develop their application
within the Worklight Studio.
Rich Page Editor (RPE)
Furthermore, the Worklight Studio ships with a WYSIWYG
drag-and-drop for UI design and development. With these
editing capabilities, developers can create pure HTML or
HTML and JavaScript files by dragging HTML5, jQuery
and Dojo mobile components from a built-in palette to the
HTML canvas. Developers can use property sheets to control
HTML and CSS properties. At the same time, with these
editing capabilities, developers can enable direct editing of
HTML and CSS files, updating the graphical canvas to
visualize almost immediately the impact of their changes.
These editing capabilities are integrated with the Worklight
optimization framework, making it possible for developers
to view a specific application environment or to view a
specific skin.
Screen templates
To deliver an outstanding mobile UI experience, conformance
to continuously evolving mobile patterns of behavior that are
specific to each OS family is required. Worklight software
includes screen templates that automate the creation of mobile
screens. The design of these screen templates is based on
industry-proven methods.
Developers can choose from templates in four categories:
- Lists
- Authentication
- Navigation and search
- Configuration
Each screen template can be previewed live, used as is, or
further refined using any combination of web and native
technologies.
IBM Worklight Application Framework
Worklight Application Framework is designed to help you quickly
create data-driven hybrid applications that interact with back-end
services. Your whole application is configured from a single
editor, the Worklight Application Framework editor.
An application is defined using the following artifacts or
building blocks:
- Services. In the context of Worklight Application Framework, a
  service is a remote information source from which you can retrieve
  data when you invoke the service. Worklight Application Framework
  is designed to support SOAP-based web services or services from
  the SAP NetWeaver Gateway.
- Data Objects. The data that you access from a specified service is
  represented as local data objects. You can choose to execute
  various operations, such as create, retrieve, update, delete, or
  query, on data objects. Operations are connection types that are
  used to model the relation between a data object and a service.
  For example, you can choose to retrieve or update data from a
  service.
- Views. Views are the representations of your application UI in the
  Worklight Application Framework editor, and they define how the
  data in your application is presented to the user. For example, a
  view can be a screen that displays the contact details of a
  customer. Data objects contain key attributes that are used within
  the UI of your application. You can configure the different views
  in which these attributes are displayed.
Optimization framework
Unlike alternative approaches, the Worklight optimization framework
enables developers to share the majority of the application code
across multiple environments, without compromising platform-specific
user experience or application functionality. Developers can share
the common application code among multiple environments, while
isolating environment-specific code in designated code branches that
can overwrite or augment the commonly shared code. As a result,
application logic remains consistent among the different
environments, while the UI behaves natively and adheres to user
expectations and the differentiated functionality and design
guidelines of the device. Therefore, developers can strike the
desired balance between development efficiency, application
functionality and user experience. The web portion of a hybrid
application's code can be updated with the IBM Worklight Direct
Update mechanism.
Run time skins
Further optimization of hybrid apps is possible by using run time
skins. These skins are packaged with the application's executable
files and are applied to the mobile app during run time. With this
capability, combined with responsive design techniques, you can more
easily adjust the application's appearance and behavior
automatically to different devices from the same OS family and
better manage application code complexity.
Common scenarios that benefit from run time skins include:
- Different screen sizes and screen densities
- Different input methods
- Different support levels for HTML5


The shell approach
When teams with varying degrees of expertise work on common mobile
projects, the Worklight shell approach can help separate concerns
among them. An external shell is a customizable container that
provides JavaScript access to the native capabilities of the
device. A dedicated expert team works on the branding, security
configurations, audits and authentication frameworks of one or
multiple shells. Using such a shell structure forces the hybrid
inner applications to comply automatically with its built-in
policies, such as data access restrictions, use of certain APIs and
different branding.
With the corporate policies enforced by the shell, the inner
applications can be more easily built by departmental development
teams using well-known web technologies. Such teams are only
required to focus on the user interface and business logic.
Desktop and mobile website development
In this model, the application executes in the device's browser,
can be made platform independent and requires no installation,
with simple access through a URL or bookmark. The downside is
support for connected mode only, a subpar user experience with
potentially slow response time, and no access to device functions
such as the camera or contact list.
Aspects of each development approach
With Worklight, you can select the most appropriate development
approach fitting your application context and objectives.
Selecting the best development approach must be the first step
of your application project.
The major aspects of the supported development approaches to help you decide which one best fits your needs include the following:
Comparison of mobile development approaches
| Aspect | Mobile website development | Native shell, external mobile website | Prepackaged HTML5 resources | Mixing web and native in code and UI | Pure native development |
|---|---|---|---|---|---|
| Easy to learn | Easiest | Easiest | Medium | Harder | Hardest |
| Application performance | Slowest | Moderate | Good | Fastest | Fastest |
| Device knowledge required | None | Some | Some | Some | A lot |
| Development lifecycle (build, test, deploy) | Shortest | Shortest | Medium | Medium | Longest |
| Application portability to other platforms | Highest | High | High | Medium | None |
| Support for native device functionality | Some | Most | Most | All | All |
| Distribution with built-in mechanisms | No | No | Yes | Yes | Yes |
| Ability to write extensions to device capabilities | No | No | Yes | Yes | Yes |
Optimizing user engagement
Users value apps that help them complete tasks such as ordering
takeout, hailing a taxi, or making a restaurant reservation. To
deliver this type of transaction, you require mobile application
integration with existing back-end services and data.
Standardized back-end access with adapters
Worklight brokers back-end connectivity for mobile apps over HTTP,
JMS and SQL, and you can further optimize connectivity by using IBM
Integration Bus or IBM Cast Iron. The Worklight adapter architecture
is designed to decouple integration logic, which is hosted server
side, from the mobile application logic. As a result, with this IBM
architecture, you can manage the distinct evolution timelines of
back-end services and mobile apps.
Moreover, mobile apps often have to connect to services that were
built long before mobile was in existence, which poses challenges in
both data delivery and service security for the mobile channel.
Worklight is designed to deliver ready-to-use data transformation
to the JSON format to optimize payload size and response time for
mobile applications. For instance, adapters can easily filter out
unneeded parts of large payloads from legacy services targeted at
the traditional web channel. Further, adapters can enable
server-side service composition to reduce the number of requests and
so optimize application response time over slow mobile networks.
In terms of integration security, Worklight provides mobile-
specific and fine-grained security controls that can be wrapped
around legacy services. In addition, Worklight acts as a strong
control point, enabling overview and management of mobile
activities. It also includes built-in analytics for user actions and
device and application properties with possible extension to
monitor and act upon unusual usage patterns that might result
from fraudulent repackaged apps.
Integration is the driver for the level of interaction many users
expect from their mobile apps and the Worklight platform
provides a robust set of integration capabilities. With these
features, you can use existing enterprise investment, optimize
data delivery to sustain user interactions over unstable mobile
networks and help reduce development cost by providing
zero-code integration paths. In addition, you can improve
organizational insight into user experience through analytics.
Automated services discovery for SOAP and SAP
[Figure: SOAP automated services discovery adapter generation]
With Worklight, you can further expedite the creation of
mobile apps that invoke SAP NetWeaver Gateway and SOAP-
based web services described by Web Services Description
Language (WSDL). With the Worklight services discovery
wizard, developers can specify the back-end services invoked
from the mobile app, generate application specific adapters for
web, hybrid, or native app with near-zero coding. Further,
developers can place them in the proper mobile app project
folder.
Unified push notification and SMS
There are many differentiating characteristics of mobile apps, but
perhaps none more so than the notion of anywhere, anytime
engagement. Worklight provides a unified API to send push
notifications and SMS from the server to mobile apps, helping
developers to more easily manage mobile platform fragmentation. In
addition, they can develop a single set of logic to send push
notifications across their target platforms.
[Figure: Unified Push Notifications. Components shown: back-end systems; polling and message-based adapters; the unified push API; notification state and user/device databases; iOS, Android, Windows Phone and SMS dispatchers; Apple push servers (APN), Google push servers (GCM), Microsoft push servers and SMS/MMS brokers (optional 2-way SMS); Worklight client-side push services on each platform; administrative console with notification statistics and SMS subscription control.]
Location services
If push notifications deliver the means for engagement, location
services deliver the ability to engage in context. Worklight is
designed to help engage users based on their location by providing
end-to-end services for detecting, transmitting and consuming
location-based events in back-end business processes, decision
management systems and analytics systems.
Traditional approaches constantly poll the device GPS or
triangulate, and then send the resulting position to the back-end
systems for decision-making. Worklight instead delivers a location
services framework that helps optimize development time, battery
and network usage.
[Figure: Worklight geo-services architecture. Device side: application code, device location API, Worklight device run time (set acquisition policy and triggers, trigger callbacks, transmit events and device context). Server side: adapter code, server location API, Worklight server run time (set event handlers, get device context, set app context, event callbacks). Analytics and reporting: log activities and events with device and app contexts.]
[Figure: Worklight USSD architecture overview. The mobile user dials a USSD short code, e.g. *123#. The telco forwards this to a USSD gateway. The gateway maps the short code to a known URL provided by the enterprise and creates the USSD session (HTTP/S to Worklight). Worklight responds to the gateway request with the USSD menu options (configurable). An adapter connects Worklight to the enterprise back end.]
IBM Worklight Foundation location services provide both client-side
and server-side services that deliver:
- Definition of points of interest and geo-fences, and more
  efficient, policy-based controlled acquisition of GPS,
  triangulation and Wi-Fi coordinates to save battery, whether the
  application is executing in the background or foreground
- Event generation for triggering actions based on location changes,
  such as crossing a geo-fence, and server-side logic to enable
  meaningful reaction to important geo events
- Storage of geo-coordinates while offline
- More efficient communication with back-end systems, with batch
  sends to optimize network use
- A unified server-side API that enables developers to consume
  location events on the server and take action, facilitating the
  integration of enterprise systems into patterns of intelligent
  user engagement
The benefits of Worklight location services to the organization are
twofold. First, developers do not have to worry about efficient
location data collection and transmission for the client, as they
can use Worklight services. Second, developers can build one set of
location-enriched engagement logic on the server and apply that
logic to their mobile apps across platforms. The platform's
location services help people at organizations efficiently
understand where app users are and, more importantly, execute
business logic based on this contextual understanding.
Unstructured Supplementary Service Data (USSD)
Unstructured Supplementary Service Data provides a
cost-effective alternative to mobile apps in emerging markets
where feature phones are still fairly common and data networks
unreliable.
USSD is a protocol used by GSM cellular telephones to send
text messages between a mobile phone and an application
program in the network. USSD establishes a real-time session
between the mobile phone and the application that handles
the service.
Worklight is able to:
- Accept incoming requests from a USSD gateway and map the USSD
  short codes, such as a user entering *123#, to the corresponding
  Worklight adapters
- Construct and respond with USSD menu options
- Invoke corresponding back-end services through Worklight adapters
The IBM Worklight Application Center cross-platform private app store
The Worklight Application Center enables teams to set up an
enterprise cross-platform private application store to help govern
the distribution and management of pre-release and production-ready
mobile applications. This Worklight private app store can manage
Worklight and non-Worklight-based applications, including apps from
public app stores.
Administrators can make the most of existing authentication
frameworks, including ACL and LDAP, to manage app distribution by
department, job function, geography and other schema. Employees who
access the Worklight Application Center from their mobile devices
will only see the mobile apps that they are allowed to download and
can rate apps and provide feedback to help future enhancements.
For development teams, the Worklight Application Center
provides a more convenient way to distribute pre-release
software to developers and testers. Feedback can be organized
by device and by version to quickly isolate and resolve defects,
whether those defects are device-specific or version-specific.
The Worklight Application Center is designed to also integrate
with software-build processes to automate the distribution of
the latest releases to project teams, helping to accelerate the
develop-test-debug cycle.
The Worklight Application Center provides:
- Administrators with improved governance over the distribution of
  mobile apps throughout the enterprise, including apps hosted on
  public app stores
- Employees with easier access to the latest apps that are needed by
  their departments or job function and that are optimized for
  their device
- Developers with an easier way to distribute mobile builds and to
  elicit feedback from members of development and test teams
The Worklight Application Center is designed to manage native or
hybrid applications for the Google Android platform, the Apple iOS
platform, the Microsoft Windows Phone 8 platform and the BlackBerry
OS 6 and OS 7 platform.
Securing your mobile channel at the user,
application and device levels
Security is a clear priority for executives at organizations
embarking on mobile implementations but it proves to be
challenging. Up to 53 percent of enterprises report that they
struggle to implement effective end-to-end mobile security
measures.[1]
A key characteristic of the Worklight security framework is its
delegation to the existing security infrastructure to foster reuse
and security standardization across delivery channels. IBM Worklight
Server is designed to integrate more seamlessly as a presentation
tier into the existing enterprise infrastructure while supporting
custom extensions to integrate with virtually any security
mechanism. The IBM Worklight Foundation security framework provides
a wire protocol that enables the combination of challenges and
responses of multiple security checks during a single
request-and-response round trip. With this IBM security framework,
the number of client and server round trips can be reduced and the
application logic can be separated from the implementation of the
security checks.
Worklight facilitates stronger implementation of security measures
at the user, data, application and device levels:
- Worklight provides an open user authentication framework to help
  you integrate your mobile apps with existing enterprise or
  third-party security systems. Worklight enables both basic
  authentication approaches, such as username and password
  authentication, and more complex schemes, such as
  certificate-based authentication and multifactor authentication
  protocols with one-time passcodes, step-up authentication
  procedures and more. A typical example of multifactor
  authentication is the combination of device, application and user
  authentication. You can also integrate Worklight with an existing
  enterprise certificate authority, such as an X.509 Public Key
  Infrastructure (PKI) certificate creation back-end, to pass
  certificate creation requests and use the resulting certificates.
  The resulting X.509 certificates stored on the devices help
  deliver an enhanced user experience by streamlining user
  authentication steps, such as removing the login and password
  steps for a particular app on a given device. X.509 certificate
  creation software is provided if you do not already have one
  deployed. Worklight is also designed to support offline
  authentication and single sign-on (SSO) capabilities for multiple
  mobile apps to participate in a globally authenticated session.
[Figure: Worklight Security Framework. Panels: proactively enforce security updates; provide robust authentication and authorization to secure users; streamline corporate security approval processes; protect from known application security threats; protect data on the device.]
• Worklight helps more effectively secure data on the device
  with the JSON Store AES-256 encryption. Data on the device
  and in transit can be further secured with the use of
  optional libraries to make them FIPS 140-2 compliant.
• You can protect applications against repackaging attacks with
  app authentication by ensuring that mobile apps that connect
  to the Worklight environment are known and trusted. With
  Worklight, you can also support integration with third-party
  jailbreak and malware detection libraries. These capabilities
  are complemented with Worklight direct update to
  automatically propagate updates of web portions of the hybrid
  mobile apps, helping to ensure the latest security patches
  are deployed to users.
• Worklight also provides device provisioning capabilities,
  enabling control over which device can access corporate
  back-end systems.
• In addition to all of these capabilities, the platform
  provides management controls through standard J2EE security
  for role-based access to the UI console, CLI and REST APIs
  used for task automation. They help administrators to
  mitigate risk in the face of unknown app vulnerabilities and
  recently lost devices. Further, administrators can more
  quickly change access rules with fine-grained management of
  user, device and application triplets, with disablement of
  all or given apps for all or given users or devices.
The main security features of the Worklight platform include the following:

Mechanism: On-device encrypted storage
Benefit: Help protect sensitive information from malware
attacks and device theft
Details:
• Uses AES256 and PKCS #5-generated encryption keys for storing
  app-generated information on the device
• Enables offline user authentication
• Implemented in JavaScript that is highly obfuscated, with
  optional native performance enhancements

Mechanism: Direct update
Benefit: Take action to help ensure timely propagation of
updated hybrid app versions to the entire install base
Details:
• New versions of the code can be distributed without requiring
  the manual update of the application and are applicable to
  web resources

Mechanism: Remote disable
Benefit: Enforce timely adoption of critical security updates
to the entire install base
Details:
• Server-side console enables configuration of allowed app
  versions. Administrator can ask users to install security
  updates to the native code.

Mechanism: Authentication framework
Benefit: Help reduce overall cost and complexity of integration
with authentication infrastructure
Details:
• Server-side architecture designed for integration with
  back-end authentication infrastructure based on Java
  Authentication and Authorization Service (JAAS) concepts,
  with authentication realms
• Specify one SSL per HTTP adapter for enhanced flexibility and
  security
• Ready-to-implement integration with Kerberos, NTLM, Basic and
  Digest authentication
• Ability to encrypt server-to-server SOAP communication with
  X509 certificates, following the Web Services Security (WSS)
  standard
• Client-side framework for asynchronous login requests on
  session expiration
• X509 certificates support

Mechanism: Server-side safeguards
Benefit: Help prevent SQL injection and help protect against
cross-site request forgery (XSRF)
Details:
• Prepared-statement enforcement
• Validation of submitted data against session cookie

Mechanism: Enterprise SSO integration
Benefit: Use existing enterprise authentication facilities and
user credentials and enable employee-owned devices
Details:
• Client-side mechanism obtains and encrypts user credentials,
  sends to the server with requests
• Encryption incorporates user-supplied PIN, server-side secret
  and device ID
• Credentials cannot be retrieved from lost or stolen device

Mechanism: Device SSO integration
Benefit:
• Enables a mobile user to authenticate one time to gain access
  to multiple mobile applications from a single device
• Mobile users get a more-seamless experience without having to
  explicitly log in to each application
• Enterprise teams can integrate authentication services under
  a single umbrella, streamlining governance and reducing
  help-desk costs that are related to password resets and
  security
• Developers can help eliminate redundant development effort;
  they are no longer required to build authentication into each
  application independently
Details:
• Upon successful login, the authentication state is saved in
  the database and used for validations in subsequent sessions
  from the same device
• No credentials are stored in the on-device database; only the
  state of the authentication is stored, for improved security

Mechanism: Virtual private network (VPN) alternative
Benefit:
• Enable delivery and operation of mobile apps for
  employee-owned devices or device types that are not allowed
  on the corporate network
• Enable delivery when installation of VPN client on mobile
  devices is not possible or when such installation is
  complicated to manage
Details:
• Client-side and server-side frameworks act as secure socket
  layer (SSL)-based VPN
• Network access control and policies are preconfigured in the
  client-side framework layer
• Network access and security measures are updated using
  server-side framework
• On-device encrypted storage to help prevent compromise of
  sensitive data
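
The on-device encrypted storage entry in the table above names AES256 with PKCS #5-generated keys and offline user authentication. The following added example (not Worklight or JSONStore code) shows that pattern in Node.js; PBKDF2-HMAC-SHA256, AES-256-GCM, the iteration count, the record layout and the helper names deriveKey, sealDocument and openDocument are all assumptions made for illustration.

```javascript
// Added example, not Worklight/JSONStore code. Assumed choices: PBKDF2-HMAC-SHA256
// as the PKCS #5 key derivation, AES-256-GCM as the cipher mode, record layout.
const crypto = require('node:crypto');

const ITERATIONS = 100000; // assumed work factor; tune for the target devices

// PKCS #5 (PBKDF2): stretch the user's password into a 256-bit AES key.
function deriveKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, ITERATIONS, 32, 'sha256');
}

// Encrypt one JSON document. Only salt, nonce, tag and ciphertext are stored;
// neither the password nor the derived key is ever written to the device.
function sealDocument(password, doc) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(doc), 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Decrypt and authenticate. A wrong password or a tampered record fails the
// GCM tag check, so this doubles as an offline login check with no server call.
function openDocument(password, record) {
  try {
    const key = deriveKey(password, Buffer.from(record.salt, 'base64'));
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(record.iv, 'base64'));
    decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
    const pt = Buffer.concat([decipher.update(Buffer.from(record.ct, 'base64')), decipher.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch (err) {
    return null; // treated as failed offline authentication
  }
}

// Constructed sample data.
const record = sealDocument('correct horse', { account: 'demo-001', balance: 42 });
console.log(openDocument('correct horse', record));
console.log(openDocument('wrong guess', record));
```

Because each record carries its own random salt and nonce, sealing the same document twice yields different ciphertexts, and a stolen record can only be attacked by guessing the password at the PBKDF2 work factor.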
These capabilities are essential, but business leaders realize that
delivering secure mobile apps is about more than securing the
run time; security must be embedded into the development and
app lifecycle management process. With Worklight Application
Scanning, you can conduct a static code analysis of a mobile
app, both native and web content, to detect potential
vulnerabilities earlier during the development cycle for data
leakage, sensitive information exposure, high-risk API usage
and more. This analysis can be an automated part of an
organization's continuous integration and build strategy and it
can be run on demand as well. Static code analysis for mobile
apps is an important part of raising an organization's overall
security posture. With Worklight Application Scanning this
analysis is made easier to institutionalize as part of the
mobile app lifecycle.
Worklight also integrates with:
• MaaS360 from Fiberlink to help support BYOD strategies with
  full device control through policies, app containerization
  and app security such as copy and paste prevention
• Trusteer to deliver a context-driven risk assessment and
  advanced malware and jailbreak detection
• IBM DataPower for scalable security enforcement points (PEP),
  traffic management, message validation, transport level
  communications protection and rate limitation through
  policies
• ISAM for risk-based access (RBA) and single sign-on (SSO)
  using LTPA token, HTTP header, or OAuth
Clearly, security is an imperative for companies delivering
mobile apps and it goes deeper than security measures
employed for traditional web applications. Worklight provides
a more comprehensive set of, and integration with,
security-focused capabilities that help address both
development and run time concerns. Security officers and
developers can use these capabilities to enhance their mobile
security posture without spending considerable upfront and
ongoing resources to match what Worklight provides right off
the shelf. Worklight does not warrant that systems and products
are immune from the malicious or illegal conduct of any party.
Managing your mobile ecosystem
Unlike web applications, where you are in full control of the
experience and versioning and where users get the sanctioned
version when connecting, mobile applications are a different
challenge, with binaries executing on end users' devices,
traditionally outside of your control. Worklight is designed
to provide means to claim back control with its Mobile
Application Management (MAM) capabilities while maintaining
a higher level of insights with operational analytics.
The Worklight Console
The Worklight Console is a web-based user interface, also
available through REST services, Ant tasks or CLI tools to
more seamlessly integrate with your automation system of
choice. The Worklight Console is dedicated to the ongoing
administration of the Worklight Server and its deployed apps,
adapters and push-notification services whether in development
or production.
Main management tasks include:
• Deployment of mobile applications and adapters
• Fine-grained management of users, devices and applications
• Black listing given devices when lost and managing their
  provisioning, preventing access to given users when role
  changed or managing multiple versions of the same application
• Remotely disabling applications by version and
  mobile-operating-system type
• Management of notification messages on application startup
  when installation of new application version is requested
• Control and monitor push-notification services, event sources
  and related applications
• Troubleshooting and problem determination with
  server-initiated client log collection for given devices,
  apps and users
[Figure: Worklight console app management. Callouts: Supports
multiple versions on the same platform; Device-specific
versions are uncoupled.]
Automated collection of user-adoption, device and app
properties, user actions and back-end calls, JSONStore
and back-end system calls performance, usage information,
exceptions, crashes, logs and response time, with customizable
dashboards for auditing and reporting purposes. All collected
data can be easily exported for further analysis by external
business intelligence tools.
Ready-to-use analytics helps address the following:
The Worklight Console can administer several run time
environments from several independent Worklight projects
deployed to the same application server or cluster.
The Worklight Console includes role-based security with
different built-in profiles:

• Monitor. This feature includes a read-only profile for
  monitoring deployed Worklight artifacts.
• Operator. With this feature, you cannot add or remove
  applications and adapters but you can conduct all other
  management operations.
• Deployer. This feature includes the same capabilities as the
  operator role but can also deploy applications and adapters.
• Administrator. This feature includes all administration
  operations.
Operational analytics for usage insights
Worklight provides an advanced operational analytics platform
to automatically assemble and analyze user-adoption, device and
app properties, user actions and back-end calls, JSONStore and
back-end calls performance, usage information, exceptions,
crashes, logs and response time. Search across logs and events
collected from devices, apps and servers enables insights into
patterns, problems and platform usage.
The following sources are combined into the analytics
repository:
• Interactions of any app-to-server activity; anything that is
  supported by the Worklight client/server protocol, including
  push notification
• Client-side logs and crashes
• Server-side logs that are captured in traditional Worklight
  log files
The IBM Worklight Server for analytics is provided as a
WAR file for standard install and administration.
Using the Worklight approach, developers can instrument
mobile apps using the provided library for more efficient
collection and streaming of information. Business leaders who
optionally upgrade to the IBM Tealeaf CX mobile platform
can gain additional insight into mobile user experience
analytics. This insight includes session replays, device
orientation, screen size and touch-screen interactions, to
understand mobile users' behavior for web and native
applications. These insights empower organizational teams to
diagnose and resolve customer struggles that can be difficult
to identify and that inhibit application usability and
effectiveness.
For more information
To learn more about IBM Worklight, please contact
your IBM representative or IBM Business Partner,
or visit the following website:
ibm.com/software/products/en/ibm-worklight-platform
Additionally, IBM Global Financing can help you acquire
the software capabilities that your business needs in the most
cost-effective and strategic way possible. We'll partner with
credit-qualified clients to customize a financing solution to suit
your business and development goals, enable effective cash
management, and improve your total cost of ownership. Fund
your critical IT investment and propel your business forward
with IBM Global Financing. For more information, visit:
ibm.com/financing


Copyright IBM Corporation 2014
IBM Corporation
Software Group
Route 100
Somers, NY 10589
Produced in the United States of America
August 2014
IBM, the IBM logo, ibm.com, DataPower, Jazz, Cast Iron, Rational,
Tealeaf, and Worklight are trademarks of International Business Machines
Corp., registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current
list of IBM trademarks is available on the web at "Copyright and trademark
information" at ibm.com/legal/copytrade.shtml
Microsoft, Windows and Windows NT are trademarks of Microsoft
Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Oracle and/or its affiliates.
This document is current as of the initial date of publication and may be
changed by IBM at any time.
It is the user's responsibility to evaluate and verify the operation of any
other products or programs with IBM products and programs.
THE INFORMATION IN THIS DOCUMENT IS PROVIDED
"AS IS" WITHOUT ANY WARRANTY, EXPRESS OR
IMPLIED, INCLUDING WITHOUT ANY WARRANTIES
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND ANY WARRANTY OR CONDITION OF
NON-INFRINGEMENT. IBM products are warranted according to the
terms and conditions of the agreements under which they are provided.
The client is responsible for ensuring compliance with laws and regulations
applicable to it. IBM does not provide legal advice or represent or warrant
that its services or products will ensure that the client is in compliance with
any law or regulation.
1 The Upwardly Mobile Enterprise, IBM Institute for Business Value,
October 2013
WSW14181-USEN-08
