Secure Mobile Web Service Applications: The BlackBerry Enterprise Solution
Industry analysts (Gartner—SOBA Apps show their potential.—SPA-20-7295) predict that over 80% of the business applications sold between 2005 and 2008 will be based on the principles of Service-Oriented Architecture (SOA). SOA expresses a business-driven approach to software architecture that defines the business as a set of linked business tasks or services. These self-contained, reusable software modules with well-defined interfaces are independent of the applications and computing platforms on which they run.
The most prevalent implementation of SOA, Web services, is having a significant effect on Enterprise Applications as we know them today. Web services enable incompatible and disparate software systems to interoperate. Web services enable applications to share data and invoke the capabilities of other applications regardless of how the applications were built, the operating system or platform the applications run on, or the devices that access the applications. Packaged application vendors such as SAP, Oracle, Salesforce.com, and the like have now introduced Web service architecture into their own offerings in the hope that enabling a service-based approach to applications will lower barriers to entry for customers.
Historically, IT investments in software development projects were commonly made in silos. Today, Web services provide organizations with a standard mechanism for enabling intra-company communication between heterogeneous internal systems. For example, by using Web services, a customer relationship management (CRM) system can extract customer order information from a financial or enterprise resource planning (ERP) application. Such loose coupling helps preserve the future by allowing parts to change at their own pace without the risks linked to costly migrations using monolithic approaches.
A brief overview of Web services is given in Appendix A and a more detailed discussion is available in Reference 5.
This article is about the development, deployment, and administration of secure Web services mobile clients. Additional topics will include the rationale for using Web services vis-à-vis traditional architectures for mobile clients and how mobile applications need to function when the user transitions in and out of the area covered by the service provider's signal.
Web services are naturally a high-bandwidth solution; that is, they're built with the expectation that they'll be accessed over a wired network. But, when you access a Web service over a low-bandwidth wireless (mobile) network, the user experience can be seriously diminished. To compound the matter, roaming, handheld devices that transfer data over public networks are vulnerable to a seemingly limitless number of security compromises. I'll focus on how one vendor—Research In Motion, Limited (RIM)—addresses these issues with its BlackBerry platform.
My selection of RIM is based on a number of factors: particularly its pioneering work with push technology—critical to optimizing the user experience—and mobile security—BlackBerry was the first mobile solution to be FIPS certified (FIPS is a United States federal standard that specifies security requirements for cryptography modules). See Appendix B for further details.
Web services (server-side) applications available from major software vendors are shown in Figure 1 at the far right. But, many Web services applications are home grown. For these, IDEs such as Microsoft's Visual Studio and Oracle's SOA Suite make development of custom Web services about as easy as the development of any other kind of back-end application.
For building Web service clients that run on their handheld devices, BlackBerry has recently introduced a RAD environment named Mobile Data Service (MDS) Studio. This visual tool and the handheld device are depicted at the top right and far left, respectively, in Figure 1.
BlackBerry Enterprise Server (BES) with MDS Services, located behind the firewall, is shown in the center of Figure 1. Among its many functions, BES serves as the gateway between the wired network on the right and wireless network on the left of this figure.
MDS Services also handles the interaction between the MDS applications running on the handheld device and back-end enterprise applications and systems.
The whole system allows the handheld device to connect securely to a server-side Web service over standard HTTP using the SOAP protocol.
Figure 1: System for development, deployment, and administration
MDS Studio enables you to integrate enterprise Web services with BlackBerry devices using a graphical methodology. This tool enables you to design the screen, data elements, and application messages visually using a component-based drag-and-drop approach. Wizards and editors further enable you to connect graphical components.
Once you have a Web service defined—either internal to your organization or external—you point MDS Studio to the WSDL of the Web service and MDS can largely build the app for you. To illustrate, I created and ran the rather simple example shown in Figure 2 in just a few minutes, after first importing the WSDL file from a Web service application that I had previously created in Microsoft Visual Studio.
MDS Studio automatically created three basic component types:
- User interface components
  - Used to lay out the application user interface
  - UI components can be grouped into screens and frames
  - UI components can be linked to data components and/or message components to create application workflow/logic
- Data components
  - Used to store persistent and non-persistent application data on the device
  - Data components can be linked to message components and UI components
- Message components
  - Used to send/receive application data between the client application on the device and the back-end system
  - Message components can be linked to UI and data components
The developer can build a client application in its entirety (screens, data, messages, and application logic) without starting with the WSDL definition from a pre-existing Web service. The MDS Studio Service Pack has a WSDL generator that takes the output of the Studio application and either maps it back to an existing Web service WSDL definition or uses it to generate the WSDL itself. The developer can then import that WSDL into a tool like Visual Studio .NET, Axis, or Lotus Domino to generate mappings, components, and stubs based on it, or to create the Web service if it doesn't already exist.
When the design of an MDS Application is complete, MDS Studio automatically generates an Extensible Markup Language (XML) metadata representation of the client application.
From MDS Studio, you can publish your app directly into an application repository. Anything that's been published to that repository can be proactively pushed out as an app to the device by the administrator (using the BlackBerry Manager shown at the lower right in Figure 1) or the user of the handheld can search the repository for applications they want to install.
MDS Studio enables you to build apps that integrate with native BlackBerry functions. For example, once a user looks up a telephone number (always current on the handheld device because any changes to the data are automatically pushed out to the handheld from the backend server), he or she can click on the phone number and have the phone dial it automatically. That's part of the beauty of this converged voice-data device.
And, to cite another example, the user can look up a job ticket that resides in a backend job ticketing application and, once he or she clicks on that job, the MDS Studio-built app can add that job to the user's calendar.
And, to help protect a published application from tampering, MDS lets you sign an application bundle with a digital certificate identified by an alias. You can use either a certificate from a trusted certificate authority (CA) or a generated (self-signed) certificate. MDS Studio generates and signs applications with certificates that are compliant with the Public-Key Infrastructure (X.509) standard. See Reference 9. Note: The MDS Services system administrator might set IT policy options that require users to sign applications using trusted CA certificates only.
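To show what the "trusted CA certificates only" policy amounts to on the receiving side, here is an added example of a bundle-signature check; it is not MDS or RIM code and does not reproduce their bundle format. It assumes a detached SHA256withRSA signature over the raw bundle bytes, a PEM/DER X.509 signer certificate, and a Java KeyStore holding the trusted CA certificates (all hypothetical inputs).

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Signature;
import java.security.cert.*;
import java.util.Collections;

/** Hypothetical verifier mirroring the IT policy described in the text (not part of MDS). */
public final class BundleSignatureCheck {
    // Assumption: the signature file is a detached PKCS#1 v1.5 signature over the bundle bytes.
    private static final String SIG_ALG = "SHA256withRSA";

    public static boolean verify(Path bundle, Path sigFile, Path signerCertFile,
                                 KeyStore trustStore, boolean requireTrustedCa) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate signer;
        try (InputStream in = Files.newInputStream(signerCertFile)) {
            signer = (X509Certificate) cf.generateCertificate(in);
        }
        try {
            signer.checkValidity();                 // reject expired or not-yet-valid signers
        } catch (CertificateException e) {
            return false;
        }
        boolean selfSigned = signer.getSubjectX500Principal()
                                   .equals(signer.getIssuerX500Principal());
        if (requireTrustedCa) {
            if (selfSigned) return false;           // policy: self-signed signers are not accepted
            // Validate the signer against the trust store with PKIX. The path holds only the
            // leaf cert, so the issuer must be a trust anchor; add intermediates if you use them.
            CertPath path = cf.generateCertPath(Collections.singletonList(signer));
            PKIXParameters params = new PKIXParameters(trustStore);
            params.setRevocationEnabled(false);     // assumption: no CRL/OCSP reachable offline
            try {
                CertPathValidator.getInstance("PKIX").validate(path, params);
            } catch (CertPathValidatorException e) {
                return false;                       // issuer not trusted, or chain invalid
            }
        }
        // Only after the signer is acceptable do we check the signature over the bundle itself.
        Signature sig = Signature.getInstance(SIG_ALG);
        sig.initVerify(signer.getPublicKey());
        sig.update(Files.readAllBytes(bundle));
        return sig.verify(Files.readAllBytes(sigFile));
    }
}
```

The order matters: checking the signer's chain before the signature means a valid signature from an untrusted key is rejected for the policy reason rather than silently accepted.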
Figure 2: BlackBerry MDS Studio (based on Eclipse)
The MDS Runtime, which runs on the handheld device's operating system, is the container-based execution environment for MDS applications. The MDS Runtime contains a control center application that enables users to search for and manage MDS applications and view application information. The MDS Runtime is designed to provide the underlying services that are used by MDS applications, including the user interface, data storage, and client-server communication services. It manages the on-device application lifecycle, including deployment, execution, and upgrade.
Figure 3: Individual services in BlackBerry Enterprise Server
MDS and other BES services
For this part of the discussion, a simplified version of Figure 1 is drawn in Figure 3 to illustrate the individual services in BlackBerry Enterprise Server.
MDS Services are designed to provide connectivity between MDS applications on the devices and enterprise data. MDS is a secure conduit that exists between all BlackBerry handheld units and their home BES. Data is sent from MDS to the BES, which sends it to the handheld units. Returning data is sent to the BES and then on to MDS. You also can think of the MDS as an HTTP and TCP/IP proxy with special features. (See Connection and other services in the following table.)
These special MDS features make it possible for developers to easily push content out to BlackBerry handheld devices. Push refers to the capability of a BlackBerry user to receive content delivered to their device automatically, without requesting it. Administrators with the required authorization can limit which groups of users can receive push data.
Making use of this conduit allows you to extend your intranet services to your BlackBerry users, virtually no matter where in the world they are. They can be connected to your intranet even as they cross from one cell to another or one carrier to another—these transitions are seamless to the user.
MDS runs as a standalone Windows service, but your BES communicates with it extensively as part of its normal operation. In fact, the data sent between the MDS and the BlackBerry must go through the BES, because it is the BES that communicates directly with the RIM Network Operating Center (NOC).
Each cellular carrier that supports the RIM BlackBerry sets up a secure Virtual Private Network (VPN) connection between the carrier's data center and the RIM NOC. When a BlackBerry handheld unit is turned on, or when it comes into wireless coverage, it identifies itself to the NOC. At that point, the NOC knows how to communicate with it. More specifically, the NOC knows which cellular carrier the handheld unit is on, and, therefore, which VPN connection to use to communicate with the handheld device.
The following table provides an outline of the other BES services.
| Service | Description |
|---|---|
| Connection Service | Enables a system administrator to connect the MDS Services to the Mobile Data Service feature of the Enterprise Server. The Connection Service is designed to accept and respond to push requests from server-side push applications when the application server is behind the corporate firewall. This service is designed to provide a link to standard servers on the corporate intranet or Internet by using standard Internet protocols, such as HTTP or TCP/IP, and to encrypt content using the same encryption standard that is used to encrypt BlackBerry messages and other BlackBerry data. |
| Application Integration Service | Supports Web services and other standard mechanisms for integrating wireless applications with existing enterprise applications and systems. This service is designed to manage the transmission of application data messages between BlackBerry MDS Applications and data sources. |
| Provisioning Service | Controls which BlackBerry MDS Applications users can download to their BlackBerry devices, supports application discovery from a BlackBerry device, and manages wireless transmission on BlackBerry devices. |
| Data Optimization Service | Converts existing server-side content and data to enable wireless transmission and use on BlackBerry devices. |
| Administrative and Management Service | Centralizes application lifecycle management, including centralized push installation, upgrade, and removal of applications from BlackBerry devices. |