Ten things all enterprise developers need to know about Secure Work Space

ENTERPRISE / 06.23.15 / shikhir


There are a few essential things every iOS and Android enterprise developer needs to know about Secure Work Space (SWS). Understanding the essentials discussed below will help you save time and ensure you produce secure apps that can access data behind your company’s firewall.

  1. Wrapping an app encrypts the app’s data at rest and in motion, automatically!

The goal of the SWS container solution is to run enterprise-approved apps that transmit and store their data securely. Wrapping an app is a two-minute process on the BES that secures the app’s data and facilitates the management of the app. After an app is secured via wrapping, it automatically encrypts all of its data at rest and in transit. You don’t need to write any encryption logic within your app to protect data at rest or in transit. For most developers, this means no need to use SqlCipher or code complex encryption logic! More details here on how the security/encryption works for SWS. The process to wrap an app is documented here.

  2. No API or code modifications are required for a wrapped app to access data behind the firewall

Once an app is wrapped and re-signed, it can automatically access data behind the firewall. After an app is wrapped, all of its network traffic is routed through the BES. Because the BES sits behind your firewall, you don’t need to write any VPN or connection logic into the app. This means you can write code as though you are sitting behind the firewall.

  3. Wrapping an app invalidates its signatures and thus you will need to re-sign the app again

The wrapping process injects new libraries into the app. This invalidates the app’s existing signature, because the hash values covered by the digital signature no longer match the app’s contents. This means you will need to re-sign the app. The process is described here. For iOS, you can use an automated signing script, located here, which simplifies the process.
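Why the re-signing requirement described above is unavoidable, shown as an added example (not BlackBerry's wrapper and not code from this post). It models only the per-file SHA-256 digest list of a JAR-style signature manifest on a constructed archive; the `seal`, `wrap` and `verify` helpers and all file names are hypothetical, and a real signature additionally signs the manifest with the developer's key.

```python
import base64, hashlib, io, zipfile

MANIFEST = "META-INF/MANIFEST.MF"

def digest(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def pack(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def unpack(archive):
    with zipfile.ZipFile(io.BytesIO(archive)) as z:
        return {n: z.read(n) for n in z.namelist()}

def seal(files):
    """Package files with a manifest recording each entry's SHA-256 (no key involved)."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest(data)}", ""]
    return pack({MANIFEST: "\r\n".join(lines).encode(), **files})

def wrap(archive, injected):
    """Stand-in for wrapping: add or replace entries, leave the old manifest in place."""
    return pack({**unpack(archive), **injected})

def verify(archive):
    """Return {entry: problem} for every entry that disagrees with the manifest."""
    entries, recorded, name, problems = unpack(archive), {}, None, {}
    for line in entries[MANIFEST].decode().splitlines():
        key, _, value = line.partition(": ")
        if key == "Name":
            name = value
        elif key == "SHA-256-Digest":
            recorded[name] = value
    for entry, data in entries.items():
        if entry.startswith("META-INF/"):
            continue  # signature metadata is not listed in its own manifest
        if entry not in recorded:
            problems[entry] = "not in manifest"
        elif digest(data) != recorded[entry]:
            problems[entry] = "digest mismatch"
    return problems

# Constructed sample app; file names and contents are made up for illustration.
app = seal({"classes.dex": b"original code", "res/layout.xml": b"<ui/>"})
wrapped = wrap(app, {"lib/libwrapper.so": b"injected", "classes.dex": b"patched code"})
resigned = seal({k: v for k, v in unpack(wrapped).items() if k != MANIFEST})
```

`verify(wrapped)` reports both the injected library and the modified code file, while `verify(resigned)` is clean because the digests were regenerated over the wrapped contents.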

  4. For iOS, you may need to purchase another signing key

Once an app is wrapped, it will need to be re-signed for the reasons described in item 3. Apple requires apps that aren’t deployed through its app stores (in-house apps) to be signed using Enterprise Signing Keys. This means you will need to enroll in the iOS Developer Enterprise Program to obtain Enterprise Signing Keys. As of this writing, the process to purchase the Enterprise Signing Keys from Apple takes around a week.

  5. Many apps have already been wrapped for you!

Many iOS and Android apps have already been partner wrapped and uploaded to the Apple App Store or the Google Play Store. All you need to do is whitelist these pre-wrapped apps in BES to give your users access. Here is a list of some of the apps available. More information on the partner wrapping process is located here.

  6. Only wrapped apps can share data with other wrapped apps

This prevents employees from transferring data or files into unapproved personal apps.

  7. UDP is not supported

Make sure your apps communicate only via TCP.

  8. Your video/audio streaming app may not work

As all network traffic is routed through the BES, the latency becomes noticeable with bandwidth-heavy apps. Additionally, because UDP doesn’t currently work with SWS, video or audio streaming apps that depend on UDP will not work.

  9. BES will let the BES admin assign your apps to an individual user or a group of users

The BES admin can choose exactly who to deploy the app to. They can pick an individual user or a group of users. If the user leaves the organization, the admin can wipe the workspace containing all of the enterprise apps.

  10. SWS is an Application Neutral Container solution

There are a few different categories of enterprise container solutions. SWS is an Application Neutral Container solution. Other types of solutions also exist, including Application Specific and Integrated Container. Integrated Container solutions are also a great alternative to Application Neutral containers because the app wrapping step is not required to deploy an app into the enterprise container. To read more about the different types of containerization solutions, read this awesome whitepaper. BES 12.2 supports other Integrated Container solutions including BlackBerry Balance, Android for Work and Samsung Knox.

For more information on enterprise development for BlackBerry products such as Secure Work Space, click here.

