General
Any security assessment of a mobile application covers multiple factors and layers and should work from the inside (the SAP instance itself) outwards. BlueWorx as an application has its own role to play, but the security of the overall solution is not limited to the application. While not exhaustive, the accompanying diagram gives a simplified representation of some of these layers:
(Figure: simplified representation of the security layers, from the SAP instance outwards)
Security and Threat Assumptions
The following security and threat assumptions are made with respect to BlueWorx:
- Ultimately the responsibility for security rests with the organisation itself. The organisation's own network and device security policies will be applied and reviewed, i.e. server, network, internet access, device management and controls, and physical security. Its own network and security personnel will be involved in the network review, design and implementation to their own satisfaction.
- SAP and network security best practices for external access are instituted, enforced and regularly reviewed.
- Users of BlueWorx are trusted by the organisation as employees or contractors, i.e. it is an enterprise application, not a public application.
Important
Data at rest in BlueWorx, that is the data stored by the application on the device or in the browser, is not encrypted [1]. While the underlying technology supports encryption for mobile, it is deliberately not encrypted because of:
- The requirement, in some circumstances, to share devices between users and make use of common data.
- The requirement for the application to operate as fast as possible, sometimes with comparatively large data volumes on devices with sub-optimal specifications.
[1] The exception, as of SP10, is contact information for personnel from SAP, available in the optional Crew component of the BlueWorx application. As of SP10 this data is encrypted at rest using the standard Neptune Software encryption option and is decrypted while the application is in use.
Recommendations
General recommendations around security include:
- Development of a formal mobility security strategy/policy integrated into your existing SAP and network security policy
- Organisations should independently assess the data security classification of data being transferred to and from BlueWorx and ensure that it conforms, noting that, as discussed above, data at rest is not encrypted at the application level and so relies on device-level encryption and the device management controls below
- The use of a Mobile Device Management (MDM) solution for application deployment and management
- Application access only over HTTPS
- Use of a reverse proxy service, such as SAP Web Dispatcher
- Creation/review of SAP security profiles specific to BlueWorx
- Use of network segregation, such as SAP Gateway and DMZs
- Domain white listing in the BlueWorx mobile application
- Use of a Content Security Policy in the BlueWorx mobile application (more granular control than domain white listing)
- Use of native mobile device screen timeouts and PIN code access (part of the mobile security policy)
- Use of network intrusion detection and auditing.
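The three application-side items above (HTTPS only, domain white listing, Content Security Policy) are illustrated by the following added example. It is not BlueWorx or Neptune Software code; the host names are constructed placeholders standing in for the Web Dispatcher in front of SAP and for an identity provider, and the CSP directive set is an assumed starting point to be tightened against your own build. Origins are compared by parsing the URL rather than by string prefix, which is what defeats look-alike hosts such as `https://sap-mobile.example.com@attacker.example`.

```javascript
// Added example (not BlueWorx or Neptune Software code): origin allow-listing
// and a Content Security Policy value for a Cordova-packaged SAP client.
// Hosts below are constructed placeholders; replace with your own.
const ALLOWED_ORIGINS = [
  "https://sap-mobile.example.com", // Web Dispatcher in front of SAP / Neptune
  "https://*.sso.example.com",      // identity provider used for MFA, any subdomain
];

// Normalise one allow-list entry into { scheme, wildcard, host, port }.
function parseEntry(entry) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^/:]+)(?::(\d+))?$/i.exec(entry);
  if (!m) throw new Error("bad allow-list entry: " + entry);
  const scheme = m[1].toLowerCase();
  const defaultPort = scheme === "https" ? "443" : scheme === "http" ? "80" : "";
  return { scheme, wildcard: !!m[2], host: m[3].toLowerCase(), port: m[4] || defaultPort };
}

// True when `url` may be navigated to or called from the app.
// Parsing with the URL constructor, rather than checking a string prefix,
// is what rejects "https://sap-mobile.example.com@attacker.example" (userinfo
// trick) and "https://sap-mobile.example.com.attacker.example" (suffix trick).
function isOriginAllowed(url, allowlist = ALLOWED_ORIGINS) {
  let u;
  try { u = new URL(url); } catch (e) { return false; }
  const scheme = u.protocol.replace(/:$/, "");
  if (scheme !== "https") return false; // HTTPS only, per the recommendations
  const host = u.hostname.toLowerCase();
  const port = u.port || "443";         // URL strips the default port
  return allowlist.map(parseEntry).some(a => {
    if (a.scheme !== scheme || a.port !== port) return false;
    // "*.sso.example.com" matches strict subdomains only, not the apex host.
    if (a.wildcard) return host !== a.host && host.endsWith("." + a.host);
    return host === a.host;
  });
}

// Build the CSP meta-tag value: everything defaults to the packaged app itself
// and only allow-listed origins may be contacted or framed. Wildcard entries
// are passed through because CSP host-source syntax accepts "*.example.com".
function buildCsp(allowlist = ALLOWED_ORIGINS) {
  const hosts = allowlist.join(" ");
  return [
    "default-src 'self'",
    `connect-src 'self' ${hosts}`,
    `frame-src 'self' ${hosts}`,
    "img-src 'self' data:",
    "style-src 'self' 'unsafe-inline'", // assumed: UI frameworks often inject inline styles; drop if your build allows
    "script-src 'self'",
    "object-src 'none'",
    "base-uri 'self'",
  ].join("; ");
}

// Usage in the packaged index.html:
// <meta http-equiv="Content-Security-Policy" content="...value of buildCsp()...">
console.log(buildCsp());
console.log(isOriginAllowed("https://sap-mobile.example.com@attacker.example/")); // false
```

In a Cordova build the same allow-list is also declared in config.xml (`<access origin>` for network requests, `<allow-navigation>` for in-app navigation, `<allow-intent>` for hand-offs to other apps); keep that declaration and the CSP in step, since the CSP is what actually constrains the WebView once the page has loaded.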
We also highly recommend that, prior to deployment, the BlueWorx application and network are tested to ensure compliance with the organisation's own security requirements. We further recommend the use of external, independent specialist security analysts unless in-house personnel have this specialisation and current knowledge of the latest threats and techniques.
Accenture strongly recommends the use of multi-factor authentication (MFA) for the deployment of BlueWorx. MFA adds protection to your BlueWorx application and, more importantly, to your SAP ERP (ECC) system. Not deploying the application with MFA should be a conscious and considered decision and, for Accenture-delivered projects, should include a customer waiver acknowledging deployment against advice where it is not used.
If SAP GUI has already been enabled for MFA, enabling it for BlueWorx (through Neptune Software) should be simpler. Neptune Software has provided a detailed video explaining the MFA steps for Azure AD with SAP and Neptune Software. It is available here: https://www.youtube.com/watch?v=tPINF0LNbTI
Additional Information
The following page provides additional information, including why true certificate pinning is not available in Cordova-based applications (as used by BlueWorx): https://cordova.apache.org/docs/en/latest/guide/appdev/security/
For an alternative approach to certificate pinning, see: https://www.npmjs.com/package/cordova-plugin-sslcertificatechecker
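The following added example shows how that alternative is typically wired into an app: the server certificate fingerprint is checked before the first backend call, and the app fails closed if the check cannot be made. It is not BlueWorx, Neptune Software or plugin code. It assumes the plugin exposes `window.plugins.sslCertificateChecker.check(onSuccess, onError, serverUrl, fingerprint)` and reports `"CONNECTION_SECURE"` on success and `"CONNECTION_NOT_SECURE"` or a `"CONNECTION_FAILED..."` message on error; confirm those names and the expected fingerprint format against the plugin version you install. The backend host and fingerprint are constructed placeholders.

```javascript
// Added example (not BlueWorx, Neptune Software or plugin code): gating backend
// access on cordova-plugin-sslcertificatechecker. Callback names and messages
// are assumptions about the plugin; verify against the installed version.
const BACKEND = "https://sap-mobile.example.com"; // constructed placeholder
// Constructed placeholder: use the fingerprint of the certificate the Web
// Dispatcher actually presents, in the format the plugin version expects.
const PINNED_FINGERPRINT = "00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33";

// Tools print fingerprints with different separators and case (openssl uses
// "AB:CD", browsers "AB CD"); compare canonical hex rather than raw strings.
function canonicalFingerprint(fp) {
  return String(fp).replace(/[^0-9a-f]/gi, "").toUpperCase();
}

function fingerprintMatches(actual, expected) {
  const a = canonicalFingerprint(actual);
  const e = canonicalFingerprint(expected);
  return a.length > 0 && a === e;
}

// Decide whether the app may contact the backend. Fail closed: a missing
// plugin or any error blocks the app, except in an explicitly flagged browser
// build, where no native TLS inspection exists and the decision is left to
// the browser's own certificate validation.
// `done` receives { proceed: boolean, reason: string }.
function gateBackendAccess(plugins, isBrowserBuild, done) {
  const plugin = plugins && plugins.sslCertificateChecker;
  if (!plugin) {
    done({
      proceed: !!isBrowserBuild,
      reason: isBrowserBuild ? "browser build: no native certificate check" : "certificate checker plugin missing",
    });
    return;
  }
  plugin.check(
    message => done({ proceed: message === "CONNECTION_SECURE", reason: String(message) }),
    message => done({ proceed: false, reason: String(message) }),
    BACKEND,
    PINNED_FINGERPRINT
  );
}

// Usage inside the app, after Cordova's "deviceready" event:
// gateBackendAccess(window.plugins, false, r => {
//   if (!r.proceed) { showBlockingError(r.reason); return; }
//   startApplication();
// });
```

Two caveats for operating this. The plugin inspects the certificate on a connection it opens itself, so the check confirms what the server presents at that moment rather than pinning every later request the WebView makes; it raises the bar against interception but is not equivalent to true pinning, which is the point of the Cordova page linked above. And because the pinned value is baked into the app, the fingerprint must be rotated in a released build before the Web Dispatcher certificate is renewed, or the app will lock itself out.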