How Northern Trust Built Its Secure iPad App

by DavidStrom ‎28-08-2012 01:35 PM - edited ‎28-08-2012 01:35 PM

If you are looking to build and deploy a wireless "occasionally connected" iPad app, you might want to look at how private wealth management firm Northern Trust did theirs. Using a combination of off-the-shelf and customized parts, the mobile development team assembled an app used today by a small pilot group of 20 of their private bankers, which will be more widely deployed later this year.

Chris Price, one of the bank's VPs and a system architect, gave a presentation at the Gartner Catalyst conference in San Diego describing how the mobile app was designed, built, and deployed. The process the team went through is useful for both project managers and developers, as it covers the app's design, security, and usability.

Before writing a line of code, Price’s team started off with a reference model and a strategy for how they would do the project, pulling in the various stakeholders from around the bank. "We weren't writing any code until we got a clear direction of what we needed to do," Price said during his conference presentation.

Among the user stories: The bank's client managers – the people who work with very wealthy individuals – wanted to view a client's portfolio and investments and review what actions the bank should take… no matter where their clients were. And they wanted to do this on an iPad. "We frequently have our managers get on private aircraft or yachts with our clients,” Price said. “We needed an app that would work under those circumstances, regardless of connectivity and Internet access."

[Slide: strom_1ntrust.png]

You can see some of their technology requirements in the slide above. They made several key technical decisions: whether to code a native iOS app, what middleware and APIs to use, how to implement the various security requirements, and what kind of internal app store to use to deploy the app. Many of these decisions actually ran counter to Price's previous experience building internal apps for the bank.

[Slide: strom_2ntrust2-2.png]

"We typically build Web-centric apps because they are easier and quicker than native iOS apps," said Price. "But in this circumstance we wanted the iOS app to make it more secure, particularly when it was in online mode." The bank was worried about Web-based attacks such as cross-site scripting and SQL injection that could compromise its data. The native app could also make more efficient use of local storage.

Northern Trust also used a combination of purchased and custom-built solutions. They used a product from Layer 7 to expose their application services to REST protocols. "REST was easier to get running in this situation, even though we had used SOAP for some other apps," Price said.

When it came to picking the middleware that would communicate among the various apps, the bank ended up writing its own code. "We saw a lot of products, but none were ready at the time. We needed to do some custom database source integration anyway because of the kind of apps that we were running at the bank," Price said. You can see the resulting infrastructure in the diagram below.

[Diagram: strom_3ntrust 3.png]

As you might imagine, given the nature of their clientele, security was a primary focus. The bank combined several different pieces, including OAuth v2.0, two-factor "soft tokens" from RSA, and Good Technology's Mobile Device Management services. Together these gave the iPads both local authentication and local encryption of stored data.

The first version of their iPad app just grabs data from the bank systems and stores it on the iPad for client presentation purposes. Later this year they will roll out an upgrade to allow synchronization between the iPad and existing systems, so that Northern Trust managers can update client records from the field.

So what are some lessons that Northern Trust learned from this experience? Price mentions several:

  • Listen to your clients. "We didn't want to build a native app,” said Price. “But when we looked at all the issues, it really made sense."
  • Define your strategy. "Don't just start writing your app before figuring out where and how your various solutions fit together."
  • Design for resilience. "We knew that we were facing environments wherein our managers wouldn't have any Internet access, and built that in."
  • Don't shy away from gateways if they can be useful.
  • Plan for the worst-case security scenario, especially when your users are roaming all over the world on untrusted networks. The bank wanted to make sure that even if an iPad was lost or stolen, none of its data would be compromised.
  • Don't be afraid to write custom code when you need it.

As you can see, what they ended up with wasn't a single piece of code but rather the best solution from more than a dozen different products and services. Perhaps this process that the bank went through can be useful for your next mobile app project.

Comments
by Aileen Shen-Parkes (anon) on 01-09-2012 09:30 AM

It's very difficult to write secure software well.

It's made even more difficult when you're gluing together other people's software with your own.

It's even harder to keep the glued-together concoction secure across network and system boundaries.

The eminent security expert Bruce Schneier consistently notes (in a related context about cryptographic algorithms) that unless you fully allow independent security professionals to critically analyze your software, you have very little reason to believe that you've done a decent job.

I have no doubt that Chris Price and his team at Northern Trust have the best of intentions, but if I were a high net worth individual banking at Northern Trust, there is no way I would allow my client manager to use this application until it had withstood critical outside scrutiny.

The HP Input Output site is sponsored by HP and features articles and content from HP and third-party contributors. Third-party articles and content, while paid for by HP, do not necessarily represent the views and opinions of HP. HP does not endorse this content and is not responsible for its accuracy, availability and quality.
