Configuring Encryption Policies for Apps Running on Mobile Devices

Oct 08, 2015

You can configure encryption policies for apps running on iOS and Android mobile devices. You can configure four encryption policies for iOS apps and eight encryption policies for Android apps. This topic lists the encryption policies that apply to each device type.

Policies for Encryption for iOS Apps

This section describes the policies you can configure in App Controller for apps that run on iOS devices. For a complete list of the policies you can configure for iOS devices, see the topic, Configuring MDX Policies for iOS Apps in App Controller in this section.

Encryption keys
Controls access to keys and the associated encrypted content. Default is Offline access permitted.

Options:

  • Online access only. Secrets used to derive encryption keys may not be persisted on the device. Instead, the device must recover the keys from the key management service of XenMobile App Edition each time they are needed.
    Note: If you select Online access only, the authentication policy is assumed to be Network logon regardless of the authentication policy setting that you configured for the app.
  • Offline access permitted. Secrets used to derive encryption keys may be persisted on the device.
    Note: If you select Offline access permitted, Citrix recommends that you set the authentication policy to Offline challenge only in order to protect access to the keys and the associated encrypted content.
Enable encryption

Determines if the data held in local database files is encrypted. Default is On.

Options:

  • On. The data is encrypted in local database files.
  • Off. The data is not encrypted in local database files.
Database encryption exclusion list
Exclusion list of databases that are not automatically encrypted. To prevent database encryption for a specific database, add an entry to the comma-separated list of database file names. If any part of the supplied entry matches the database file name used by the app, that database is not automatically encrypted. For example, if the database to be excluded is named "googleanalytics.sql," adding "google," "googleanalytics," or "analytics" to the list prevents the database contents from being encrypted. Default is empty.
File encryption exclusions
Exclusion list of files that are not automatically encrypted. To prevent file encryption for a specific file, add an entry to the comma-separated list of file names. If any part of the supplied entry matches the file name, the file is not automatically encrypted. Default is empty.

Policies for Encryption for Android Apps

This section describes the policies you can configure in App Controller for apps that run on Android devices. Before you configure encryption policies for Android apps, to understand how file storage and encryption works on Android devices, see the topic, Configuring Encryption Policies for Android Devices. For a complete list of the policies you can configure for Android devices, see the topic, Configuring MDX Policies for Android Apps in App Controller.

Encryption keys
Controls access to keys and the associated encrypted content. Default is Offline access permitted.

Option:

  • Offline access permitted. Android devices permit offline access only. Secrets used to derive encryption keys may be persisted on the device.
    Note: If you select Offline access permitted, Citrix recommends that you set the authentication policy to Offline challenge only in order to protect access to the keys and the associated encrypted content.
Private file encryption
Controls the encryption of private data files in the following locations: /data/data/appname and /mnt/sdcard/Android/data/appname. Default is Security Group.
Options:
  • Disabled. Encryption is turned off.
  • SecurityGroup. Encrypts private files by using a key shared by all MDX applications in the same security group.
  • Application. Encrypts private files using a key unique to the application.
Private file encryption exclusions
Contains a comma-separated list of file paths. Each path is a regular expression that represents one or more files that should not be encrypted. The file paths are relative to the internal and external sandboxes. Default is empty.
Non-standard external storage locations
Contains a comma-separated list of non-standard external storage locations. Different devices may use different paths for SD cards and so on. The standard external storage location for Android (typically, /mnt/sdcard) is automatically recognized and does not need to appear on this list.
Access limits for public files
Contains a comma-separated list. There are three parts to each entry. The first part contains either "Ext" or "VS." Ext is standard storage and VS is vendor-specific external storage. Each entry also contains a regular expression path followed by (NA), (RO), or (RW). Files matching the path are limited to No Access, Read Only, or Read Write access. The list is processed in order and the first matching path is used to set the access limit. Default is empty.
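The following added example (not Citrix code, and not the product's own parser) shows how a first-match access-limit list of the kind described above is evaluated. It keeps each entry as a structured tuple (storage type, regular-expression path, access level) rather than guessing the exact on-the-wire syntax of the comma-separated string, which the text does not spell out. The policy entries, the `operation_allowed` helper, and the assumption that a path matching no entry is left unrestricted are all constructed for illustration.

```python
import re
from typing import List, NamedTuple


class AccessLimit(NamedTuple):
    """One entry of the 'Access limits for public files' list (constructed shape)."""
    storage: str   # "Ext" = standard external storage, "VS" = vendor-specific
    pattern: str   # regular-expression path, relative to that storage root
    access: str    # "NA" (No Access), "RO" (Read Only) or "RW" (Read Write)


# Constructed sample policy. Order is significant: the list is processed in
# order and the FIRST matching entry decides the limit, so the narrower
# Download/*.pdf rule must precede the broader Download/ rule.
SAMPLE_POLICY: List[AccessLimit] = [
    AccessLimit("Ext", r"^Download/.*\.pdf$", "RO"),
    AccessLimit("Ext", r"^Download/", "RW"),
    AccessLimit("VS", r".*", "NA"),          # block everything on vendor storage
]

# Compile every pattern once so a malformed regular expression is caught when
# the policy is loaded rather than on the first file access.
_COMPILED = [(e, re.compile(e.pattern)) for e in SAMPLE_POLICY]


def effective_access(storage: str, relative_path: str,
                     policy=_COMPILED, default: str = "RW") -> str:
    """Return NA/RO/RW for a file on the given storage type.

    Assumption: when no entry matches, no limit applies (the list default is
    empty, which the text describes as imposing no restriction).
    """
    for entry, pattern in policy:
        if entry.storage == storage and pattern.search(relative_path):
            return entry.access
    return default


def operation_allowed(access: str, mode: str) -> bool:
    """Map an access level to whether a read ('r') or write ('w') may proceed."""
    if access == "NA":
        return False
    if access == "RO":
        return mode == "r"
    if access == "RW":
        return mode in ("r", "w")
    raise ValueError(f"unknown access level {access!r}")


if __name__ == "__main__":
    for storage, path, mode in [("Ext", "Download/report.pdf", "w"),
                                ("Ext", "Download/notes.txt", "w"),
                                ("VS", "backup/db.sqlite", "r"),
                                ("Ext", "DCIM/photo.jpg", "w")]:
        level = effective_access(storage, path)
        print(f"{storage}:{path:<22} -> {level} ({'allow' if operation_allowed(level, mode) else 'deny'} {mode})")
```

Reversing the first two entries would give `Download/report.pdf` read-write access, which is the practical reason to list the most restrictive, most specific paths first.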
Public file encryption
Controls the encryption of public files. Default value is Security group.
Options:
  • Disabled. Does not encrypt public files.
  • Security group. Encrypts public files by using a key shared by all MDX applications in the same security group.
  • Application. Encrypts public files using a key unique to this application.
Public file encryption exclusions
Contains a comma-separated list of file paths. Each path is a regular expression that represents one or more files that should not be encrypted. The file paths are relative to the default external storage and to any explicitly listed external storage.
Public file migration
This policy is enforced only when public file encryption is enabled (changed from the Disable option to the SecurityGroup/Application option). This policy is applicable only to existing, unencrypted public files and specifies when these files are encrypted. Default value is Write(WO/RW).
Note: New files or overwriting existing unencrypted files encrypts the replacement files in every case.
Caution: Encrypting an existing public file makes the file unavailable to other applications that do not have the same encryption key.
Options:
  • Disabled. Does not encrypt existing files.
  • Write (WO/RW). Encrypts the existing files only when they are opened for write-only or read-write access.
  • Any. Encrypts the existing files when they are opened in any mode.

Configuring Encryption Policies for Android Apps

App Controller supports the following encryption features for Android devices and apps:

  • Private or public data to be encrypted through the use of a security group
  • The ability to prevent data sharing by using an application key to encrypt files
  • The ability to prevent application data from being made public by using access limits for public files that define what the app can do with storage, such as Read Only or Read Write access.
  • No encryption

Before you configure encryption policies for apps that run on Android devices, you need to understand how file storage and encryption work on Android devices.

Storing Files on Android Devices

On Android devices, files may be read or written in the following locations:

  • Internal storage
  • External storage
  • Vendor-specific external storage

How Internal Storage Works

Internal storage is a private sandbox for a specific application. The storage path is /data/data/appname, where appname is the name of the application. Directory permissions can prevent other applications from accessing the files in the specified path.

How External Storage works

External storage is a partition that is shared by all applications. On Android devices, external storage can use internal memory. Older devices might use an SD card for external storage.

External storage is often located at /mnt/sdcard. Within that directory, there are subdirectories. These include:

  • Android/data/appname that is a private sandbox, similar to what exists for internal storage.
  • Alarms, DCIM, Download, Movies, Music, Notifications, Pictures, Playlists, and Podcasts that are well known directories for specific types of content.
  • Anything else that is available to the application. The application can access files in the root external storage directory or any subdirectory. The application can also create new subdirectories.

How Vendor-Specific External Storage Works

Android devices might support external storage devices, such as memory cards. When users insert the memory card into the device, the path is defined by the device manufacturer. For example, on the Samsung Galaxy Tab 2, the path is /mnt/extSdCard. The Android operating system does not manage this storage.

Configuring File Application Policies

You can use application policies to control transparent file encryption. The policies apply to public and private files and other areas on Android devices.

  • Private files. A vault that contains internal storage and the sandbox area for external storage.
  • Public files. A vault that contains standard external storage and any vendor-specific external storage.
  • Other. A category that you can use for key management and access limit policies.

Encryption uses the concept of inclusion prefixes and exclusion filters. Inclusion prefixes indicate whether a file is in a particular vault; each vault has a list of inclusion prefixes. Exclusion filters are POSIX extended regular expressions that cause particular files or directories to be omitted from a vault. When determining if a path is in a vault, the path must first begin with a prefix associated with the vault. If the prefix matches, the remainder of the path must also NOT match any of the exclusion filters. If both conditions pass, the path is considered to be part of the vault.

Some applications use unsupported access modes like memory mapping. Others may try to use encrypted files before the encryption key is available. If application issues are encountered, the logcat log may be used to search for error messages on the ctxtfe component. This may lead to possible paths/files that should be excluded.

The following are examples of inclusion prefixes, exclusion filters, and paths:

Inclusion Prefixes

  • /data/data/com.foo
  • /mnt/sdcard/Android/data/com.foo

Exclusion Filters

  • ^app_dx/
  • \.jpg$

Paths

If a vault is defined by the above inclusion prefixes and exclusion filters, the following example paths may or may not appear in the vault:

  • /data/data/com.foo/files/myfile.doc

    Located in the vault.

  • /data/data/com.bar/files/myfile.doc

    Not in the vault because there are no inclusion prefixes that match.

  • /data/data/com.foo/app_dx/generated23423.jar

    Does not reside in the vault because of the ^app_dx/ exclusion. The prefix is removed from the path, leaving the path app_dx/generated23423.jar. The exclusion entry that contains the caret (^) symbol means that the match must occur at the beginning of the string. The next characters "app_dx/" must match exactly. The remainder of the path can be anything. You can use this pattern to exclude everything under a specified directory name.

  • /mnt/sdcard/Android/data/com.foo/files/mypic.jpg

    Does not reside in the vault because of the \.jpg$ exclusion. The "\." indicates a match with a dot. The backslash is necessary because the dot is a special regular expression character. The "jpg" extension is a literal match. The "$" means match at the end of the line. This matches any path that ends in ".jpg".
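The vault-membership rule above (prefix first, then exclusion filters against the prefix-stripped remainder) is small enough to write down and run against the four example paths. The following is an added example, not MDX code and not the ctxtfe component: it reuses the sample inclusion prefixes and exclusion filters from this section, uses Python's `re` module in place of POSIX extended regular expressions (an assumption that holds for the simple anchors and escapes used here), and the `classify` and `in_vault` function names are constructed for illustration.

```python
import re

# Sample policy from the page: two inclusion prefixes and two exclusion filters.
INCLUSION_PREFIXES = ["/data/data/com.foo", "/mnt/sdcard/Android/data/com.foo"]
EXCLUSION_FILTERS = [r"^app_dx/", r"\.jpg$"]

# Compile once at policy load so a malformed filter is reported up front
# rather than at the first file access.
_COMPILED_FILTERS = [(text, re.compile(text)) for text in EXCLUSION_FILTERS]


def relative_to_vault(path, prefixes=INCLUSION_PREFIXES):
    """Strip the first matching inclusion prefix (and the slash after it).

    Returns the remainder of the path, or None when no prefix matches.
    The match is a plain string prefix, as the text describes.
    """
    for prefix in prefixes:
        if path.startswith(prefix):
            return path[len(prefix):].lstrip("/")
    return None


def classify(path, prefixes=INCLUSION_PREFIXES, filters=_COMPILED_FILTERS):
    """Explain why a path is or is not in the vault, as the examples above do."""
    relative = relative_to_vault(path, prefixes)
    if relative is None:
        return "not in vault: no inclusion prefix matches"
    for text, pattern in filters:
        # Filters run against the prefix-stripped path, so '^' anchors at the
        # vault root ("app_dx/..."), not at the start of the absolute path.
        if pattern.search(relative):
            return f"not in vault: excluded by {text}"
    return "in vault"


def in_vault(path, prefixes=INCLUSION_PREFIXES, filters=_COMPILED_FILTERS):
    return classify(path, prefixes, filters) == "in vault"


if __name__ == "__main__":
    for p in ["/data/data/com.foo/files/myfile.doc",
              "/data/data/com.bar/files/myfile.doc",
              "/data/data/com.foo/app_dx/generated23423.jar",
              "/mnt/sdcard/Android/data/com.foo/files/mypic.jpg",
              "/mnt/sdcard/Android/data/com.foo/files/cache/app_dx/x.jar"]:
        print(f"{p}\n    {classify(p)}")
```

Two details worth checking in a real policy are visible in the code: because `^app_dx/` is anchored at the vault root, an `app_dx` directory nested deeper (`files/cache/app_dx/...`) is still encrypted, and because matching is case-sensitive, `\.jpg$` does not exclude `photo.JPG`. Plain prefix matching also means `/data/data/com.foo` matches `/data/data/com.foobar`; append a trailing slash to the prefix if you need a directory boundary.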

When you configure encryption in App Controller for Android devices, users are permitted offline access only, which allows secrets used to derive encryption keys to be persisted on the device.

Note: If you select Offline access permitted, Citrix recommends that you set the authentication policy to Offline challenge only in order to protect access to the keys and the associated encrypted content.

For a complete list of the policies that you can configure for Android devices, including the encryption policies, see Configure MDX Policies for Android Apps in App Controller, in this section.

Configuring Private and Public File Encryption

You can configure two types of encryption key that can be applied to either the private or public files. You can select the key type to balance higher security against the ability to share data. You can use both key types with apps wrapped with the MDX Toolkit and apps that are not wrapped with the toolkit. The two keys are:

  • Security Group Key, which encrypts public files by using a key available to all MDX apps in the same security group. Using the security group key allows sharing of data between applications. However, the level of security is lower.
  • Application Key, which encrypts public files by using a key available only to the specific MDX app. The application key offers the highest security. If you use the application key, it prevents data from being accessed by other MDX apps. For example, if users in the health industry have radiology files that cannot be compromised, when you upload the app to App Controller, the files are encrypted and cannot be shared.

You can also configure access limits for public files to block data from being moved to less secure locations, such as removable storage. Access limits are independent of encryption.