Overview
Recently I did a Windows Phone 8 application project for the state government. It has an existing system for tracking and monitoring the tagged sharks in the oceans for research and alerting purposes. It has an internal administration website for maintaining the business data. The goal of this project is to implement a Windows Phone 8 application that can give the staff the ability to maintain the data by using mobile devices either online or offline when they are on boats doing the job, with some nice features such as giving the current location’s longitude and latitude.
Requirements
The main requirements include:
- The user needs to input a six-digit number in order to use the functionalities
- The user needs to be able to retrieve the data from the server if there is a connection
- The user needs to be able to filter the data on the phone
- The user needs to be able to create and update the data on the phone
- The user needs to be able to push the changes back to server. If there is no connection the changes need to be saved on the phone
- When there is a connection the user needs to be able to push the changes saved on the phone to the server
- The phone needs to provide the location service to get the current location’s longitude and latitude
- The communication between the phone and server needs to be secured
- Only authorized phone devices can exchange data with the server
- The data stored on the phone needs to be encrypted
- The user interface needs to be user friendly
Technologies
The project used the following technologies
- Windows 8 64-bit
- Windows Phone 8
- Visual Studio 2012
- SQL Server Compact
- Resharper 8.0
- MVVM Light
- Windows Phone Toolkit
- Moq
- Microsoft Windows Phone Unit Testing
- Https WCF services
Security
The security is implemented from the following aspects:
- Windows phone lock screen
- Mobile application pin number screen
- Local data encryption
- Data transportation security
- Device authorization process
Windows phone lock screen
The user’s Windows phone devices are required to setup a lock screen with a pin number. The phone should be auto-locked if it is not attended for some time (recommend 5 to 10 minutes).
Mobile application pin number screen
When the mobile app is launched, it displays a pin number screen. The user needs to input a correct six-digit pin number by tapping the numbers on the screen before the user can access any of the application functionalities.
Local data encryption
The mobile application uses a SQL Server Compact database to store the data on the phone. The database is encrypted by using the algorithm provided by .Net Framework 4.5 that the database is encrypted by using AES-128 and the password is hashed by using SHA-256.
Data transportation security
The data exchanged between the Windows Phone and the services is encrypted by using https, which is a secured communication over a computer network. This makes sure all the data is transferred between the phone device and the trusted services in a secure way that the data is encrypted by using a valid certificate from a trusted CA authority.
Device authorization process
Since Windows Phone 8 operation system does not support client certificate, the mobile application embeds its device unique ID in the message head in every request sent to the service. The service validates the device unique ID against a list of authorized device ID in every request before it processes to any actual data. This makes sure that only authorized devices are allowed to consume the business data.
Windows Phone App Policies
In order to be able to be published on the Windows Phone App Store, there are a list of App Policies need to be implemented by the phone application. The policies can be found at
http://msdn.microsoft.com/en-us/library/windowsphone/develop/hh184841(v=vs.105).aspx
SMN Mobile application implemented two policies:
- clause 2.7 which is related to location service
- clause 2.8 which is related to acquiring phone device information
