March 6th, 2013

New Layer 7 eBook: 5 Ways Every Telco Can Benefit from APIs

The recent Mobile World Congress event in Barcelona reminded us about the growing importance of APIs to the telecommunications sector. Telco was actually one of the first sectors to show an interest in APIs but most carriers have still not taken full advantage of the opportunities presented by APIs and some have got their fingers burned trying to court the long tail of third-party app developers.

Still, with Web and mobile technologies creating competition from outside the telco sector, carriers need ways to quickly adapt to technological change – and APIs provide the perfect solution. APIs allow telcos to open up their services for efficient repurposing by internal developers and partner organizations, creating opportunities for being quick to market with innovative new offerings.

Layer 7’s latest eBook 5 Ways Every Telco Can Benefit from APIs provides an overview of how carriers can realize these opportunities. If you visited the Layer 7 booth at MWC, you might have picked up the print version of this handsome document. If not, don’t hesitate to download the electronic version.

February 25th, 2013

SSO & OAuth for Mobile Apps – Live Discussion, Feb 26

In case you haven’t heard, we are living in the age of mobile applications and the APIs that power them. Sometimes it’s called the API economy.

Smart phones are ubiquitous, social networks are the norm and we are connected to applications on our devices all the time. We love applications like Instagram, Twitter, Evernote and Snapchat. But we don’t like signing in and out of each of these applications across networks or devices. It’s awkward and cumbersome and we’re often doing it while on the go or commuting, with only one hand to use while tapping in our passwords. Besides, who wants to remember all those passwords anyway? And it’s not safe to use the same one for every application.

This is the major downside of using all these great new mobile applications. Most of us would gladly invite a scenario where we’d only need to log in once to access multiple applications. There’s social login – but is it safe and is our privacy secure? Remember what happened to Burger King’s Twitter account? Enter Single-Sign-On & OAuth for Mobile Applications.

On Tuesday Feb 26, we’ll be hosting a live interactive Tech Talk on security and Single Sign-On (SSO) for mobile applications. And I’m excited to welcome back Layer 7’s Chief Architect and resident OAuth expert Francois Lascelles. He’ll discuss how to provide SSO for mobile applications, without compromising the security of the apps or the APIs that power them. Francois will also be taking your questions throughout the Tech Talk. So, this will be a great opportunity to get answers to your questions about your own applications and the security that surrounds them.

Click here to get the event details and a reminder in your calendar.


February 20th, 2013

Journey to the Center of the Mobile World


Mobile World Congress – three words that strike fear into the hearts of marketing managers everywhere, for this is the largest mobile event of the year and we’re just a few days away from seeing 70,000 visitors descend upon Barcelona like a kettle of vultures, hungry for new innovations. This year, they will be treated to new hunting ground too, as MWC moves to a new, larger venue with more room for fresh meat. Before that metaphor gets completely worn out, let’s take a look at what we can actually expect from this year’s show.

As usual, we’re likely to see a very broad sweep across various areas of telco innovation and mobile strategy but there are some fundamental questions facing the community and these will dominate many conference sessions, seminars and exhibits:

  1. Connected Living
    As the Internet of Things gains momentum, how can the service provider community deliver the kind of enriched connectivity the broader ecosystem increasingly demands?
  2. Mobile Commerce
    For years, mobile has been a key banking and commerce tool for certain markets. With the rise of NFC (near field communication) and success stories like the Starbucks mobile payment app, will mobile become the preferred payment instrument for us all?
  3. Next-Generation Communications
    The world of communications moves quickly – too quickly even for service providers at times, with the runaway success of technologies like iMessage, WhatsApp and – next – WebRTC. In this ever-innovating world of mobile communications, can service providers regain some ground and demonstrate their value?

Layer 7 has answers to these questions and will be at MWC, demonstrating a variety of solutions that can help service providers address the challenges ahead. For example:

  1. We have been collaborating with AT&T and have planned an M2M solution that will capture anonymous information about visitors as they move around the exhibition halls. This information will be presented as intelligent APIs via the Layer 7 platform.
  2. Security and authentication are very familiar terms to Layer 7 and we’ll be showing how mobile payments can be easily and securely integrated with a mobile app without compromising the user experience.
  3. “Communications as a Service” opens many opportunities for service providers and the new partnership between Layer 7 and Voxeo Labs will show how easy it can be to capitalize on these opportunities.

Come and meet the team at booth 8.1A47 in the App Planet zone or email info@layer7.com to schedule a meeting. See you there!

February 7th, 2013

“Mobile App Security: Always Keep the Back Door Locked” – Our Take

Today’s lead article on Ars Technica talks about the importance of protecting backend resources in the context of mobile applications. The article rightly stresses the importance of this security, talks about the uptake in OAuth and cites API Gateway solutions as a popular option in this space.

However, the article clearly misstates the capabilities of an API Management solution founded on an API Gateway. I am going to assume that the author only had exposure to API Gateways second hand or through a competitor of Layer 7. Here are the misconceptions propagated by the article, along with some corrections:

“These API gateway services can be prohibitively expensive for small-scale applications…  ‘You can replicate the API gateway by creating a set of proxy services in their data center in an application container in their DMZ.’”

Trying to create your own homegrown set of proxy services is expensive and risky. The Layer 7 API Management Suite’s Gateway technology includes 10 years of functional enrichment and optimization. Such robustness cannot be hacked together on the fly.

“An API gateway still runs on the notion that you have to be careful not to block what might be legitimate traffic. So that could cause some openness – some attacks might slip through using Web application firewall evasion techniques.”

An API Gateway is not a typical web application firewall. Layer 7’s Gateway (evident in the company’s name) has full access to all layers of the data stream and can apply protections at any of these layers.

“Of course, if they can retrieve a developer key, attackers can slip past API gateways until their activity is noticed…  That’s why it’s important to encrypt any data stored on the device, including developer keys[.]”

API keys are not treated as security tokens by an API Gateway. The term “API key” is equivalent to a “database key”, not a security key, so don’t mistake it for a robust access control mechanism. It is mainly an identification mechanism. It is a gross misunderstanding to equate API developer keys with a standard access control cryptographic mechanism like PKI public/private keys.

“But keys have other ways of getting into the wild besides breaking into the application code.”

Right, so you should not rely on these keys for access control. The good news is that the API Management Suite’s Portal/Gateway combination makes it easier to revoke and reissue developer keys.
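The distinction drawn in the two replies above (an API key identifies the calling app, a separate token carries access control, and a leaked key can be revoked) can be sketched as follows. This is an added example, not Layer 7 code: the `APPS` registry, the `handle` function and the HMAC-signed token format are hypothetical stand-ins for a real OAuth access token check.

```python
import hashlib
import hmac
import time

TOKEN_SECRET = b"constructed-demo-secret"  # constructed value; stands in for real token validation
# API key -> app record. The key is a lookup identifier, like a database key.
APPS = {"app-123": {"name": "demo-mobile-app", "revoked": False}}  # constructed sample data

def _sign(payload):
    return hmac.new(TOKEN_SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_token(user, scope, ttl=300, now=None):
    """Mint a short-lived signed token (hypothetical format: user|scope|exp|sig)."""
    exp = int((time.time() if now is None else now) + ttl)
    payload = f"{user}|{scope}|{exp}"
    return f"{payload}|{_sign(payload)}"

def verify_token(token, required_scope, now=None):
    """Return the user if signature, expiry and scope all check out, else None."""
    try:
        user, scope, exp, sig = token.split("|")
        expires = int(exp)
    except (ValueError, AttributeError):
        return None  # missing or malformed token
    expected = _sign(f"{user}|{scope}|{exp}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if expires < (time.time() if now is None else now):
        return None
    return user if scope == required_scope else None

def handle(api_key, token, required_scope="orders:read", now=None):
    """Gateway-style check: the key identifies the app, the token authorizes the call."""
    app = APPS.get(api_key)
    if app is None or app["revoked"]:
        return 403, "unknown or revoked API key"
    user = verify_token(token, required_scope, now)
    if user is None:
        # A key extracted from the app binary gets the caller no further than this.
        return 401, "valid access token required"
    return 200, f"{app['name']} acting for {user}"
```

Setting `APPS["app-123"]["revoked"] = True` models revoking a leaked developer key: every request carrying it is rejected, while user tokens are issued and validated independently of the key.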

“For enterprise applications, an API gateway isn’t always enough – users need to get access to content on servers inside the firewall that may not be easily exposed through a Web API.”

And this is where the API Gateway really adds value. The Layer 7 API Management Suite allows companies to turn those backend interfaces from their native protocols into REST APIs or other formats that are friendly to mobile devices.

So, thanks to Ars Technica for flagging up this important aspect of mobile security and here’s hoping that this corrected information is included in the next article.

February 4th, 2013

More Mobile Access Predictions for 2013

With February just beginning, the mobile world is gearing up for Mobile World Congress (MWC), which will be taking place in Barcelona at the end of the month. It’ll certainly be interesting to see what new products and features will be announced at the show. From the ongoing trends (some of which Mike Amundsen recently discussed), I’d expect to see a number of announcements of IoT products.

The good old measure of progress, mobile subscriber penetration, doesn’t cut it anymore. Now, the real measure is how many other connected devices a subscriber uses – iPads, Smart TVs and even fridges (who wouldn’t want a Galaxy Kitchen or an iPad Mini?) This is just the start of a revolution in connectivity, which will make it easier than ever to consume information and equally easy to emit a lot of information, often through social networks.

But there is another aspect to this – not only will you be able to post your own information but there will be all kinds of devices that can “sense” information about you. I expect to see a lot of this at MWC – sensors and cameras scattered around the floor, mapping passers-by to Facebook profiles and other personal information. Obviously, the capturing and cross pollination of this information raises all sorts of privacy issues.

It will also have a number of significant ramifications for mobile developers. First, there will be a new wealth of information available in the form of Web service APIs, as most of the data will be stored in the cloud. The sheer scale of this new information-rich world will require apps to leverage cloud processing capabilities in order to be truly effective. This will create opportunities for enterprises to rethink their mobile architectures.

Second, mobile developers will need to use standard protocols for authentication and authorization. OAuth and OpenID Connect are key standards for protecting resources and allowing app users to authorize apps to leverage their information. Will these standards address all the privacy issues mentioned above? Probably not but they will make it a good deal easier for app developers to comply with privacy laws and regulations.

Third, the most successful app developers will be those that are able to provide a seamless user experience (UX) across multiple devices. This is because the end user of the near future will naturally expect all apps to know about other sessions that the user had with an app across all of his or her many smart devices. Devs will therefore want to migrate sessions across devices, to bolster the UX.

If you’re going to MWC, come and say hello to the Layer 7 team. We will be located in the App Planet area Hall: 8.1 Booth: A47. I hope to see you there!