The secure app problem

We’ve seen a lot of train wrecks in secure iPad and iPhone development. It used to be that, outside of COTS tools like the PKard Reader app for secure web, the only way to implement secure apps with strong two-factor, military or government grade smart card authentication was laborious, expensive and time-consuming low-level hard-coding to a specific reader or card with tools like PC/SC or PKCS#11, and re-inventing the wheel for all of the higher-level functionality. It was more like coding in assembler in the 1960s or 70s than anything of the modern era.

Organizations, systems integrators and ISVs spent man-months and years discovering how different iOS is from legacy Windows, Linux and Android (how sandboxing differs from shared resources, or that dynamically linked libraries are not supported), and just how far open source and web forums didn’t take them in development, integration, testing, certification and maintenance, despite the lure of something seemingly free and easy with 'just a few tweaks'. Most projects were abandoned early, with only a few limping to the prototype stage, saddling users with little or no choice in cards and readers and no way to use newer, faster hardware coming to the market, or simply hardware with different form factors.

Simple and free solution for secure app development

Since the launch of the PKard Reader app and the PKard Reader early this year, an affordable and immediately useful end-to-end COTS solution, the market has gone from a few dozen lab and R&D developers (the only groups able to build their own software, and often only for demos or training/familiarization) to thousands of real-world end users in deployments across the DoD, the Federal Government and enterprises across the US, Europe, Asia and Latin America.

Over the last two years, we’ve been listening to clients, integrators and ISVs that need to develop custom secure apps for their users, but without the strings and costs attached to specific readers, or to specific cloud or NOC-based solutions. They wanted, and we delivered:

- Multi-reader support (delivering choice in hardware, including all of the mass market readers for volume deployments, covering various price points, form factors and distribution channels, with more to come)
- Multi-card support (opening up markets more widely than just US DoD or Fed, especially important with more smart cards outside the US than within it, with more to come)
- Soft or derived certificate support where security standards / infrastructure permit them
- FIPS 140-2 for standards-based Data At Rest (DAR) and Data In Transit (DIT)
- Work with BYOD, or any MDM (without hard-coding to any specific NOC or proprietary "container")
- Faster, simpler development, certification and maintenance (high-level calls make many secure apps trivially simple to develop compared to low-level coding)
- Free (no one wants to build royalties and fees into their apps)

As is usual for our products, soft launch has already happened – our secure browsing apps were field tested across the DoD/Federal government for fully six months before launch.

Simpler still solution for secure web development

We still think that smart card enabling web sites is the fastest, most cost-effective way to reach iPad and iPhone users, as well as users on Windows, OS X, Linux etc. An IIS web server tied into Active Directory can be PIV or .NET enabled by just selecting a few options, and is then plug’n’play with the PKard Reader app, leveraging nothing but standard infrastructure. The WWW, now over twenty years old, was created as the ultimate thin client. If all data is left on the server, it’s incredibly secure, since devices have no DAR and are stateless. HTML5/JavaScript in a browser can do just about anything an app can, but it's inherently cross-platform and faster and easier to build and maintain.
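To make "selecting a few options" concrete, here is the server side of that setup as an added example: the IIS settings that require a client certificate over TLS and map the presented certificate to an Active Directory account. This is the editor's own script, not Thursby code and not a procedure quoted from the post. It assumes an elevated PowerShell session on a domain-joined Windows Server that already runs IIS with an HTTPS binding; the site name and the CA file path are placeholders to replace.

```powershell
# Added example, not from the original post. Assumes a domain-joined IIS server with an
# HTTPS binding already configured, run from an elevated PowerShell session.
$siteName      = "Default Web Site"                     # placeholder: your IIS site name
$issuingCaFile = "C:\certs\ISSUING-CA-PLACEHOLDER.cer"  # placeholder: CA that issued the users' smart card certificates

# 1. Install the IIS feature that maps client certificates to Active Directory accounts.
Install-WindowsFeature Web-Client-Auth | Out-Null
Import-Module WebAdministration

# Authentication sections are locked at the server level by default, so write them into
# applicationHost.config via a <location> entry for the site rather than the site's web.config.
$appHost = "MACHINE/WEBROOT/APPHOST"

# 2. Require TLS and a client certificate: Ssl = HTTPS only, SslNegotiateCert = ask the
#    client for a certificate, SslRequireCert = reject connections that present none.
Set-WebConfigurationProperty -PSPath $appHost -Location $siteName `
    -Filter "system.webServer/security/access" -Name sslFlags `
    -Value "Ssl,SslNegotiateCert,SslRequireCert"

# 3. Resolve the certificate to a domain account (implicitly via the UPN in the certificate's
#    Subject Alternative Name, or explicitly via the account's altSecurityIdentities attribute)
#    and switch anonymous access off so the certificate is the only way in.
Set-WebConfigurationProperty -PSPath $appHost -Location $siteName `
    -Filter "system.webServer/security/authentication/clientCertificateMappingAuthentication" `
    -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $siteName `
    -Filter "system.webServer/security/authentication/anonymousAuthentication" `
    -Name enabled -Value $false

# 4. The server must trust the chain behind the cards (the root belongs in Root, intermediates
#    in CA), and implicit UPN mapping additionally requires the issuing CA in the domain's
#    NTAuth store; without that step valid certificates are rejected with a 403.
Import-Certificate -FilePath $issuingCaFile -CertStoreLocation Cert:\LocalMachine\CA | Out-Null
certutil -dspublish -f $issuingCaFile NTAuthCA

# 5. Read back the effective settings as a check.
Get-WebConfiguration -PSPath $appHost -Location $siteName `
    -Filter "system.webServer/security/access" | Select-Object sslFlags
Get-WebConfiguration -PSPath $appHost -Location $siteName `
    -Filter "system.webServer/security/authentication/clientCertificateMappingAuthentication" |
    Select-Object enabled
```

The same five settings are what an administrator clicks through in IIS Manager (SSL Settings, then Authentication). Step 4 is the one most often missed: IIS accepts the TLS handshake as soon as the chain is trusted, but the account lookup behind Active Directory mapping fails unless the issuing CA is also in NTAuth, so a 403 after a successful PIN prompt usually points there.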