topic Re: Securing the .mmpk file on the device in .NET Maps SDK Questions

Securing the .mmpk file on the device

SandeepKuniel1 — Thu, 16 May 2019 08:30:28 GMT

We are in the process of creating an offline application(for android, uwp & ios) using Xamarin Forms with editing capabilities for the field worker.

The workflow is to download the offline map package (.mmpk file), record/edit records in the field and post it whenever network is restored.

One of the concerns we have is the security of the map package, the data is sensitive and the customer would not like it to be tampered, except by the concerned application.

Is there any workflow to secure this map package?

Re: Securing the .mmpk file on the device

MichaelBranscomb — Tue, 21 May 2019 15:03:39 GMT

Hi,

We're investigating workflows for ArcGIS Pro and ArcGIS Runtime to support aspects such as encryption, password protection, and expiration of mobile map packages. At this time all I can say is these features are on the roadmap.

Cheers

Mike

Re: Securing the .mmpk file on the device

SandeepKuniel1 — Wed, 22 May 2019 10:34:02 GMT

Nice Michael,

Any detail on which Arcgis version is going to carry this functionality?

As of now, we are securing the files inside a local password protected DB.Which is extracted on the fly by the application and destroyed upon usage.

It would be nice to hear more about the approach you intend to take, in order to resolve the issue.

Re: Securing the .mmpk file on the device

MichaelBranscomb — Wed, 22 May 2019 16:27:44 GMT

Hi,

I can't share any information yet on password protection / encryption but support for expiration of mmpk files is on the short term roadmap for an upcoming release of ArcGIS Pro (it was included in the ArcGIS Runtime v100.5 API in readiness).

Cheers

Mike

Re: Securing the .mmpk file on the device

SandeepKuniel1 — Thu, 23 May 2019 06:37:21 GMT

Thank you for the info Michael.

Re: Securing the .mmpk file on the device

dotMorten_esri — Fri, 24 May 2019 23:56:23 GMT

Generally on iOS and Android, if you store data within the application's own storage area, there's no way for any other app to get at it (unless you explicitly enable that). For Android you should ensure your doesn't allow to be installed on an SD Card (albeit I believe it's still encrypting that area).

I'd suggest you should read up on how Android and iOS stores data securely. They can lock it down much better at the hardware level, than an SDK would ever be able to do, so using the built-in features of the OS is always more secure.

WRT UWP, data is stored in a folder that does require some admin access to get to, but that's about as secure as that gets - once you're elevated to administrator you can do pretty much anything. However you should consider using Bitlocker on the device to encrypt the harddrive and reduce admin access to a select few. Especially with a TPM chip on device, that gets pretty tricky to hack into.

Re: Securing the .mmpk file on the device

SandeepKuniel1 — Mon, 27 May 2019 07:39:46 GMT

Thank you for your time Morten,

For android and ios secure storage helps but the UWP has been a concern, shall look into your suggestions.

Re: Securing the .mmpk file on the device

KatieHansen_NIFCAdmin — Wed, 25 Nov 2020 16:57:24 GMT

Hello Michael,

Are there any updates on encryption of mmpk files?

Thank you

Re: Securing the .mmpk file on the device

AlbertoMillán-Meléndez — Thu, 04 Feb 2021 21:02:01 GMT

this will be helpful