Securing the .mmpk file on the device

604
8
05-16-2019 01:30 AM
SandeepKuniel1
New Contributor III

We are in the process of creating an offline application(for android, uwp & ios) using Xamarin Forms with editing capabilities for the field worker.

The workflow is to download the offline map package (.mmpk file), record/edit records in the field and post it whenever network is restored.

One of the concerns we have is the security of the map package, the data is sensitive and the customer would not like it to be tampered, except by the concerned application.

Is there any workflow to secure this map package? 

0 Kudos
8 Replies
MichaelBranscomb
Esri Frequent Contributor

Hi,

We're investigating workflows for ArcGIS Pro and ArcGIS Runtime to support aspects such as encryption, password protection, and expiration of mobile map packages. At this time all I can say is these features are on the roadmap.

Cheers

Mike

SandeepKuniel1
New Contributor III

Nice Michael,

Any detail on which Arcgis version is going to carry this functionality?

As of now, we are securing the files inside a local password protected DB.Which is extracted on the fly by the application and destroyed upon usage.

It would be nice to hear more about the approach you intend to take, in order to resolve the issue.

0 Kudos
MichaelBranscomb
Esri Frequent Contributor

Hi,

I can't share any information yet on password protection / encryption but support for expiration of mmpk files is on the short term roadmap for an upcoming release of ArcGIS Pro (it was included in the ArcGIS Runtime v100.5 API in readiness).

Cheers

Mike

0 Kudos
SandeepKuniel1
New Contributor III

Thank you for the info Michael.

0 Kudos
KatieHansen_NIFCAdmin
New Contributor III

Hello Michael,

Are there any updates on encryption of mmpk files? 

Thank you

AlbertoMillán-Meléndez
New Contributor

this will be helpful

0 Kudos
dotMorten_esri
Esri Frequent Contributor

Generally on iOS and Android, if you store data within the application's own storage area, there's no way for any other app to get at it (unless you explicitly enable that). For Android you should ensure your doesn't allow to be installed on an SD Card (albeit I believe it's still encrypting that area).

I'd suggest you should read up on how Android and iOS stores data securely. They can lock it down much better at the hardware level, than an SDK would ever be able to do, so using the built-in features of the OS is always more secure.


WRT UWP, data is stored in a folder that does require some admin access to get to, but that's about as secure as that gets - once you're elevated to administrator you can do pretty much anything. However you should consider using Bitlocker on the device to encrypt the harddrive and reduce admin access to a select few. Especially with a TPM chip on device, that gets pretty tricky to hack into.

SandeepKuniel1
New Contributor III

Thank you for your time Morten,

For android and ios secure storage helps but the UWP has been a concern, shall look into your suggestions.

0 Kudos