Mobile-Access Security

Use caution when using B2C Service on a mobile device.

In a previous release of B2C Service, an accelerator was provided that offers new ways to access B2C Service from a mobile device. The solution is built on the Oracle Mobile Application Framework (MAF), which lets you develop both iOS and Android applications from a single code base. For more information, see Answer ID 5436.

The MAF accelerator contains supplemental objects as well as software that uses REST APIs. Become familiar with the architecture and capabilities of the Oracle Mobile Application Framework before developing and deploying code.

As with all accelerators, the provided code is a sample of the features that can be developed. The sample code has not gone through a third-party assessment against any regulatory framework. Although the included code may function directly upon deployment, it uses only basic authentication, which may not be appropriate for deployment in a regulated environment.

The MAF architecture provides for encryption of data on end-user devices. When MAF is used within a PCI-compliant implementation of B2C Service, PAN data and Social Security numbers displayed on the device are masked and therefore unreadable.

One exception to this rule is push notifications. Because notifications sent from B2C Service are configured as events and pushed out of B2C Service, sensitive data sent in push notifications is not masked. Validate that fields containing PII, PAN, or PHI data are not included in push notifications that might appear on a mobile device.
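The following is an added example of the kind of validation described above; it is not part of the accelerator or of B2C Service. It scans a constructed notification payload (hypothetical field names) for values that look like a PAN (13 to 19 digits that pass the Luhn check) or a U.S. Social Security number, reports which fields are affected, and can mask the matches before the payload is handed to the push service. Pattern matching of this kind is a safety net, not a substitute for keeping sensitive fields out of the event configuration in the first place.

```python
import re
from typing import Dict, List

# Constructed sample payload for illustration only; the field names are
# hypothetical and do not correspond to a real B2C Service event.
SAMPLE_NOTIFICATION = {
    "title": "Incident 120456 updated",
    "body": "Customer called about card 4111 1111 1111 1111, SSN 123-45-6789",
    "incident_id": "120456",
}

# U.S. SSN: AAA-GG-SSSS, excluding invalid area/group/serial values.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_pan(match_text: str) -> str:
    """Return the bare digits if the matched text is a Luhn-valid PAN, else ''."""
    digits = re.sub(r"[ -]", "", match_text)
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return digits
    return ""


def find_sensitive(text: str) -> List[str]:
    """List masked descriptions of PAN and SSN values found in text."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = _is_pan(m.group())
        if digits:
            findings.append(f"PAN:{digits[:6]}...{digits[-4:]}")
    for m in SSN_RE.finditer(text):
        findings.append("SSN:***-**-" + m.group()[-4:])
    return findings


def check_notification(payload: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each payload field that carries PAN or SSN data to its findings.

    An empty dict means the payload is clear to send.
    """
    report = {}
    for field, value in payload.items():
        hits = find_sensitive(value)
        if hits:
            report[field] = hits
    return report


def mask_sensitive(text: str) -> str:
    """Replace Luhn-valid PANs and SSNs in text, keeping only the last four digits."""
    def pan_repl(m):
        digits = _is_pan(m.group())
        if digits:
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()        # not a valid PAN; leave the text alone
    text = PAN_RE.sub(pan_repl, text)
    return SSN_RE.sub(lambda m: "***-**-" + m.group()[-4:], text)


if __name__ == "__main__":
    report = check_notification(SAMPLE_NOTIFICATION)
    for field, hits in report.items():
        print(f"field {field!r} contains sensitive data: {hits}")
    safe = {k: mask_sensitive(v) for k, v in SAMPLE_NOTIFICATION.items()}
    print("masked body:", safe["body"])
```

Run the check on the assembled payload before it is passed to the push service, and either drop the notification or replace the offending fields with the masked text; the Luhn check keeps incident numbers and other long identifiers from being flagged as card numbers.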

As with other integrations, take care when implementing this mobile solution on iOS. Because of the usage requirements of the Apple Push Notification Service (APNs), the sample code uses B2C Service Mobile as an intermediary service. Understand how B2C Service Mobile protects and persists data before you implement it.