Technical / Security Overview
1 Intro
Intro
Secure Contacts app enables the end-to-end privacy-compliant use of business contacts on the iPhone. Personal data is protected through full integration with Microsoft Intune, and synchronization with third-party apps such as Whatsapp, Google, etc. is prevented. Users do not have to store and maintain a single contact on their own device.
All business data from the company address book, personal Outlook address book, and customer data from any CRM system or other sources are made available in the app and managed centrally.
The app acts as a protected and encrypted container that prevents uncontrolled data leakage to third-party app providers.
Function overview
Data protection and information security
DSGVO/GDPR Compliant
DSGVO/GDPR compliant storage of data
Prevention of uncontrolled outflow of contact data by apps with access to the device phonebook (such as Whatsapp).
Encryption
256-Bit-AES-Encryption
Control over the data
Deletion of all data at
loss of the device
quits company
suspicious behavior
Prevent data from being stored in the iCloud or local backups
Control over data flow
Open-In Control
Control of the usable messenger and telephony apps
Deactivation of local data storage
Copy/Paste Control
Control in from and to which apps data can be copied
Disable 3rd party keyboards
Access protection
PIN, TouchID or FaceID before using the app
Azure AD Conditional Access based on device status (= Compliant Device)
Azure AD Conditional Access based on App-Status (= Require App protection policy)
Usability
Outgoing calls: Telephony
Contacts from Outlook address book
Contacts from the company address book (Global Address List)
Contacts from other sources such as CRM system
simple, anonymized calls
Caller identification of incoming calls
Contacts from Outlook address book
Contacts from the company address book (Global Address List)
Contacts from other sources such as CRM system
Vacation and idle mode (diverting business calls to voicemail)
Microsoft Teams status display
Display of Microsoft Teams status for contacts from the company address book
Integratable telephony and messenger apps
Cell phone
Microsoft Teams
Other services such as Cisco Jabber
More functions
Merging duplicate contacts
Simple search
Management
Central management of the app (via Microsoft Intune)
App-based configuration
App protection policies
App configuration policies
Global filter rules for contacts
CI-customization
Architecture
Security concept
The app's security concept is based on two components. First, the data is encrypted within the app. In addition, a security configuration is applied to the app via the Microsoft UEM System Endpoint Manager (Intune).
Data sources
SCA is a cloud nativ App, so it gets all contact information from the client Azure Tenant. Primary data sources are the Azure Active Directory [AAD] and the Global Address List [GAL]. Furthermore, it gets contact information from the users personal Outlook Contacts [APC] (Exchange Online only). Optional data sources are Dynamics 365 [D365], MS Dataverse [DVRS] and Azure Blob Storage [ABS], which need additional configuration at clients Azure Tenant.
App Data in Transit
SCA communicates with MS Azure Cloud only. Primarily with Graph API and the Azure Authentication Endpoint, optionally with Azure Blob Storage and Azure Dataverse. Any API call or transaction take place over HTTPS using Transport Layer Security (TLS). After SSL handshake negotiation, SCA and Azure API Endpoints will utilize the strongest encryption algorithm which is available on both sides. SCA does NOT collect any telemetry data, nor does it connect to endpoints other than MS Azure Cloud.
App Data in Rest
SCA stores any data in an encrypted SQLite database using an AES-256 Cipher. The cryptography key is randomly generated at the very first start of the App using RNGCryptoServiceProvider from Microsoft. The Key is then stored securely in the local iOS Key Chain of the device. The SCA App Container itself is secured by MS Intune App Protection. That way no other App nor the OS itself can see or alter the stored data.
Microsoft Intune
In addition to the security features built into the app, SCA also integrates the Microsoft Intune SDK. (https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk). The Intune SDK allows control of the app's security features via Microsoft App Protection Policies. https://learn.microsoft.com/de-de/mem/intune/apps/app-protection-policy This includes the following function, among others:
Securing access via app PIN, or biometric factors
Enforce app data encryption
Data flow control
Control of OpenIn function - definition with which apps OpenIn is allowed
Control of Copy/Paste - definition with which apps Copy/Paste is allowed
Control of links - definition in which apps calls, mails, chats can be started and which web browser is used
Control if printing of data is allowed
Selective wipe of app data, e.g. in case of loss of the device
The configuration of the Microsoft app protection policies is done by the customer. The customer decides which of these functions are enabled/disabled. We only make recommendations in this regard.
Authentication
Authentication is based on Microsoft Authentication Library (https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-overview) This is used to log in to the app against the Microsoft Azure AD Enterprise app “Secure Contacts App” using a business, school or university account. (https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-application-management) The App ID of “Secure Contacts App” is 20429334-d869-476e-8a65-ea300a327985.
The user IDs used for login are always located in the customer's tenant.
The configuration of Azure AD user account security (password, login factors, etc.) is done by the customer. The customer decides which account security configuration is to be made.
Microsoft Conditional Access is used to control which devices can use the app. (https://learn.microsoft.com/de-de/azure/active-directory/conditional-access/overview) This makes it possible to decide, for example, that the app may only be used on company-owned devices, devices managed via MDM, or private devices.
The configuration of the Microsoft Conditional Access Policies is done by the customer. The customer decides which accesses are allowed or not allowed. We only make recommendations in this regard.
Data model
The SCA’s data model consists of a list of contact objects stored in a SQLite Cipher database.
What data is processed
SCA processes the following contact information:
First and last name
Company name
Position / job title
All email addresses saved
All telephone numbers saved
Profile photos
Contact GUID
Data source Name / ID / Priority
Hash id
How data is processed by the app
When the app is launched for the first time or the user performs the pull-to-update gesture, the resync process is started. During that resync process, SCA queries all configured data sources for which the user has been authorized. Then it analyzes each received contact, removes duplicates, combines contacts from different data sources if possible, normalizes and verifies each phone number against the international standard (ITU-T E. 164). After that, the contact data is stored encrypted in the local SQLite Cipher database. Next time the App restarts, it will load the contact data from the database.
Incoming caller identification
The SCA uses Apple's iOS CallKit Blocking & Identification feature. The phone numbers to be identified or blocked are loaded by the SCA’s Call Directory extension before an incoming call and stored by the operating system hidden from all other apps on the phone. When the phone receives an incoming call, the system first consults the user's local contacts to find a matching phone number. If no match is found, the system then consults SCA’s Call Directory extension to find a matching entry to identify the phone number.
MS Teams Status display
If configured and licensed, the SCA periodically polls the MS Teams Status via Graph API. For this purpose, it sends the GUID of each contact originating from the data source Azure Active Directory [AAD] to the Graph API and then receives the corresponding status information. This information is then inserted into the current view of the application. Depending on the current view, the query interval is between 20 to 60 seconds. When the app is pushed to the background, it stops polling the MS Teams Status.
Requirements
Microsoft Tenant
Microsoft 365 (worlwide) Tenant
Licenses
Azure Active Directory Premium P1 (or higher)
Exchange Online P1 (or higher)
Microsoft Intune
Devices
iPhone with iOS 15 or newer
iPad with iPadOS 15 or newer
Android-devices with Android 12 or newer
Deployment Scenarios
For private use of the service smartphone BYOD
For use Corporate Owned, Private enabled Devices (COPE)
Last updated