Provectus Technologies GmbH
Technical / Security Overview

Last updated 1 year ago


Intro

Secure Contacts app enables the end-to-end privacy-compliant use of business contacts on the iPhone. Personal data is protected through full integration with Microsoft Intune, and synchronization with third-party apps such as WhatsApp, Google, etc. is prevented. Users do not have to store and maintain a single contact on their own device.

All business data from the company address book, personal Outlook address book, and customer data from any CRM system or other sources are made available in the app and managed centrally.

The app acts as a protected and encrypted container that prevents uncontrolled data leakage to third-party app providers.

Function overview

Data protection and information security

  • DSGVO/GDPR Compliant
    • DSGVO/GDPR compliant storage of data
    • Prevention of uncontrolled outflow of contact data by apps with access to the device phonebook (such as WhatsApp)
  • Encryption
    • 256-bit AES encryption
  • Control over the data
    • Deletion of all data in case of
      • loss of the device
      • the user leaving the company
      • suspicious behavior
    • Prevent data from being stored in iCloud or local backups
  • Control over data flow
    • Open-In Control
      • Control of the usable messenger and telephony apps
      • Deactivation of local data storage
    • Copy/Paste Control
      • Control of from and to which apps data can be copied
    • Disable 3rd party keyboards
  • Access protection
    • PIN, TouchID or FaceID before using the app
    • Azure AD Conditional Access based on device status (= Compliant Device)
    • Azure AD Conditional Access based on app status (= Require App protection policy)

Usability

  • Outgoing calls: Telephony
    • Contacts from Outlook address book
    • Contacts from the company address book (Global Address List)
    • Contacts from other sources such as CRM system
    • Simple, anonymized calls
  • Caller identification of incoming calls
    • Contacts from Outlook address book
    • Contacts from the company address book (Global Address List)
    • Contacts from other sources such as CRM system
    • Vacation and idle mode (diverting business calls to voicemail)
  • Microsoft Teams status display
    • Display of Microsoft Teams status for contacts from the company address book
  • Integratable telephony and messenger apps
    • Cell phone
    • Microsoft Teams
    • Other services such as Cisco Jabber
  • More functions
    • Merging duplicate contacts
    • Simple search

Management

  • Central management of the app (via Microsoft Intune)
  • App-based configuration
    • App protection policies
    • App configuration policies
  • Global filter rules for contacts
  • CI-customization

Architecture

Security concept

The app's security concept is based on two components. First, the data is encrypted within the app. In addition, a security configuration is applied to the app via the Microsoft UEM System Endpoint Manager (Intune).

Data sources

SCA is a cloud-native app, so it gets all contact information from the client's Azure tenant. The primary data sources are the Azure Active Directory [AAD] and the Global Address List [GAL]. Furthermore, it gets contact information from the user's personal Outlook Contacts [APC] (Exchange Online only). Optional data sources are Dynamics 365 [D365], MS Dataverse [DVRS] and Azure Blob Storage [ABS], which need additional configuration in the client's Azure tenant.

App Data in Transit

SCA communicates with the MS Azure Cloud only: primarily with the Graph API and the Azure Authentication Endpoint, optionally with Azure Blob Storage and Azure Dataverse. Every API call or transaction takes place over HTTPS using Transport Layer Security (TLS). After the TLS handshake negotiation, SCA and the Azure API endpoints use the strongest encryption algorithm that is available on both sides. SCA does NOT collect any telemetry data, nor does it connect to endpoints other than the MS Azure Cloud.

App Data at Rest

SCA stores all data in an encrypted SQLite database using an AES-256 cipher. The cryptographic key is randomly generated at the very first start of the app using RNGCryptoServiceProvider from Microsoft. The key is then stored securely in the local iOS Keychain of the device. The SCA app container itself is secured by MS Intune App Protection. That way, neither other apps nor the OS itself can see or alter the stored data.

Microsoft Intune

  • Securing access via app PIN, or biometric factors

  • Enforce app data encryption

  • Data flow control

    • Control of OpenIn function - definition with which apps OpenIn is allowed

    • Control of Copy/Paste - definition with which apps Copy/Paste is allowed

    • Control of links - definition in which apps calls, mails, chats can be started and which web browser is used

    • Control if printing of data is allowed

  • Selective wipe of app data, e.g. in case of loss of the device

The configuration of the Microsoft app protection policies is done by the customer. The customer decides which of these functions are enabled/disabled. We only make recommendations in this regard.

Authentication

The user IDs used for login are always located in the customer's tenant.

The configuration of Azure AD user account security (password, login factors, etc.) is done by the customer. The customer decides which account security configuration is to be made.

The configuration of the Microsoft Conditional Access Policies is done by the customer. The customer decides which accesses are allowed or not allowed. We only make recommendations in this regard.

Data model

The SCA’s data model consists of a list of contact objects stored in a SQLite Cipher database.

What data is processed

SCA processes the following contact information:

  1. First and last name

  2. Company name

  3. Position / job title

  4. All email addresses saved

  5. All telephone numbers saved

  6. Profile photos

  7. Contact GUID

  8. Data source Name / ID / Priority

  9. Hash id

How data is processed by the app

When the app is launched for the first time or the user performs the pull-to-update gesture, the resync process is started. During that resync process, SCA queries all configured data sources for which the user has been authorized. Then it analyzes each received contact, removes duplicates, combines contacts from different data sources if possible, and normalizes and verifies each phone number against the international standard (ITU-T E.164). After that, the contact data is stored encrypted in the local SQLite Cipher database. The next time the app restarts, it loads the contact data from the database.

Incoming caller identification

The SCA uses Apple's iOS CallKit Blocking & Identification feature. The phone numbers to be identified or blocked are loaded by the SCA’s Call Directory extension before an incoming call and stored by the operating system hidden from all other apps on the phone. When the phone receives an incoming call, the system first consults the user's local contacts to find a matching phone number. If no match is found, the system then consults SCA’s Call Directory extension to find a matching entry to identify the phone number.
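The resync and caller-identification steps described above can be illustrated with a short sketch. This is an added example, not SCA's own code: the default country code, the "lowest priority value wins" rule and the record layout are assumptions, and the sample contacts are constructed. It normalizes numbers to E.164, rejects what cannot be validated, resolves duplicates across data sources, and emits entries in the ascending numeric order CallKit requires.

```python
import re

E164 = re.compile(r"\+[1-9]\d{1,14}")  # "+", no leading zero, at most 15 digits

def to_e164(raw, default_cc="49"):
    """Return the E.164 form of raw, or None. default_cc is an assumed tenant default."""
    s = raw.strip()
    if re.search(r"[A-Za-z]", s):       # extensions or free text: reject, never guess
        return None
    s = s.replace("(0)", "")            # "+49 (0) 30 ..." trunk-prefix notation
    digits = re.sub(r"\D", "", s)
    if s.startswith("+"):
        cand = "+" + digits
    elif digits.startswith("00"):       # international call prefix
        cand = "+" + digits[2:]
    elif digits.startswith("0"):        # national number with trunk prefix
        cand = "+" + default_cc + digits[1:]
    else:
        return None                     # no prefix: country cannot be determined
    return cand if E164.fullmatch(cand) else None

def caller_id_entries(records, default_cc="49"):
    """Deduplicate by normalized number; the lowest 'priority' value wins (assumed).
    Returns (entries, rejected); entries are (int, label) in ascending numeric order."""
    best, rejected = {}, []
    for rec in records:
        for raw in rec["phones"]:
            num = to_e164(raw, default_cc)
            if num is None:
                rejected.append((rec["source"], raw))
            elif num not in best or rec["priority"] < best[num][0]:
                best[num] = (rec["priority"], rec["name"])
    entries = sorted((int(n[1:]), label) for n, (_, label) in best.items())
    return entries, rejected

# Constructed sample contacts; names, numbers and priorities are invented.
SAMPLE = [
    {"source": "AAD", "priority": 1, "name": "Erika Mustermann",
     "phones": ["+49 (0) 30 1234567", "0171 2345678"]},
    {"source": "D365", "priority": 3, "name": "E. Mustermann (CRM)",
     "phones": ["0049 30 1234567", "ext. 42"]},
    {"source": "APC", "priority": 2, "name": "Max Beispiel",
     "phones": ["+1 (202) 555-0143", "12345"]},
]

if __name__ == "__main__":
    entries, rejected = caller_id_entries(SAMPLE)
    for number, label in entries:
        print(number, label)
    print("rejected:", rejected)
```

Numbers that end up in the rejected list are never offered for caller identification, which is why a data source with locally formatted numbers can appear to be missing from incoming-call lookups.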

MS Teams Status display

If configured and licensed, the SCA periodically polls the MS Teams Status via Graph API. For this purpose, it sends the GUID of each contact originating from the data source Azure Active Directory [AAD] to the Graph API and then receives the corresponding status information. This information is then inserted into the current view of the application. Depending on the current view, the query interval is between 20 and 60 seconds. When the app is pushed to the background, it stops polling the MS Teams Status.

Requirements

Microsoft Tenant

  • Microsoft 365 (worldwide) Tenant

  • Licenses

    • Azure Active Directory Premium P1 (or higher)

    • Exchange Online P1 (or higher)

    • Microsoft Intune

Devices

  • iPhone with iOS 15 or newer

  • iPad with iPadOS 15 or newer

  • Android-devices with Android 12 or newer

Deployment Scenarios

  • For private use of the service smartphone (BYOD)

  • For use on Corporate Owned, Private Enabled devices (COPE)

In addition to the security features built into the app, SCA also integrates the Microsoft Intune SDK (https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk). The Intune SDK allows control of the app's security features via Microsoft App Protection Policies (https://learn.microsoft.com/de-de/mem/intune/apps/app-protection-policy). This includes, among others, the functions listed in the Microsoft Intune section above.

Authentication is based on the Microsoft Authentication Library (https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-overview). This is used to log in to the app against the Microsoft Azure AD Enterprise app “Secure Contacts App” using a business, school or university account (https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-application-management). The App ID of “Secure Contacts App” is 20429334-d869-476e-8a65-ea300a327985.

Microsoft Conditional Access is used to control which devices can use the app (https://learn.microsoft.com/de-de/azure/active-directory/conditional-access/overview). This makes it possible to decide, for example, that the app may only be used on company-owned devices, devices managed via MDM, or private devices.
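Because the Conditional Access configuration is left to the customer, it is worth checking that an exported policy set really enforces the device or app requirement for the SCA App ID given on this page. The following is an added example, not part of the vendor documentation: field names follow the Microsoft Graph conditionalAccessPolicy resource, the sample policies and their display names are constructed, and user and platform conditions are not evaluated.

```python
SCA_APP_ID = "20429334-d869-476e-8a65-ea300a327985"   # App ID stated on this page
DEVICE_OR_APP = {"compliantDevice", "compliantApplication"}

def sca_enforcement(policy):
    """Classify one exported conditionalAccessPolicy object with respect to SCA."""
    apps = policy.get("conditions", {}).get("applications", {})
    included = set(apps.get("includeApplications") or [])
    excluded = set(apps.get("excludeApplications") or [])
    if SCA_APP_ID in excluded or not included & {SCA_APP_ID, "All"}:
        return "not-in-scope"
    if policy.get("state") != "enabled":           # disabled or report-only
        return "not-enforced"
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    if not controls & DEVICE_OR_APP:
        return "missing-control"
    # With operator OR, a weaker control (e.g. mfa) satisfies the policy on its own.
    if grant.get("operator") == "OR" and controls - DEVICE_OR_APP:
        return "bypassable"
    return "enforced"

def audit(policies):
    """Map each policy's displayName to its classification."""
    return {p["displayName"]: sca_enforcement(p) for p in policies}

def _policy(name, state, include, controls, operator="OR", exclude=()):
    """Helper that builds a constructed sample policy in Graph's JSON shape."""
    return {"displayName": name, "state": state,
            "conditions": {"applications": {"includeApplications": list(include),
                                            "excludeApplications": list(exclude)}},
            "grantControls": {"operator": operator, "builtInControls": list(controls)}}

# Constructed sample export; display names are invented for this example.
SAMPLE = [
    _policy("SCA device or app", "enabled", [SCA_APP_ID],
            ["compliantDevice", "compliantApplication"]),
    _policy("SCA MFA or device", "enabled", [SCA_APP_ID], ["mfa", "compliantDevice"]),
    _policy("SCA report-only", "enabledForReportingButNotEnforced", [SCA_APP_ID],
            ["compliantApplication"], operator="AND"),
    _policy("All apps MFA", "enabled", ["All"], ["mfa"]),
    _policy("All apps except SCA", "enabled", ["All"], ["compliantDevice"],
            exclude=[SCA_APP_ID]),
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{status:16} {name}")
```

If no policy is classified as "enforced", sign-in to SCA is not restricted to compliant devices or protected apps, whatever the App Protection Policy itself requires.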