Technical / Security Overview

Intro

The Secure Contacts app enables the end-to-end, privacy-compliant use of business contacts on the iPhone. Personal data is protected through full integration with Microsoft Intune, and synchronization with third-party apps such as WhatsApp, Google, etc. is prevented. Users do not have to store or maintain a single contact on their own device.
All business data from the company address book, the personal Outlook address book, and customer data from any CRM system or other source are made available in the app and managed centrally.
The app acts as a protected, encrypted container that prevents uncontrolled leakage of data to third-party app providers.

Function overview

Data protection and information security
  • DSGVO/GDPR compliance
    • DSGVO/GDPR compliant storage of data
    • Prevention of uncontrolled outflow of contact data to apps with access to the device phonebook (such as WhatsApp)
  • Encryption
    • 256-bit AES encryption
  • Control over the data
    • Deletion of all data when the device is lost, the user leaves the company, or suspicious behavior is detected
    • Prevention of data being stored in iCloud or in local backups
  • Control over data flow
    • Open-In control: control of the usable messenger and telephony apps; deactivation of local data storage
    • Copy/Paste control: control over which apps data can be copied from and to
    • Disabling of third-party keyboards
  • Access protection
    • PIN, Touch ID or Face ID before using the app
    • Azure AD Conditional Access based on device status (= Compliant Device)
    • Azure AD Conditional Access based on app status (= Require app protection policy)
Usability
  • Outgoing calls: telephony
    • Contacts from the Outlook address book
    • Contacts from the company address book (Global Address List)
    • Contacts from other sources such as a CRM system
    • Simple, anonymized calls
  • Caller identification of incoming calls
    • Contacts from the Outlook address book
    • Contacts from the company address book (Global Address List)
    • Contacts from other sources such as a CRM system
    • Vacation and idle mode (diverting business calls to voicemail)
  • Microsoft Teams status display
    • Display of the Microsoft Teams status for contacts from the company address book
  • Integratable telephony and messenger apps
    • Cell phone
    • Microsoft Teams
    • Other services such as Cisco Jabber
  • More functions
    • Merging of duplicate contacts
    • Simple search
Management
  • Central management of the app (via Microsoft Intune)
  • App-based configuration
    • App protection policies
    • App configuration policies
  • Global filter rules for contacts
  • CI customization

Architecture

Security concept

The app's security concept is based on two components. First, the data is encrypted within the app. In addition, a security configuration is applied to the app via Microsoft's UEM system, Endpoint Manager (Intune).

Data sources

SCA is a cloud-native app, so it gets all contact information from the customer's Azure tenant. The primary data sources are Azure Active Directory [AAD] and the Global Address List [GAL]. Furthermore, it gets contact information from the user's personal Outlook contacts [APC] (Exchange Online only). Optional data sources are Dynamics 365 [D365], MS Dataverse [DVRS] and Azure Blob Storage [ABS], which require additional configuration in the customer's Azure tenant.

App Data in Transit

SCA communicates with the MS Azure Cloud only: primarily with the Graph API and the Azure authentication endpoint, optionally with Azure Blob Storage and Azure Dataverse. Every API call or transaction takes place over HTTPS using Transport Layer Security (TLS). After the TLS handshake negotiation, SCA and the Azure API endpoints use the strongest encryption algorithm available on both sides. SCA does NOT collect any telemetry data, nor does it connect to endpoints other than the MS Azure Cloud.
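The two transport properties described above (TLS on every call, no destination outside the Azure cloud) are the kind of thing a reviewer wants to see enforced in code rather than promised in prose. The following Go client is an added example written for this overview, not code from the SCA app: it pins a TLS 1.2 minimum and refuses any request whose scheme is not https or whose host is not on an allowlist. The allowlist is constructed for the example from the endpoint families the page names; graph.microsoft.com and login.microsoftonline.com are the public Graph and Azure AD hosts, while the two suffix entries are assumptions covering Azure Blob Storage accounts and Dataverse environments.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// allowedHosts is the only set of destinations the client may contact.
// Exact entries match the whole host name; entries starting with "." match
// any host ending in that suffix (assumed patterns for this example).
var allowedHosts = []string{
	"graph.microsoft.com",       // Microsoft Graph API
	"login.microsoftonline.com", // Azure AD authentication endpoint
	".blob.core.windows.net",    // Azure Blob Storage accounts (assumption)
	".dynamics.com",             // Dataverse environments (assumption)
}

// hostAllowed returns nil only for https URLs whose host is on the allowlist.
func hostAllowed(rawURL string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return errors.New("only https is permitted: " + rawURL)
	}
	host := strings.ToLower(u.Hostname())
	for _, a := range allowedHosts {
		if strings.HasPrefix(a, ".") && strings.HasSuffix(host, a) {
			return nil
		}
		if host == a {
			return nil
		}
	}
	return errors.New("destination not on the allowlist: " + host)
}

// allowlistTransport checks every outgoing request before it is dialed, so a
// mistaken or injected URL fails closed instead of leaking data.
type allowlistTransport struct{ next http.RoundTripper }

func (t allowlistTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	if err := hostAllowed(r.URL.String()); err != nil {
		return nil, err
	}
	return t.next.RoundTrip(r)
}

// newHardenedClient builds an http.Client that speaks TLS 1.2 or newer and
// only to allowlisted hosts. Go's TLS stack negotiates the strongest cipher
// suite both sides support.
func newHardenedClient() *http.Client {
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},
	}
	return &http.Client{Transport: allowlistTransport{next: tr}}
}

func main() {
	for _, u := range []string{
		"https://graph.microsoft.com/v1.0/me/contacts",
		"http://graph.microsoft.com/v1.0/me",  // plain http: rejected
		"https://telemetry.example.net/ping", // constructed non-Azure host
	} {
		fmt.Println(u, "->", hostAllowed(u))
	}
}
```

A request to a rejected destination never reaches the network: the transport returns the error before any DNS lookup or TCP connection happens, which is what makes the "no other endpoints" claim testable offline.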

App Data at Rest

SCA stores all data in an encrypted SQLite database using an AES-256 cipher. The cryptographic key is randomly generated at the very first start of the app using Microsoft's RNGCryptoServiceProvider. The key is then stored securely in the local iOS Keychain of the device. The SCA app container itself is secured by MS Intune App Protection. That way, neither any other app nor the OS itself can see or alter the stored data.
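The key-handling pattern in this section (generate a random 256-bit key once, keep it in the Keychain, reuse it on every later start) is shown below as an added Go example; it is not the app's own code, which is .NET-based and uses RNGCryptoServiceProvider. The Keychain is modelled by a small interface with an in-memory fake, the keychain item name is hypothetical, and records are sealed one at a time with AES-256-GCM rather than through an encrypted SQLite file, since Go's standard library has no SQLCipher binding.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Keychain models the one property the app needs from the iOS Keychain: a
// per-app secret store that survives restarts. The map-backed fake below is
// constructed for this example only.
type Keychain interface {
	Get(name string) ([]byte, bool)
	Put(name string, value []byte)
}

type fakeKeychain struct{ items map[string][]byte }

func newFakeKeychain() *fakeKeychain { return &fakeKeychain{items: map[string][]byte{}} }

func (k *fakeKeychain) Get(name string) ([]byte, bool) { v, ok := k.items[name]; return v, ok }
func (k *fakeKeychain) Put(name string, value []byte) { k.items[name] = value }

const dbKeyName = "sca-db-key" // hypothetical keychain item name

// loadOrCreateDBKey returns the 256-bit database key. On the very first
// start it draws the key from the system CSPRNG and stores it; on every
// later start the stored copy is returned unchanged.
func loadOrCreateDBKey(kc Keychain) ([]byte, error) {
	if key, ok := kc.Get(dbKeyName); ok {
		if len(key) != 32 {
			return nil, errors.New("stored key has wrong length")
		}
		return key, nil
	}
	key := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	kc.Put(dbKeyName, key)
	return key, nil
}

// encryptRecord seals one contact record with AES-256-GCM. A fresh random
// nonce is prepended to the ciphertext; GCM's tag detects later tampering.
func encryptRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptRecord reverses encryptRecord and fails if any byte was altered.
func decryptRecord(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	kc := newFakeKeychain()
	key, _ := loadOrCreateDBKey(kc) // first start: key is generated
	blob, _ := encryptRecord(key, []byte("Jane Doe;+15551234567")) // constructed record
	key2, _ := loadOrCreateDBKey(kc) // "restart": the same key comes back
	plain, err := decryptRecord(key2, blob)
	fmt.Println(string(plain), err)
}
```

The point a reviewer checks here is that the key never leaves the Keychain item and is never derived from anything guessable; the authenticated mode additionally turns "alter the stored data" into a decryption failure rather than silently corrupted contacts.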

Microsoft Intune

In addition to the security features built into the app, SCA also integrates the Microsoft Intune SDK (https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk). The Intune SDK allows control of the app's security features via Microsoft app protection policies (https://learn.microsoft.com/de-de/mem/intune/apps/app-protection-policy). This includes the following functions, among others:
  • Securing access via an app PIN or biometric factors
  • Enforcing app data encryption
  • Data flow control
    • Control of the Open-In function: definition of the apps with which Open-In is allowed
    • Control of Copy/Paste: definition of the apps with which Copy/Paste is allowed
    • Control of links: definition of the apps in which calls, mails and chats can be started, and which web browser is used
    • Control of whether printing of data is allowed
  • Selective wipe of app data, e.g. in case of loss of the device
The configuration of the Microsoft app protection policies is done by the customer. The customer decides which of these functions are enabled or disabled. We only make recommendations in this regard.
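Because the customer owns the app protection policy, the practical question is how to tell whether a given policy actually closes the data-flow paths listed above. The Go program below is an added example for this overview, not part of the SCA app or of Intune: it parses a policy and reports every control that is left open, with a constructed weak policy beside a hardened one. The JSON property names follow the Microsoft Graph iosManagedAppProtection resource as the example's author understands them; check them against the Graph reference before relying on them.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// AppProtectionPolicy is the subset of policy settings this page talks about.
// Field tags are assumed to match the Graph iosManagedAppProtection resource.
type AppProtectionPolicy struct {
	DisplayName                             string `json:"displayName"`
	PinRequired                             bool   `json:"pinRequired"`
	AllowedInboundDataTransferSources       string `json:"allowedInboundDataTransferSources"`       // allApps | managedApps | none
	AllowedOutboundDataTransferDestinations string `json:"allowedOutboundDataTransferDestinations"` // allApps | managedApps | none
	AllowedOutboundClipboardSharingLevel    string `json:"allowedOutboundClipboardSharingLevel"`    // allApps | managedAppsWithPasteIn | managedApps | blocked
	ManagedBrowserToOpenLinksRequired       bool   `json:"managedBrowserToOpenLinksRequired"`
	PrintBlocked                            bool   `json:"printBlocked"`
	ContactSyncBlocked                      bool   `json:"contactSyncBlocked"`
	DataBackupBlocked                       bool   `json:"dataBackupBlocked"`
	DeviceComplianceRequired                bool   `json:"deviceComplianceRequired"`
	PeriodOfflineBeforeWipeIsEnforced       string `json:"periodOfflineBeforeWipeIsEnforced"` // ISO 8601 duration, e.g. "P90D"
}

// AuditPolicy returns one finding per control that leaves the container open.
// An empty result means every control discussed on this page is enforced.
func AuditPolicy(p AppProtectionPolicy) []string {
	var f []string
	if !p.PinRequired {
		f = append(f, "pinRequired is false: no PIN/biometric gate in front of the app")
	}
	if p.AllowedOutboundDataTransferDestinations == "allApps" {
		f = append(f, "Open-In is allowed to all apps: contacts can leave the container")
	}
	if p.AllowedInboundDataTransferSources == "allApps" {
		f = append(f, "inbound transfer from all apps is allowed")
	}
	switch p.AllowedOutboundClipboardSharingLevel {
	case "managedApps", "managedAppsWithPasteIn", "blocked":
	default:
		f = append(f, "clipboard sharing is not restricted to managed apps")
	}
	if !p.ManagedBrowserToOpenLinksRequired {
		f = append(f, "links may open in any browser, not only the managed one")
	}
	if !p.PrintBlocked {
		f = append(f, "printing of app data is allowed")
	}
	if !p.ContactSyncBlocked {
		f = append(f, "contacts may sync to the native phonebook, where messengers can read them")
	}
	if !p.DataBackupBlocked {
		f = append(f, "app data may be included in iCloud/local backups")
	}
	if !p.DeviceComplianceRequired {
		f = append(f, "non-compliant devices are not blocked")
	}
	if p.PeriodOfflineBeforeWipeIsEnforced == "" {
		f = append(f, "no offline period after which data is wiped")
	}
	return f
}

// parsePolicy decodes a policy document as exported from Graph.
func parsePolicy(doc string) (AppProtectionPolicy, error) {
	var p AppProtectionPolicy
	err := json.Unmarshal([]byte(doc), &p)
	return p, err
}

// Both documents are constructed for this example.
const weakPolicy = `{"displayName":"weak (constructed)","pinRequired":false,
"allowedInboundDataTransferSources":"allApps","allowedOutboundDataTransferDestinations":"allApps",
"allowedOutboundClipboardSharingLevel":"allApps","managedBrowserToOpenLinksRequired":false,
"printBlocked":false,"contactSyncBlocked":false,"dataBackupBlocked":false,
"deviceComplianceRequired":false,"periodOfflineBeforeWipeIsEnforced":""}`

const hardenedPolicy = `{"displayName":"hardened (constructed)","pinRequired":true,
"allowedInboundDataTransferSources":"managedApps","allowedOutboundDataTransferDestinations":"managedApps",
"allowedOutboundClipboardSharingLevel":"managedAppsWithPasteIn","managedBrowserToOpenLinksRequired":true,
"printBlocked":true,"contactSyncBlocked":true,"dataBackupBlocked":true,
"deviceComplianceRequired":true,"periodOfflineBeforeWipeIsEnforced":"P90D"}`

func main() {
	for _, doc := range []string{weakPolicy, hardenedPolicy} {
		p, err := parsePolicy(doc)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("%s: %d finding(s)\n", p.DisplayName, len(AuditPolicy(p)))
		for _, line := range AuditPolicy(p) {
			fmt.Println("  -", line)
		}
	}
}
```

The contactSyncBlocked check is the one that maps most directly to the page's WhatsApp concern: once contacts are synced into the native phonebook, any app with Contacts permission can read them regardless of what the container does.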

Authentication

Authentication is based on the Microsoft Authentication Library (MSAL, https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-overview). It is used to log in to the app against the Microsoft Azure AD enterprise app “Provectus - Secure Contacts” using a work, school or university account (https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-application-management). The App ID of “Provectus - Secure Contacts” is 76d61813-1886-40f8-a065-8ca490a108f6.
The user IDs used for login are always located in the customer's tenant.
The configuration of Azure AD user account security (password, login factors, etc.) is done by the customer. The customer decides which account security configuration is to be applied.
Microsoft Conditional Access is used to control which devices can use the app (https://learn.microsoft.com/de-de/azure/active-directory/conditional-access/overview). This makes it possible to decide, for example, whether the app may only be used on company-owned devices, on devices managed via MDM, or on private devices.
The configuration of the Microsoft Conditional Access policies is done by the customer. The customer decides which accesses are allowed or not allowed. We only make recommendations in this regard.

Data model

The SCA’s data model consists of a list of contact objects stored in a SQLite Cipher database.

What data is processed

SCA processes the following contact information:
  1. First and last name
  2. Company name
  3. Position / job title
  4. All saved email addresses
  5. All saved telephone numbers
  6. Profile photos
  7. Contact GUID
  8. Data source name / ID / priority
  9. Hash ID

How data is processed by the app

When the app is launched for the first time or the user performs the pull-to-update gesture, the resync process is started. During that resync process, SCA queries all configured data sources for which the user has been authorized. It then analyzes each received contact, removes duplicates, combines contacts from different data sources where possible, and normalizes and verifies each phone number against the international standard (ITU-T E.164). After that, the contact data is stored encrypted in the local SQLite Cipher database. The next time the app starts, it loads the contact data from the database.
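The resync pipeline above (normalize to E.164, verify, drop duplicates, merge across sources) is worth seeing concretely, because the normalization step decides what counts as a duplicate. The following Go code is an added example written for this overview, not the app's own implementation: it normalizes numbers with an assumed default country code (national numbers and the 00 international prefix are both handled), rejects anything that is not a valid E.164 number, and merges contacts that share a number, letting the source with the lower priority value supply the name. The contacts and the source priorities are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Contact is the subset of the page's data model needed for the resync step.
type Contact struct {
	Name     string
	Source   string // data source name, e.g. "GAL", "APC", "CRM"
	Priority int    // lower value wins when merging (assumption for this example)
	Phones   []string
	Emails   []string
}

// NormalizeE164 turns a human-typed number into E.164 form: "+" followed by
// at most 15 digits, country code first. defaultCC (e.g. "49") is applied to
// national numbers; "00" is accepted as the international dialing prefix.
func NormalizeE164(raw, defaultCC string) (string, error) {
	var b strings.Builder
	for _, r := range raw {
		switch {
		case r >= '0' && r <= '9':
			b.WriteRune(r)
		case r == '+' && b.Len() == 0:
			b.WriteRune('+')
		case strings.ContainsRune(" -()./\t", r):
			// formatting characters carry no information
		default:
			return "", errors.New("invalid character in number: " + raw)
		}
	}
	s := b.String()
	switch {
	case strings.HasPrefix(s, "+"):
		s = s[1:]
	case strings.HasPrefix(s, "00"):
		s = s[2:]
	case strings.HasPrefix(s, "0"):
		s = defaultCC + s[1:] // trunk prefix replaced by the country code
	default:
		s = defaultCC + s
	}
	// E.164 allows at most 15 digits and a country code never starts with 0;
	// the lower bound of 7 digits is a sanity check, not part of the standard.
	if len(s) < 7 || len(s) > 15 || s[0] == '0' {
		return "", errors.New("not a valid E.164 number: " + raw)
	}
	return "+" + s, nil
}

// MergeContacts normalizes every number, drops invalid ones, and merges
// contacts that share a normalized number. Name and source come from the
// highest-priority contact; numbers and emails are unioned. A contact that
// bridges two earlier entries is attached to the first one it matches.
func MergeContacts(in []Contact, defaultCC string) []Contact {
	cs := append([]Contact(nil), in...) // leave the caller's slice untouched
	sort.SliceStable(cs, func(i, j int) bool { return cs[i].Priority < cs[j].Priority })
	var out []Contact
	byPhone := map[string]int{} // normalized number -> index into out
	for _, c := range cs {
		var phones []string
		for _, p := range c.Phones {
			if n, err := NormalizeE164(p, defaultCC); err == nil {
				phones = append(phones, n)
			}
		}
		target := -1
		for _, p := range phones {
			if i, ok := byPhone[p]; ok {
				target = i
				break
			}
		}
		if target == -1 {
			out = append(out, Contact{Name: c.Name, Source: c.Source, Priority: c.Priority})
			target = len(out) - 1
		}
		t := &out[target]
		t.Phones = union(t.Phones, phones)
		t.Emails = union(t.Emails, c.Emails)
		for _, p := range phones {
			byPhone[p] = target
		}
	}
	return out
}

func union(a, b []string) []string {
	seen := map[string]bool{}
	var r []string
	for _, s := range append(append([]string{}, a...), b...) {
		if !seen[s] {
			seen[s] = true
			r = append(r, s)
		}
	}
	return r
}

// sampleContacts is constructed input: the same person from two sources in
// different number formats, plus a CRM entry with an unusable number.
var sampleContacts = []Contact{
	{Name: "J. Doe", Source: "APC", Priority: 2, Phones: []string{"030 1234567", "0151 2345678"}, Emails: []string{"jane.doe@example.com"}},
	{Name: "Jane Doe", Source: "GAL", Priority: 1, Phones: []string{"+49 30 1234567"}, Emails: []string{"jane@example.com"}},
	{Name: "Bob Example", Source: "CRM", Priority: 3, Phones: []string{"12ab"}},
}

func main() {
	for _, c := range MergeContacts(sampleContacts, "49") {
		fmt.Printf("%s (%s) %v %v\n", c.Name, c.Source, c.Phones, c.Emails)
	}
}
```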

Incoming caller identification

The SCA uses Apple's iOS CallKit Call Blocking & Identification feature. The phone numbers to be identified or blocked are loaded by the SCA's Call Directory extension before an incoming call and stored by the operating system, hidden from all other apps on the phone. When the phone receives an incoming call, the system first consults the user's local contacts for a matching phone number. If no match is found, the system then consults SCA's Call Directory extension for a matching entry to identify the phone number.

MS Teams Status display

If configured and licensed, the SCA periodically polls the MS Teams status via the Graph API. For this purpose, it sends the GUID of each contact originating from the data source Azure Active Directory [AAD] to the Graph API and receives the corresponding status information in return. This information is then inserted into the current view of the application. Depending on the current view, the query interval is between 20 and 60 seconds. When the app is pushed to the background, it stops polling the MS Teams status.

Requirements

Microsoft Tenant
  • Microsoft 365 (worldwide) tenant
  • Licenses
    • Azure Active Directory Premium P1 (or higher)
    • Exchange Online P1 (or higher)
    • Microsoft Intune
Devices
  • iPhone with iOS 15 or newer
  • iPad with iPadOS 15 or newer

Deployment Scenarios

  • For privately used service smartphones / bring your own device (BYOD)
  • For corporate-owned, personally enabled devices (COPE)