Technical / Security Overview
Secure Contacts App (SCA) enables privacy-compliant, end-to-end use of business contacts on the iPhone. Personal data is protected through full integration with Microsoft Intune, and synchronization with third-party apps such as WhatsApp or Google is prevented. Users do not have to store or maintain a single contact on their own device.
All business data from the company address book, the personal Outlook address book, and customer data from any CRM system or other source are made available in the app and managed centrally.
The app acts as a protected, encrypted container that prevents uncontrolled data leakage to third-party app providers.
The app's security concept rests on two components. First, data is encrypted within the app. Second, a security configuration is applied to the app via Microsoft Endpoint Manager (Intune), Microsoft's UEM system.
SCA is a cloud-native app, so it obtains all contact information from the customer's Azure tenant. The primary data sources are Azure Active Directory [AAD] and the Global Address List [GAL]. It also reads the user's personal Outlook contacts [APC] (Exchange Online only). Optional data sources are Dynamics 365 [D365], Microsoft Dataverse [DVRS] and Azure Blob Storage [ABS], which require additional configuration in the customer's Azure tenant.
SCA communicates with the Microsoft Azure cloud only: primarily with the Graph API and the Azure authentication endpoint, optionally with Azure Blob Storage and Azure Dataverse. Every API call or transaction takes place over HTTPS using Transport Layer Security (TLS). During the TLS handshake, SCA and the Azure API endpoints negotiate the strongest cipher suite supported by both sides. SCA does NOT collect any telemetry data, nor does it connect to endpoints other than the Microsoft Azure cloud.
SCA stores all data in an encrypted SQLite database using an AES-256 cipher. The encryption key is generated randomly on the very first start of the app using .NET's RNGCryptoServiceProvider and is then stored in the iOS Keychain of the device. The SCA app container itself is protected by Microsoft Intune app protection. As a result, no other app on the device can read or alter the stored data.
In addition to the security features built into the app, SCA integrates the Microsoft Intune App SDK (https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk). The SDK allows the app's security features to be controlled via Microsoft app protection policies (https://learn.microsoft.com/de-de/mem/intune/apps/app-protection-policy). These include the following functions, among others:
- Securing access via an app PIN or biometric factors
- Enforcement of app data encryption
- Data flow control
- Control of the Open-In function: definition of which apps may receive data via Open-In
- Control of copy/paste: definition of which apps may exchange clipboard data with SCA
- Control of links: definition of which apps may start calls, mails and chats, and which web browser is used
- Control of whether printing of data is allowed
- Selective wipe of app data, e.g. if the device is lost
The Microsoft app protection policies are configured by the customer, who decides which of these functions are enabled or disabled. We only make recommendations in this regard.
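Because the customer owns the policy, a practitioner usually wants a quick check that the policy assigned to SCA actually enables the controls listed above. The following script is an added example and not code from Provectus or from the app: it audits a policy object in the shape of the Microsoft Graph iosManagedAppProtection resource. The property names and enum values are my recollection of the Graph schema, not something this page states, so verify them against the current Graph documentation before running it on a real tenant export; the two sample policies are constructed for the example.

```python
import re

# Constructed sample: a permissive policy that leaves every control off.
PERMISSIVE_POLICY = {
    "displayName": "SCA - permissive (constructed sample)",
    "pinRequired": False,
    "appDataEncryptionType": "useDeviceSettings",
    "allowedInboundDataTransferSources": "allApps",
    "allowedOutboundDataTransferDestinations": "allApps",
    "allowedOutboundClipboardSharingLevel": "allApps",
    "managedBrowserToOpenLinksRequired": False,
    "printBlocked": False,
    "contactSyncBlocked": False,
    "dataBackupBlocked": False,
    "periodOfflineBeforeWipeIsEnforced": "P365D",
}

# Constructed sample: the same policy with each control set to a restrictive value.
HARDENED_POLICY = {
    "displayName": "SCA - hardened (constructed sample)",
    "pinRequired": True,
    "appDataEncryptionType": "whenDeviceLocked",
    "allowedInboundDataTransferSources": "managedApps",
    "allowedOutboundDataTransferDestinations": "managedApps",
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "managedBrowserToOpenLinksRequired": True,
    "printBlocked": True,
    "contactSyncBlocked": True,
    "dataBackupBlocked": True,
    "periodOfflineBeforeWipeIsEnforced": "P90D",
}


def offline_wipe_days(duration):
    """Parse the ISO 8601 durations Intune exports (e.g. P90D or PT2160H).

    Returns the number of days, or None when the value cannot be parsed.
    """
    m = re.fullmatch(r"P(\d+)D", duration or "")
    if m:
        return int(m.group(1))
    m = re.fullmatch(r"PT(\d+)H", duration or "")
    if m:
        return int(m.group(1)) // 24
    return None


def audit_app_protection_policy(policy, max_offline_days=90):
    """Return (property, finding) pairs for every control weaker than expected.

    One check per control listed on the page (PIN/biometrics, encryption, data
    flow, Open-In, copy/paste, links, printing, selective wipe) plus backup and
    contact sync, the setting that keeps contacts out of the native address book.
    The thresholds are assumptions for this example, not vendor recommendations.
    """
    findings = []

    def expect(prop, ok, message):
        if not ok:
            findings.append((prop, message))

    g = policy.get
    expect("pinRequired", g("pinRequired") is True,
           "access is not gated by an app PIN or biometrics")
    expect("appDataEncryptionType",
           g("appDataEncryptionType") in ("whenDeviceLocked", "whenDeviceLockedExceptOpenFiles"),
           "app data is not required to be encrypted while the device is locked")
    expect("allowedInboundDataTransferSources",
           g("allowedInboundDataTransferSources") in ("managedApps", "none"),
           "unmanaged apps may send data into the app")
    expect("allowedOutboundDataTransferDestinations",
           g("allowedOutboundDataTransferDestinations") in ("managedApps", "none"),
           "Open-In / share may target unmanaged apps")
    expect("allowedOutboundClipboardSharingLevel",
           g("allowedOutboundClipboardSharingLevel") in ("managedApps", "managedAppsWithPasteIn", "blocked"),
           "copy/paste may leave the app for unmanaged apps")
    expect("managedBrowserToOpenLinksRequired", g("managedBrowserToOpenLinksRequired") is True,
           "web links may open in an unmanaged browser")
    expect("printBlocked", g("printBlocked") is True, "printing of contact data is allowed")
    expect("contactSyncBlocked", g("contactSyncBlocked") is True,
           "contacts may be synced into the native address book")
    expect("dataBackupBlocked", g("dataBackupBlocked") is True,
           "app data may be included in device backups")
    days = offline_wipe_days(g("periodOfflineBeforeWipeIsEnforced"))
    expect("periodOfflineBeforeWipeIsEnforced", days is not None and days <= max_offline_days,
           f"offline wipe is not enforced within {max_offline_days} days")
    return findings


if __name__ == "__main__":
    for name, pol in (("permissive", PERMISSIVE_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_app_protection_policy(pol))
```

A policy exported with `GET /deviceAppManagement/iosManagedAppProtections` can be fed straight to `audit_app_protection_policy`; an empty result means every control on the list is switched on, while each finding names the property to change in the Intune portal.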
Authentication is based on the Microsoft Authentication Library (MSAL, https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-overview). It is used to sign in to the app against the Azure AD enterprise application “Provectus - Secure Contacts” with a work, school or university account (https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-application-management). The application ID of “Provectus - Secure Contacts” is 76d61813-1886-40f8-a065-8ca490a108f6.
The user identities used for sign-in always reside in the customer's tenant.
The security configuration of Azure AD user accounts (password, sign-in factors, etc.) is done by the customer, who decides which account security settings apply.
Microsoft Conditional Access controls which devices may use the app (https://learn.microsoft.com/de-de/azure/active-directory/conditional-access/overview). It makes it possible to decide, for example, that the app may only be used on company-owned devices, on MDM-managed devices, or also on private devices.
The Microsoft Conditional Access policies are configured by the customer, who decides which accesses are allowed or denied. We only make recommendations in this regard.
The SCA's data model consists of a list of contact objects stored in the encrypted SQLite database.
SCA processes the following contact information:
- First and last name
- Company name
- Position / job title
- All saved email addresses
- All saved telephone numbers
- Profile photos
- Contact GUID
- Data source name / ID / priority
- Hash ID
When the app is launched for the first time or the user performs the pull-to-refresh gesture, the resync process starts. During that process, SCA queries all configured data sources for which the user has been authorized. It then analyzes each received contact, removes duplicates, combines contacts from different data sources where possible, and normalizes and verifies each phone number against the international standard ITU-T E.164. The contact data is then stored encrypted in the local SQLite database. On the next start, the app loads the contact data from that database.
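The resync step above (normalize phone numbers to E.164, drop duplicates, merge records from several sources by priority, derive a hash ID) is where most of the data-quality and cross-source logic lives. The script below is an added example, not the app's own code: it implements a simplified version of that pipeline in Python. The normalizer is a hand-written subset of E.164 handling (the `+` and `00` prefixes, the trunk `0`, the `(0)` artifact, length and leading-zero checks) rather than a full numbering-plan library; the matching rule (same normalized email or phone means same person), the "lower priority value wins" convention, and the use of a SHA-256 content hash as the hash ID are assumptions made for the example, and the sample contacts are constructed.

```python
import hashlib
import json
import re
from dataclasses import dataclass, field


@dataclass
class Contact:
    """One contact as received from a single data source (constructed shape)."""
    source: str            # data source name, e.g. "AAD", "GAL", "APC", "D365"
    priority: int          # lower value wins on conflicting fields (assumption)
    first_name: str
    last_name: str
    company: str = ""
    job_title: str = ""
    emails: list = field(default_factory=list)
    phones: list = field(default_factory=list)


def normalize_e164(raw, default_cc="49"):
    """Normalize a free-form phone number to E.164 ('+' plus at most 15 digits).

    Simplified rules: a leading '+' or a '00' international prefix marks the
    number as already international; a leading '0' is the trunk prefix of the
    default country; anything else is assumed to be a national number. Values
    that cannot be E.164 (empty, leading zero after the '+', wrong length)
    return None so the caller can reject them.
    """
    s = re.sub(r"\(0\)", "", raw)          # "+49 (0) 30 ..." carries a redundant trunk prefix
    plus = s.lstrip().startswith("+")
    digits = re.sub(r"\D", "", s)
    if not digits:
        return None
    if plus:
        national = digits
    elif digits.startswith("00"):
        national = digits[2:]
    elif digits.startswith("0"):
        national = default_cc + digits[1:]
    else:
        national = default_cc + digits
    if national.startswith("0") or not 7 <= len(national) <= 15:
        return None
    return "+" + national


def merge_contacts(contacts, default_cc="49"):
    """Deduplicate and merge contacts from several sources.

    Sources are processed in priority order, so the highest-priority source
    sets the fields and lower-priority sources only fill gaps and contribute
    additional addresses and numbers. Two records are treated as the same
    person when they share a normalized email address or phone number.
    """
    merged = []
    index = {}  # ("email", addr) or ("phone", number) -> merged record
    for c in sorted(contacts, key=lambda x: x.priority):
        emails = sorted({e.strip().lower() for e in c.emails if e.strip()})
        phones = sorted({p for p in (normalize_e164(x, default_cc) for x in c.phones) if p})
        keys = [("email", e) for e in emails] + [("phone", p) for p in phones]
        rec = next((index[k] for k in keys if k in index), None)
        if rec is None:
            rec = {"first_name": c.first_name, "last_name": c.last_name,
                   "company": c.company, "job_title": c.job_title,
                   "emails": [], "phones": [], "sources": []}
            merged.append(rec)
        else:
            for f in ("first_name", "last_name", "company", "job_title"):
                if not rec[f]:
                    rec[f] = getattr(c, f)
        rec["emails"] = sorted(set(rec["emails"]) | set(emails))
        rec["phones"] = sorted(set(rec["phones"]) | set(phones))
        rec["sources"].append(c.source)
        for k in keys:
            index[k] = rec
    for rec in merged:
        # Content hash over the merged fields (assumed meaning of the page's "hash id").
        canonical = json.dumps({k: v for k, v in rec.items() if k != "sources"}, sort_keys=True)
        rec["hash_id"] = hashlib.sha256(canonical.encode()).hexdigest()
    return merged


# Constructed sample: one person seen by three sources plus an unrelated CRM record.
SAMPLE_CONTACTS = [
    Contact("AAD", 1, "Erika", "Mustermann", "Contoso", "", ["Erika.Mustermann@contoso.com"], ["+49 (0) 30 1234567"]),
    Contact("GAL", 2, "Erika", "Mustermann", "", "Engineer", ["erika.mustermann@contoso.com"], ["030 1234567"]),
    Contact("APC", 3, "E.", "Mustermann", "", "", [], ["0049 30 1234567"]),
    Contact("D365", 4, "Max", "Muster", "Fabrikam", "Buyer", ["max@example.com"], ["n/a"]),
]

if __name__ == "__main__":
    for rec in merge_contacts(SAMPLE_CONTACTS):
        print(json.dumps(rec, indent=2))
```

Running it yields two records: the three Erika entries collapse into one with a single E.164 number and the job title filled in from the lower-priority GAL entry, while the CRM record keeps its email but loses the unparseable phone number.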
SCA uses Apple's iOS CallKit call blocking and identification feature. The phone numbers to be identified or blocked are loaded by SCA's Call Directory extension ahead of any incoming call and stored by the operating system, hidden from all other apps on the phone. When the phone receives an incoming call, the system first consults the user's local contacts for a matching phone number. Only if no match is found does the system consult SCA's Call Directory extension to identify the number.
If configured and licensed, SCA periodically polls the Microsoft Teams presence status via the Graph API. For this purpose it sends the GUID of each contact originating from the Azure Active Directory [AAD] data source to the Graph API and receives the corresponding presence information, which is then shown in the current view of the application. Depending on the current view, the query interval is between 20 and 60 seconds. When the app is moved to the background, it stops polling the Teams presence status.
Prerequisites:
- Microsoft 365 (worldwide) tenant
- Azure Active Directory Premium P1 (or higher)
- Exchange Online Plan 1 (or higher)
- Microsoft Intune
- iPhone with iOS 15 or newer
- iPad with iPadOS 15 or newer
Supported deployment scenarios for mixed private and business use of a smartphone:
- Bring Your Own Device (BYOD)
- Corporate-Owned, Personally Enabled (COPE) devices