Security Overview
webMOBI is hosted on AWS, which is compliant with the applicable security requirements (see https://aws.amazon.com/compliance/soc-faqs/).
webMOBI deploys a number of key security architectures. Access to the webMOBI platform is audited via the Dome9 security service (http://dome9.com/), and access to the platform over the internet passes through a web application firewall (http://cloudflare.com/).
For payments, we use Stripe (https://stripe.com/guides/pci-compliance#how-stripe-helps-organizations-achieve-and-maintain-pci-compliance).
From the network security perspective, we are hosted on AWS behind two firewalls: the Cloudflare WAF and the AWS firewall. Cloudflare is based on IP reputation and will challenge IPs that have shown problematic activity online. The web application firewall blocks attack attempts against the site, and we also define rule sets based on our technology stack from the management console. We use Dome9 to control access to the infrastructure hosted on AWS. We conduct regular training and periodic audits. Other security aspects of the webMOBI platform are listed below.
Secure Data Transmission and Data Storage on WebMobi's Platform
WebMobi utilizes Amazon Web Services (AWS) cloud solutions to ensure the physical and operational security of data in transit and of data storage at rest.
WebMobi utilizes Amazon EC2 Security Groups that allow inbound connections via HTTPS (port 443) only.
WebMobi stores static assets (e.g. images) in AWS S3, accessed only via signed URLs.
AWS employs a rigorous security model. See http://aws.amazon.com/security/ for more information.
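The signed-URL pattern mentioned above works by having the server sign the object path together with an expiry time, so that a link can be handed out and then stops working after a fixed period, and any change to the path or expiry invalidates it. The following Python example was added for this page to illustrate that idea; it is not webMOBI's code and it is not the AWS Signature Version 4 scheme that real S3 pre-signed URLs use. The signing key, the hostname and the function names are constructed for the example.

```python
"""Expiring, tamper-evident signed URLs (added example; not webMOBI's code).

The server signs the object path plus an expiry timestamp with a secret key.
A request is served only if the signature verifies and the expiry has not
passed.  SIGNING_KEY and BASE are constructed values for this example; a
production system would load the key from a secret store.  Real S3
pre-signed URLs use AWS Signature Version 4, which is not reproduced here.
"""
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = b"example-signing-key-not-for-production"  # constructed
BASE = "https://assets.example.com"                       # constructed host


def _signature(path: str, expires: int) -> str:
    """HMAC-SHA256 over the path and expiry, so neither can be changed alone."""
    message = f"{path}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, message, hashlib.sha256).hexdigest()


def sign_url(path: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Return a URL for `path` that is valid for `ttl_seconds` from `now`."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "sig": _signature(path, expires)})
    return f"{BASE}{path}?{query}"


def verify_url(url: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Check a URL before serving the object; returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed parameters"
    # Constant-time comparison so a forged signature cannot be guessed
    # byte by byte from timing differences.
    if not hmac.compare_digest(sig, _signature(parts.path, expires)):
        return False, "bad signature"
    if now >= expires:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    link = sign_url("/img/logo.png", ttl_seconds=600)
    print(link)
    print(verify_url(link))
```

The verifier checks the signature before the expiry so that a URL whose `expires` parameter was edited forward is reported as forged rather than merely expired; the path is part of the signed message, so the same signature cannot be reused for a different object.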
Secure Management of Access Controls via the Admin Console
Through the WebMobi Admin Console, your administrator has the ability to directly manage integration configurations, application themes and user licenses.
Your administrator can instantly enable or disable a WebMobi user.
Your administrator authenticates with a username and password to log in to the Admin Console.
Audit trails can be downloaded from the webMOBI backend by the administrator.
The Admin Console is built on Amazon Web Services and has a rigorous security policy.
Secure API and Mobile Device Strategies
WebMobi utilizes Amazon Web Services (AWS) cloud solutions to ensure the security of data transmission from the API to mobile devices. In addition, WebMobi's apps are built using the latest mobile OS security standards.
Native data encryption is used (e.g. iOS 10+ Data Protection, Android 16+).
WebMobi users are authenticated with a username/password login from the app.
WebMobi suggests that your enterprise have internal mobile device security strategies in place, such as remote wiping, passcode policies and mobile OS standards.
Asset Management Program
Our asset management program covers assets on the home network and external to it. We track the following stages of the asset management lifecycle: request for assets, approval, procurement (including licenses), deployment, usage tracking, storage, expiration and disposal.
For immediate destruction of the most sensitive information we use on-site shredding with local vendors for:
• Documents and charts (paper is destroyed)
• Magnetic media
• Redundant IT equipment (anything holding data is destroyed)
• Handsets and phones
• Disused or faulty products
For data encryption we use AES-128; FileVault 2 full-disk encryption uses XTS-AES-128 with a 256-bit key to help prevent unauthorized access to the information on disk. Our policy for confidential media and paper is destruction by crushing or shredding, using accredited organisations to complete this step.
Network Security: DDoS Mitigation and WAF
webMOBI has licensed Cloudflare's advanced DDoS protection, which is designed to instantly protect everything on cloud and on-premise networks from DDoS attacks.
Passwords and Security Params
We require industry-standard complex passwords. Sensitive data, including passwords and tokens, is protected with salted SHA1 and AES encryption. Minimum password length and password expiration are also supported.
Enterprise deployment systems enforce a minimum password length requirement.
Enterprise deployment systems enforce a maximum password age.
Enterprise deployment systems enforce password strength requirements that require a combination of upper-case letters, lower-case letters, numbers and non-alphanumeric symbols.
Enterprise deployment systems restrict the use of the account name or user ID as part of the password.
Enterprise deployment systems have password history functionality enabled so that passwords cannot be reused within a predefined period.
Enterprise deployment systems enforce user account lock-out after a specified number of incorrect authentication attempts.
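As an added illustration of the controls listed above (example code written for this page, not webMOBI's own implementation), the following Python module enforces minimum length, character-class complexity, the user-ID restriction, password history, maximum password age and lock-out after repeated failures. The thresholds (MIN_LENGTH, MAX_AGE_SECONDS, HISTORY_DEPTH, LOCKOUT_THRESHOLD, LOCKOUT_SECONDS) are assumed values because the page does not state webMOBI's actual settings, and stored passwords are hashed with salted PBKDF2-HMAC-SHA256 from the standard library rather than the salted SHA1 the page names.

```python
"""Password policy enforcement (added example; not webMOBI's code).

Implements the controls listed above: minimum length, character-class
complexity, no user ID inside the password, password history, maximum
password age, and account lock-out after repeated failures.  The numeric
thresholds are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field

MIN_LENGTH = 12               # assumed minimum password length
MAX_AGE_SECONDS = 90 * 86400  # assumed maximum password age (90 days)
HISTORY_DEPTH = 5             # assumed number of previous passwords remembered
LOCKOUT_THRESHOLD = 5         # assumed failed attempts before lock-out
LOCKOUT_SECONDS = 15 * 60     # assumed lock-out duration


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 from the standard library (an assumption of
    # this example; the page names salted SHA1, which is not reproduced).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_complexity(user_id: str, password: str) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no non-alphanumeric symbol")
    if user_id.lower() in password.lower():
        problems.append("contains the account user ID")
    return problems


@dataclass
class Account:
    user_id: str
    entries: list = field(default_factory=list)  # (salt, hash) pairs, newest last
    changed_at: float = 0.0
    failures: int = 0
    locked_until: float = 0.0


def set_password(acct: Account, password: str, now: float) -> list:
    """Apply the policy and, if it passes, store a fresh salted hash."""
    problems = check_complexity(acct.user_id, password)
    # History check: each retained entry has its own salt, so the candidate
    # is re-hashed against every one of them.
    if any(hmac.compare_digest(_hash(password, salt), h) for salt, h in acct.entries):
        problems.append(f"reused one of the last {HISTORY_DEPTH} passwords")
    if problems:
        return problems
    salt = os.urandom(16)
    acct.entries = (acct.entries + [(salt, _hash(password, salt))])[-HISTORY_DEPTH:]
    acct.changed_at = now
    return []


def authenticate(acct: Account, password: str, now: float) -> str:
    """Return 'ok', 'expired', 'locked' or 'denied'."""
    if now < acct.locked_until:
        return "locked"              # no password check while locked
    if not acct.entries:
        return "denied"
    salt, current = acct.entries[-1]
    if not hmac.compare_digest(_hash(password, salt), current):
        acct.failures += 1
        if acct.failures >= LOCKOUT_THRESHOLD:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "denied"
    acct.failures = 0
    if now - acct.changed_at > MAX_AGE_SECONDS:
        return "expired"             # correct password, but it must be changed
    return "ok"
```

A locked account is refused before the password is checked, so repeated guesses during the lock-out window learn nothing; the maximum-age check runs only after a successful match, so an expired password still requires the correct old one to set a new one.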
Access privileges are immediately revoked for employees who leave the company or move to a new job role.
For user security, we also enforce a session time-out and/or lockout triggered after a predefined period of user inactivity. User sessions are maintained through cookies; we bind the session ID to the cookie so that session hijacking is not possible.
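The following Python example, added for this page and not taken from webMOBI's platform, shows one way to implement an idle time-out together with a session cookie that cannot be forged: the random session ID lives server-side with the user and the time of last activity, and the cookie carries the ID plus an HMAC tag computed with a server key. The key, the cookie name, the IDLE_TIMEOUT value and the function names are assumptions for the example.

```python
"""Server-side session with idle time-out and a tamper-evident session
cookie (added example; not webMOBI's code).

A cookie with a bad tag, an unknown session ID, or a session idle for longer
than IDLE_TIMEOUT is rejected.  COOKIE_KEY, COOKIE_NAME and IDLE_TIMEOUT are
assumed values for this example.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

COOKIE_KEY = b"example-cookie-signing-key"  # constructed; load from a secret store in practice
IDLE_TIMEOUT = 15 * 60                     # assumed idle time-out in seconds
COOKIE_NAME = "webmobi_session"            # assumed cookie name

_sessions = {}  # session_id -> {"user": user_id, "last_seen": timestamp}


def _tag(session_id: str) -> str:
    """HMAC tag binding the session ID to this server's key."""
    return hmac.new(COOKIE_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def create_session(user_id: str, now: Optional[float] = None) -> str:
    """Start a session after login and return the cookie value for it."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)   # URL-safe alphabet, never contains '.'
    _sessions[session_id] = {"user": user_id, "last_seen": now}
    return f"{session_id}.{_tag(session_id)}"


def set_cookie_header(cookie_value: str) -> str:
    """Set-Cookie line with attributes that keep the cookie off plain HTTP,
    out of reach of page scripts, and out of cross-site requests."""
    return (f"Set-Cookie: {COOKIE_NAME}={cookie_value}; Secure; HttpOnly; "
            f"SameSite=Strict; Path=/; Max-Age={IDLE_TIMEOUT}")


def resolve_session(cookie_value: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user ID for a valid, non-idle session, otherwise None."""
    now = time.time() if now is None else now
    session_id, sep, tag = cookie_value.rpartition(".")
    if not sep or not hmac.compare_digest(tag, _tag(session_id)):
        return None                       # forged or corrupted cookie
    entry = _sessions.get(session_id)
    if entry is None:
        return None                       # unknown or already ended session
    if now - entry["last_seen"] > IDLE_TIMEOUT:
        del _sessions[session_id]         # idle too long: end the session
        return None
    entry["last_seen"] = now              # activity extends the session
    return entry["user"]


def end_session(cookie_value: str) -> None:
    """Explicit logout: forget the session server-side."""
    _sessions.pop(cookie_value.rpartition(".")[0], None)


if __name__ == "__main__":
    cookie = create_session("demo-user")
    print(set_cookie_header(cookie))
    print(resolve_session(cookie))
```

Because validity is decided server-side, a stolen or guessed cookie value is only useful while its session exists and is active; logging out or exceeding the idle window removes the entry, after which the same cookie resolves to nothing.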
We use the user ID to keep audit logs for each user at the application and dashboard levels. For administrators, we use the Dome9 audit cloud to track logins and access to the cloud, combined with Cloudflare access log capture. See the link below for more information.
https://blog.cloudflare.com/dome9-cloudflare-combined-security-for-your-w/
Data in Transit and REST Security
We employ encryption to protect customer data in transit. We use SSL/TLS with a minimum TLS version of 1.2, and HTTP Strict Transport Security (HSTS) is enabled. Only HTTPS connections from visitors that support TLS 1.2 or newer are allowed.
For protection (encryption/hashing) of stored passwords and other sensitive data, we use salted SHA1 and AES-256 encryption with salt for sensitive data including passwords and tokens.
Passwords, Security Params & Backups
We back up all media information following the AWS S3 bucket encryption process described at https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html. All sensitive data stored in our system is protected with AES encryption.
For data backups we use the AWS RDS service for regular backups and updates. A backup occurs during a daily, user-configurable 30-minute period known as the backup window, and automated backups are kept for a configurable number of days called the backup retention period (https://aws.amazon.com/rds/details/backup/).
All media information, including backups, is stored in S3. All backups are encrypted according to the standards prescribed by AWS S3.
Security-related Event Records
We use Amazon Inspector (https://aws.amazon.com/inspector/) for compliance assessment of applications deployed on AWS.
After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by severity. These findings are available via the Amazon Inspector console and are shared with the security administrators weekly.
We use the ThreatResponse Suite to help with incident response in the AWS environment. After a security incident we have a process to identify and notify the customers affected by that incident.
We use Amazon GuardDuty for SIEM. More information is available at https://aws.amazon.com/blogs/security/tag/siem/
Reports for audited events are generated by the tools listed in the previous responses, including Dome9, Cloudflare, Amazon Inspector and other monitoring services. Logs are retained for three years and protected from change.
Network Devices
All our encrypted traffic goes through Cloudflare. We secure the fixed corporate network by restricting access to infrastructure devices and enforcing multi-factor authentication (MFA) so that only authorised personnel can connect. We use Dome9 to monitor for unauthorized network connection points such as wireless access points, modems, etc.
Wireless networks are encrypted (WPA2 with AES). Guests are given a separate Wi-Fi network on an as-needed basis. For VoIP we use compliant services (RingCentral).
webMOBI Architecture and Compliance
Security option: data security / retention (10 years in the AWS S3 cloud)
Security: https://webmobi.com/security
GDPR Compliance: https://webmobi.com/gdpr-compliance
Privacy policy: https://webmobi.com/privacy-policy
Terms and Conditions: https://webmobi.com/terms-and-conditions
AAD Authentication / SAML / Enterprise Integration for SSO: integration available for web and native Android / iOS apps
User Provisioning: https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/user-provisioning
SSO Integration: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/one-click-sso-tutorial
Android / iOS Apps: https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-android