AppTunnel with TCP tunneling support for Android secure apps

AppTunnel can tunnel HTTP/S requests from an AppConnect app to an enterprise server that is behind the enterprise firewall. AppTunnel with HTTP/S tunneling is supported with wrapped Java apps that use a specific set of Java HTTP/S APIs. If a wrapped Java app uses APIs outside of this set, or uses TCP for its network connections, it can use AppTunnel with TCP tunneling to secure data-in-motion to enterprise servers. AppTunnel with TCP tunneling therefore expands the set of AppConnect apps that can tunnel data to an enterprise server.

When an AppConnect app uses AppTunnel with TCP tunneling, the traffic between the device and the Standalone Sentry is secured using an Secure Sockets Layer (SSL) session, as shown in the following diagram:

Figure 1. AppTunnel with TCP tunneling for Android devices

Types of apps that can use AppTunnel with TCP tunneling

The following types of apps can use AppTunnel with TCP tunneling:

  • Hybrid web apps, including PhoneGap apps.
    Hybrid web apps use Android WebView and WebKit technologies to access and display web content. WebView does not use one of the Java HTTP/S APIs that Android AppConnect wrapping supports with AppTunnel with HTTP/S tunneling. Therefore, AppTunnel with TCP tunneling is required.
  • Java apps
    Java apps that use APIs outside of the set of Java HTTP/S APIs that AppTunnel with HTTP/S tunneling supports can tunnel the data using AppTunnel with TCP tunneling.
  • Java apps which use C or C++ code to access an enterprise server
    C or C++ code does not use the set of Java HTTP/S APIs that AppTunnel with HTTP/S tunneling supports. These apps can tunnel the data using AppTunnel with TCP tunneling.
  • React Native apps
  • Xamarin apps that use APIs outside the set of APIs that AppTunnel with HTTP/S tunneling supports.

Note the following:

  • AppTunnel does not support UDP tunneling. For example, apps that require UDP for streaming video are not supported.

  • AppTunnel with TCP tunneling does not support Kerberos authentication to the enterprise server. It supports only pass through authentication. With pass through authentication, the Standalone Sentry passes the authentication credentials, such as the user ID and password (basic authentication) or NTLM, to the enterprise server.
    Therefore, apps that must use AppTunnel with TCP tunneling, such as hybrid apps, cannot use Kerberos authentication to the enterprise server. However, these apps can use Certificate authentication using AppConnect with TCP tunneling for Android secure apps.

When to use AppTunnel with HTTP/S tunneling versus TCP tunneling

The following table shows whether to use AppTunnel with HTTP/S tunneling or AppTunnel with TCP tunneling for an Android secure app. It also shows which generation of the wrapper to use.

Table 20.   AppTunnel support for HTTP/S versus TCP tunneling on Android secure apps

 

AppTunnel with HTTP/S tunneling

AppTunnel with TCP tunneling

Java code using supported HTTP/S APIs *

Supported with Generation 1 or 2 wrapper

Supported

Requires Generation 2 wrapper

Java code using unsupported HTTP/S APIs *

Not supported

Supported

Requires Generation 2 wrapper

C or C++ code

Not supported

Supported

Requires Generation 2 wrapper

Hybrid web app, including Phonegap apps

Not supported

Supported

Requires Generation 2 wrapper

Xamarin apps

Supported with Generation 1 or 2 wrapper if using supported HTTP/S APIs

Supported

Requires Generation 2 wrapper

React Native

Not supported

Supported

Requires Generation 2 wrapper

* The supported HTTP/S Java APIs are listed in the AppConnect for Android App Developers Guide

Contact the application vendor or developer to find out whether to configure AppTunnel with HTTP/S tunneling or AppTunnel with TCP tunneling.