AppTunnel with TCP tunneling support for Android secure apps
AppTunnel can tunnel HTTP/S requests from an AppConnect app to an enterprise server that is behind the enterprise firewall. AppTunnel with HTTP/S tunneling is supported with wrapped Java apps that use a specific set of Java HTTP/S APIs. If a wrapped Java app uses APIs outside of this set, or uses TCP for its network connections, it can use AppTunnel with TCP tunneling to secure data-in-motion to enterprise servers. AppTunnel with TCP tunneling therefore expands the set of AppConnect apps that can tunnel data to an enterprise server.
When an AppConnect app uses AppTunnel with TCP tunneling, the traffic between the device and the Standalone Sentry is secured using a Secure Sockets Layer (SSL) session, as shown in the following diagram:
Figure 1. AppTunnel with TCP tunneling for Android devices
Types of apps that can use AppTunnel with TCP tunneling
The following types of apps can use AppTunnel with TCP tunneling:
- Hybrid web apps, including PhoneGap apps.
  Hybrid web apps use Android WebView and WebKit technologies to access and display web content. WebView does not use one of the Java HTTP/S APIs that Android AppConnect wrapping supports with AppTunnel with HTTP/S tunneling. Therefore, AppTunnel with TCP tunneling is required.
- Java apps
  Java apps that use APIs outside of the set of Java HTTP/S APIs that AppTunnel with HTTP/S tunneling supports can tunnel the data using AppTunnel with TCP tunneling.
- Java apps which use C or C++ code to access an enterprise server
  C or C++ code does not use the set of Java HTTP/S APIs that AppTunnel with HTTP/S tunneling supports. These apps can tunnel the data using AppTunnel with TCP tunneling.
- React Native apps
- Xamarin apps that use APIs outside the set of APIs that AppTunnel with HTTP/S tunneling supports.
Note the following:
- AppTunnel does not support UDP tunneling. For example, apps that require UDP for streaming video are not supported.
- AppTunnel with TCP tunneling does not support Kerberos authentication to the enterprise server. It supports only pass through authentication. With pass through authentication, the Standalone Sentry passes the authentication credentials, such as the user ID and password (basic authentication) or NTLM, to the enterprise server.
Therefore, apps that must use AppTunnel with TCP tunneling, such as hybrid apps, cannot use Kerberos authentication to the enterprise server. However, these apps can use Certificate authentication using AppConnect with TCP tunneling for Android secure apps.
When to use AppTunnel with HTTP/S tunneling versus TCP tunneling
The following table shows whether to use AppTunnel with HTTP/S tunneling or AppTunnel with TCP tunneling for an Android secure app. It also shows which generation of the wrapper to use.
| | AppTunnel with HTTP/S tunneling | AppTunnel with TCP tunneling |
|---|---|---|
| Java code using supported HTTP/S APIs * | Supported with Generation 1 or 2 wrapper | Supported. Requires Generation 2 wrapper |
| Java code using unsupported HTTP/S APIs * | Not supported | Supported. Requires Generation 2 wrapper |
| C or C++ code | Not supported | Supported. Requires Generation 2 wrapper |
| Hybrid web app, including PhoneGap apps | Not supported | Supported. Requires Generation 2 wrapper |
| Xamarin apps | Supported with Generation 1 or 2 wrapper if using supported HTTP/S APIs | Supported. Requires Generation 2 wrapper |
| React Native | Not supported | Supported. Requires Generation 2 wrapper |
* The supported HTTP/S Java APIs are listed in the AppConnect for Android App Developers Guide.
Contact the application vendor or developer to find out whether to configure AppTunnel with HTTP/S tunneling or AppTunnel with TCP tunneling.