Mobile SDK Security

Zoom's Contact Center Mobile SDK allows Zoom customers to integrate Contact Center capability into their mobile apps. Contact Center Mobile SDK was designed and developed through the Zoom Secure Development Lifecycle (SDLC). Security is a shared responsibility. We recommend customers and third-party developers/integrators use these security best practices when developing mobile apps with the Zoom Contact Center Mobile SDK.

Contact Center Mobile SDK lets end users start their engagement by selecting a pre-configured entry ID from your mobile app's landing page. Your app may request your end users' basic contact information to identify themselves. To better protect both your Contact Center assets and your end users' data, we recommend deploying additional security measures at this point.

Authenticate the mobile user

Your mobile app provides end user access to your Contact Center, and possibly to other resources. Some form of user authentication - such as username and password - is recommended to protect your app from unauthorized access. For an enhanced user experience and improved security, you may also add some sort of biometric authentication supported by the native mobile platforms.

Prevent mobile app fraud

Threat actors can use bots or trojans to abuse your Contact Center integrated mobile app by issuing excessive engagement requests, which wastes both your Contact Center resources and your agents' time. Here are some countermeasures to deploy to help prevent mobile app fraud.

Use reCAPTCHA

Google SafetyNet reCAPTCHA API is a free service which uses an advanced risk analysis engine to protect apps from abusive actions. reCAPTCHA effectively distinguishes between your human customers and bots or click trojans. reCAPTCHA is also available to iOS apps. See https://cloud.google.com/recaptcha-enterprise/docs/instrument-ios-apps. Since typical mobile devices have smaller screen sizes, take measures to present an accessible and user-friendly reCAPTCHA UI/UX.

Implement two-factor authentication (2FA)

Two-factor authentication (2FA) is standard for apps that allow users to access sensitive functions and data. Deploy one of these 2FA measures to protect critical transactions - such as CCI entry access - from abuse.

  • One-time password via SMS (SMS-OTP)
  • One-time code via phone call
  • Hardware or software token
  • Push notifications in combination with Public Key Infrastructure (PKI) and local authentication

Whichever option is used as the second factor, it must always be enforced and verified on the server side, never on the client side.
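The following is an added example, not code from Zoom or from the Contact Center Mobile SDK, showing what server-side enforcement of an SMS-OTP second factor looks like: the server issues the code, stores only a keyed hash of it, and applies expiry, single use, an attempt limit and a constant-time comparison, so nothing the mobile client reports can substitute for the check. The server key, the user identifier and the time values are constructed for the example; a real deployment would keep the key in the application server's secret store and hand the code to an SMS gateway.

```python
import hmac
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300      # code lifetime (assumption: five minutes)
MAX_ATTEMPTS = 5           # wrong guesses allowed before the code is discarded

# Constructed for the example: in production this key comes from the server's
# secret store, so a leaked OTP table is useless without it.
SERVER_OTP_KEY = secrets.token_bytes(32)


@dataclass
class OtpRecord:
    digest: bytes       # HMAC of the code, never the code itself
    expires_at: float
    attempts: int = 0
    used: bool = False


def _digest(user_id: str, code: str) -> bytes:
    # Bind the code to the user so a digest cannot be replayed for another account.
    return hmac.new(SERVER_OTP_KEY, f"{user_id}:{code}".encode(), hashlib.sha256).digest()


class OtpService:
    """Issues and verifies one-time codes entirely on the server side."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock                      # injectable for tests
        self._records: Dict[str, OtpRecord] = {}

    def issue(self, user_id: str) -> str:
        # Unpredictable code from the OS CSPRNG; issuing again replaces any pending code.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._records[user_id] = OtpRecord(
            digest=_digest(user_id, code),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        return code  # goes to the SMS gateway, never back to the app in the API response

    def verify(self, user_id: str, submitted: str) -> str:
        """Returns one of: ok, wrong_code, expired, locked, already_used, no_pending_code."""
        rec = self._records.get(user_id)
        if rec is None:
            return "no_pending_code"
        if rec.used:
            return "already_used"
        if self._clock() > rec.expires_at:
            del self._records[user_id]
            return "expired"
        if rec.attempts >= MAX_ATTEMPTS:
            del self._records[user_id]
            return "locked"
        rec.attempts += 1
        # Constant-time comparison of digests; the submitted value is hashed the same way.
        if hmac.compare_digest(_digest(user_id, submitted), rec.digest):
            rec.used = True      # a code can succeed at most once
            return "ok"
        return "wrong_code"


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("user-1")                 # constructed user identifier
    print("sent via SMS:", code)
    print(svc.verify("user-1", "000000"))      # most likely wrong_code
    print(svc.verify("user-1", code))          # ok
    print(svc.verify("user-1", code))          # already_used
```

The mobile app only collects the digits the user typed and forwards them; the outcome is whatever `verify` returns, and the protected action (for example, reaching a Contact Center entry) is released by the server only on `ok`.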

Detect a jailbroken or rooted device

A threat actor often runs the target mobile app on a jailbroken or rooted device to bypass many security controls. If your mobile app cannot detect that it is running on such a device, it is exposed to a greater threat.

We recommend that you build your mobile app with the ability to detect and respond to a rooted or jailbroken device by alerting the user, terminating the app, or both.

Use supplementary authentication

Supplementary authentication involves checking an end user's contextual information to strengthen user authentication. Such information might include:

  • Geolocation
  • IP address
  • Time of day
  • The mobile device being used

Ideally, in such a system, the user's context is compared to previously recorded data to identify anomalies that might indicate account abuse or potential fraud. This process is transparent to the user, but is a powerful deterrent to attackers. However, the collection and reporting of the users' information MUST comply with local data privacy regulations.
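As an added example (not code from Zoom or the SDK), the server-side comparison described above: each sign-in context is scored against the user's previously recorded contexts on the four signals listed (geolocation, IP address, time of day, device), and the score maps to allow, step up to a second factor, or block. The history, coordinates, addresses, device identifiers, weights and thresholds are all constructed for the example; the 900 km/h travel-speed limit is an assumption standing in for "faster than an airliner".

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumption: anything faster is "impossible travel"
LOCATION_NOISE_KM = 50.0          # ignore small GPS / geo-IP jitter
STEP_UP_THRESHOLD = 30            # constructed thresholds and weights
BLOCK_THRESHOLD = 70


@dataclass(frozen=True)
class Context:
    lat: float
    lon: float
    ip: str
    device_id: str
    at: datetime          # timezone-aware


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def assess(history: List[Context], current: Context) -> Tuple[int, List[str], str]:
    """Score the current context against recorded history; returns (score, reasons, decision)."""
    if not history:
        # Nothing to compare against yet: do not trust a first sighting outright.
        return STEP_UP_THRESHOLD, ["no_history"], "step_up"

    score, reasons = 0, []
    if current.device_id not in {h.device_id for h in history}:
        score += 30
        reasons.append("new_device")
    if current.ip not in {h.ip for h in history}:
        score += 10
        reasons.append("new_ip")

    # Impossible travel: distance from the most recent sighting versus elapsed time.
    last = max(history, key=lambda h: h.at)
    dist = haversine_km(last.lat, last.lon, current.lat, current.lon)
    hours = (current.at - last.at).total_seconds() / 3600
    if dist > LOCATION_NOISE_KM and (hours <= 0 or dist / hours > MAX_PLAUSIBLE_SPEED_KMH):
        score += 40
        reasons.append("impossible_travel")

    # Time of day: hour never seen before for this user (UTC hour, kept simple).
    if current.at.hour not in {h.at.hour for h in history}:
        score += 10
        reasons.append("unusual_hour")

    decision = "block" if score >= BLOCK_THRESHOLD else "step_up" if score >= STEP_UP_THRESHOLD else "allow"
    return score, reasons, decision


def _utc(*parts: int) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample data: two prior sign-ins from one device and address in San Jose.
SAMPLE_HISTORY = [
    Context(37.3382, -121.8863, "203.0.113.10", "dev-A", _utc(2024, 5, 1, 9, 0)),
    Context(37.3382, -121.8863, "203.0.113.10", "dev-A", _utc(2024, 5, 2, 10, 0)),
]
# Same device, address and place, at a familiar hour.
SAMPLE_NORMAL = Context(37.3382, -121.8863, "203.0.113.10", "dev-A", _utc(2024, 5, 3, 9, 30))
# Two hours after the last sighting, from Tokyo, on a new device and address.
SAMPLE_ANOMALOUS = Context(35.6762, 139.6503, "198.51.100.7", "dev-B", _utc(2024, 5, 2, 12, 0))


if __name__ == "__main__":
    print(assess(SAMPLE_HISTORY, SAMPLE_NORMAL))      # (0, [], 'allow')
    print(assess(SAMPLE_HISTORY, SAMPLE_ANOMALOUS))   # block, with all four reasons
```

Only the decision reaches the app; the raw context stays on the server, and storing the history at all is subject to the privacy constraint stated above. Weights are additive on purpose so that a single noisy signal (a new IP address from a mobile carrier) triggers at most a step-up, while several corroborating signals are needed to block.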

Conclusion

In addition to the security countermeasures in this article, we recommend that you adopt the industry-accepted OWASP Mobile Application Security Verification Standard.