Mobile Product Capabilities

Mobile devices are typically designed to be single-user devices and normally lack basic user profile and security features beyond a simple password. Do not assume that mechanisms available on larger platforms will be available on mobile. An enterprise Mobile Device Management (MDM) solution is a great starting point for a more secure mobile posture. The Esri Security Standards & Architecture team has released a white paper titled ArcGIS Secure Mobile Implementation Patterns to help guide IT managers and GIS administrators in deploying an enterprise GIS with a mobile field component.

Mobile Risks

The Open Web Application Security Project (OWASP) provides a good representation of the current mobile application threat landscape. Common risks in the OWASP Mobile Top 10 include:

  • Weak server-side controls
  • Insecure data protection (in-transit and at-rest)
  • Lack of authentication and authorization

Reference the OWASP site for the full listing of the Mobile Top 10. The best practices section for mobile provides useful guidance for minimizing these risks.

Security Guidelines for Esri Mobile Applications

Esri's mobile apps enable field workflows through ArcGIS Online and ArcGIS Enterprise. As such, all of the apps support the following:

  • Named user identity for access control
  • Leveraging Groups and Sharing to control access to content
  • Using ArcGIS Custom Roles to limit privileges
  • HTTPS to encrypt data in transit

Privacy Considerations:

  • Users should design Projects to limit or prevent collection of Personally Identifiable Information (PII)
  • Consider designing a hybrid solution in which an on-premises ArcGIS Enterprise hosts data that contains PII
  • Configure your organization to require HTTPS ONLY

Collector for ArcGIS

  • Requires a Level 2 Named User
  • Supports Feature Service Views to control sharing/editing access to content
  • Supports the AppConfig standard and Mobile Application Management solutions to enhance security
  • Supports side-loading of basemap content for offline viewing
  • Supports Esri's transaction model for enterprise geodatabases (versioning, non-versioned archiving)
  • Editor or Location Tracking functionality may collect information like:
    • Who created data (username for Named User Account)
    • When data was created (date and time at the point of creation)
    • Where data was collected from (GPS accuracy in meters)

Survey123

  • Requires a Level 2 Named User
  • Supports Feature Service Views to control sharing/editing access to content
  • Supports side-loading of basemap content for offline viewing
  • Use the Collaborate Tab in survey123.arcgis.com to share surveys with stakeholder groups
    • Using the Collaborate Tab will leverage ArcGIS Hosted Feature Layer views to block editing access from stakeholders

Explorer for ArcGIS

Navigator for ArcGIS

  • Requires a Level 1 Named User and additional license
  • Supports offline maps (downloaded or side-loaded)
  • With custom navigation maps you can see and search for your organization's assets, route on custom roads, and use custom travel modes

Workforce for ArcGIS

  • Control access through ArcGIS Online or ArcGIS for Portal
  • Web app requires HTTPS ONLY enabled in the Organization to encrypt all data in transit
  • Limit user capabilities by limiting feature access (create, delete, query, update)
  • Editor or Location Tracking functionality may collect information like:
    • Who created data (username for Named User Account)
    • When data was created (date and time at the point of creation)
    • Where data was collected from (GPS accuracy in meters)
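
The HTTPS-only and feature-access bullets above can be checked against exported settings; the following audit is an added example, not Esri code. The sample JSON is constructed, the key names `allSSL` and `capabilities` are assumed to mirror what an administrator exports for the organization and each feature service, and the layer names and policy are hypothetical.

```python
import json

# Constructed sample data, not taken from a real organization. The key names
# ("allSSL", "capabilities") are assumptions about the exported JSON.
ORG = json.loads('{"name": "Example Org", "allSSL": false}')
SERVICES = json.loads("""{
  "assignments_field":       {"capabilities": "Create,Delete,Query,Update"},
  "assignments_stakeholder": {"capabilities": "Query"},
  "legacy_layer":            {"capabilities": "Create, Query,update"}
}""")

# Hypothetical policy: the operations each layer is meant to expose.
POLICY = {
    "assignments_field": {"create", "query", "update"},
    "assignments_stakeholder": {"query"},
}

def parse_capabilities(service):
    """Split the comma-separated capabilities string into a lowercase set."""
    raw = service.get("capabilities") or ""
    return {part.strip().lower() for part in raw.split(",") if part.strip()}

def audit(org, services, policy):
    """Return sorted (target, finding) tuples for settings that exceed policy."""
    findings = []
    # Anything other than an explicit true is treated as "not enforced".
    if org.get("allSSL") is not True:
        findings.append(("organization", "HTTPS only is not enforced"))
    for name, service in services.items():
        granted = parse_capabilities(service)
        if name not in policy:
            # Layers nobody has reviewed are reported rather than silently passed.
            findings.append((name, "no policy entry, granted: " + ",".join(sorted(granted))))
            continue
        excess = granted - policy[name]
        if excess:
            findings.append((name, "excess operations: " + ",".join(sorted(excess))))
    return sorted(findings)

if __name__ == "__main__":
    for target, finding in audit(ORG, SERVICES, POLICY):
        print(f"{target}: {finding}")
```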

ArcPad

  • Password protect and encrypt the AXF data file
  • Encrypt mobile device memory cards
  • Secure your ArcGIS Server environment with users and groups to limit who can publish ArcPad data

Note:

Best practices guidance across all ArcGIS mobile apps is provided in the ArcGIS Secure Mobile Implementation Patterns Whitepaper.