Mobile device security

This document applies to the current ServiceNow iOS and Android offering. This document may be subject to change for future mobile releases and re-platforming efforts.

Components and architecture

The ServiceNow solution consists of the ServiceNow server instance and the iOS and Android hybrid apps. A hybrid app includes both native and web components. The mobile client applications communicate over a wireless connection with the server and pull live data for the end user.

Component explanations

iOS App
The ServiceNow iOS app is a hybrid application that can be used on iPhone, iPad, and Apple Watch. Most components are native; some, such as forms, are web components. Users can download it directly from the App Store, or the organization can pull it, configure it dynamically, and distribute it through MDM (see Internal mobile app distribution below). ServiceNow does not currently distribute the IPA file to customers.
Android app
The ServiceNow Android app is a hybrid application that can be used on Android devices. Most components are native; some, such as forms, are web components. Users can download it directly from Google Play, or the organization can pull it, configure it dynamically, and distribute it through MDM (see Internal mobile app distribution below). ServiceNow does not currently distribute the APK file to customers.

Identity and access management

Control user access with user authentication, session timeout, and termination.

User authentication

The mobile app authenticates to the instance with OAuth 2.0 tokens. The user's identity can be verified by any of the following mechanisms: multi-provider SSO, MFA, LDAP, Local DB, and Digest.

Multi Provider SSO

The mobile app leverages federated login when using the multi provider SSO plugin [com.snc.integration.sso.multi.installer]. For more information on configuring multi provider SSO, see Mobile single sign on.

Multifactor authentication

Users can access the instance via Multifactor Authentication using the MFA plugin [com.snc.integration.multifactor.authentication]. For more information on MFA configuration, see mobile multifactor authentication.

LDAP

LDAP authentication lets users access the instance with their LDAP directory credentials. For more information on LDAP configuration, see LDAP integration and authentication.

Local DB

Local DB authentication validates the username and password against the user record stored in the instance database.

Digest

Digest token authentication passes the user's identity and a digest token in an HTTP header. The header itself is not encrypted, so its confidentiality depends entirely on the TLS channel described under Data in motion; do not expose this mechanism over plain HTTP. For more information on digest configuration, see Digest token authentication.

Not supported

  • The standalone SAML 2.0 plugin (SAML through the Multi-provider SSO plugin is supported)
  • Kerberos
  • Certificate-based authentication

Storage/Keychain

When you sign in to the app on your mobile device, the app uses your credentials to negotiate an OAuth token with the instance. On iOS the token is stored in the Keychain; on Android it is stored in the Android Keystore. The keychain encryption is AES 128 in Galois/Counter Mode (GCM).

The mobile app never stores the user password.

Session length and timeout

The session length and timeout is configurable by the organization. For more information on configuring session time out, see mobile session app timeout.

User termination

When an administrator deletes or removes a user from the system, that user is logged out of the mobile client.

Mobile data flow

Data can be retrieved by, downloaded to, and written back from a mobile device.

Retrieval

The following describes how the ServiceNow mobile app retrieves data from the instance.

Read data

When a user requests to view information on the mobile app, the following steps occur.
  1. The mobile app sends a request to access data from the instance.

    The request includes the token and any relevant data field needed for the request.

  2. The instance receives the request and checks if the Token is valid.
  3. If the token is valid, the request is directed to the relevant API to fetch the information.
  4. The information is returned to the mobile app.

Downloading documents

When a user requests to download documents from the app, the following steps occur.
  1. The mobile app sends a request to access the document.

    The request includes the Token.

  2. The instance receives the request and checks if the Token is valid.
  3. If valid, the document becomes available to view or take further actions on the device.

Write-backs

The following describes how data is written back from the ServiceNow mobile app.

Updating fields

When a user updates a field in the mobile app, the following steps occur.
  1. The mobile app sends the Token and the action metadata, for example the ID, or the field to be updated, to the instance.
  2. The instance directs the action based on the relevant API.
  3. The instance completes the action and sends a response to the mobile app.
  4. Based on the response, the mobile app reflects the field changes and action availability in the UI.

Attaching documents

When attaching documents, the following steps occur.
  1. The mobile app asks the user to attach a document, for example, an image.
  2. The mobile app sends the document and Token to the instance.
  3. The instance stores the document through the relevant API.
  4. The instance sends a response back to the mobile app.

Internal mobile app distribution

Internal distribution of the ServiceNow app is supported through all major EMM vendors.

Customers are able to pull the iOS or Android app from the Apple App store and Google Play respectively, dynamically configure the apps to point to the correct ServiceNow instance, and distribute using the EMM hub. This way, the MDM can fully manage the app as part of a customer portfolio.
Note: ServiceNow does not currently distribute the IPA/APK files, or any other unpublished app, to customers, as doing so would breach the Apple Enterprise Developer License Agreement.
Mobile app distribution providers:

Data security

The ServiceNow app uses TLS to encrypt all over-the-air communication with the instance. The OAuth authorization endpoints are served over HTTPS.

Data at rest

Application preference data such as favorites, the home screen, and the mobile navigator items are stored and cached locally on the device. The mobile app does not store record data such as incidents, problems, etc. on the device unless the organization has specifically enabled offline syncing for Field Services. When offline syncing is enabled, the cached record data is encrypted with AES 128.

Data in motion

Data in motion travels over a TLS channel (HTTPS).

Offline access and data cache configuration

Some field service tables are available to cache locally on the device at the customer’s discretion.

Push notifications

Administrators create push notifications and users are able to receive them.

Cloud

For more information on the push notification system including process, configuration, and architecture, see Push notification system. Administrators can configure push notification delays using scheduled jobs. To view an example included with the base system, navigate to System Scheduler > Scheduled jobs, then search for a job with the name Push. 5 seconds is the minimum time allowed for the push delay.

Mobile security practices

Mobile security practices include mobile-specific system properties, attachment control, password reinforcement, security patching, and controlling shared data.

Security controls

Configure security controls to restrict copy/paste, enable biometric controls, enforce passwords, or control attachment functionality.

Restrict copy/paste

Copy/paste restrictions are defined in the system properties [sys_properties] table. There are two applicable security properties.
  • glide.ui.m.clear_pasteboard_when_backgrounded: Clears the copy/paste clipboard when the ServiceNow app enters the background
  • glide.ui.m.blur_ui_when_backgrounded: Blurs the app's screen when the app enters the background, so the app switcher preview does not show record content. On Android this property also prevents users from taking screenshots.

Enable biometric controls for ReAuth

Determine whether biometric controls are allowed for approval re-authentication using the following system property in the system properties [sys_properties] table.
  • glide.ui.m.auth.allow_biometrics
Enabling this property does not allow users to sign in to the mobile app using biometrics; it only enables biometric re-authentication with the e-signature plugin for approvals.
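The three properties above (the two copy/paste and screen controls, and the biometric re-authentication switch) live in sys_properties and are easy to lose track of across instances. The following is an added example, not ServiceNow's own code: a script for Scripts - Background or a fix script that audits them and, when asked, corrects any that drift. The property names come from this page; the expected values, the function name and the report layout are assumptions for an organization that wants all three enabled. GlideSystem's gs.getProperty() and gs.setProperty() are injected as a parameter so the logic can be unit-tested outside the instance with a stub.

```javascript
// Added example, not ServiceNow code. Audits and optionally enforces the mobile
// hardening properties named on this page. Expected values are a policy
// assumption: change the biometric entry if your organization disallows it.
var MOBILE_HARDENING = {
  'glide.ui.m.clear_pasteboard_when_backgrounded': 'true',
  'glide.ui.m.blur_ui_when_backgrounded': 'true',
  'glide.ui.m.auth.allow_biometrics': 'true'
};

// gsApi is GlideSystem (gs) on the instance; it is passed in so the function can
// run against a stub with getProperty(name, default) and setProperty(name, value).
// Returns { compliant: [names], drift: [{ property, was, expected }] }.
function enforceMobileHardening(gsApi, enforce) {
  var report = { compliant: [], drift: [] };
  for (var name in MOBILE_HARDENING) {
    if (!MOBILE_HARDENING.hasOwnProperty(name)) continue;
    var expected = MOBILE_HARDENING[name];
    var actual = gsApi.getProperty(name, '');  // '' when the property does not exist
    if (actual === expected) {
      report.compliant.push(name);
      continue;
    }
    report.drift.push({ property: name, was: actual, expected: expected });
    if (enforce) gsApi.setProperty(name, expected);
  }
  return report;
}

// On the instance the gs global exists; outside it (for example under Node) this
// block is skipped and the function is only exercised through tests.
if (typeof gs !== 'undefined') {
  var result = enforceMobileHardening(gs, false);  // audit only; pass true to fix
  gs.info('Mobile hardening: ' + result.compliant.length + ' compliant, ' +
          result.drift.length + ' drifting: ' + JSON.stringify(result.drift));
}
```

Run it with enforce set to false first and read the drift list; a property reported as '' has never been created, while 'false' means someone turned it off deliberately and the change deserves a conversation before it is reverted.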

PIN/Password reinforcement

Standard platform password requirements are enforced. Any additional device hardening is the responsibility of the customer.

Attachment control

Use an ACL to block specific access on mobile. Use the isMobile method to check whether a request comes from a mobile device. For example, you could add an ACL for the sys_attachment table whose read and write scripted ACLs include the following check.
// Deny the operation when the request originates from the mobile app
if (gs.isMobile()) {
    return false;
}
Note: You need elevated privileges to create ACLs.
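A blanket mobile deny is often too coarse: field staff may legitimately need to view a photo attached to an incident while you still want to stop uploads from unmanaged handsets. The following is an added example, not ServiceNow's own code, of a scripted ACL that makes that distinction. gs.isMobile(), gs.hasRole(), current.getValue('table_name') and the ACL answer variable are ServiceNow's; the itil role, the incident-only table list and the read/write split are assumptions for illustration. Because ServiceNow keeps one ACL record per operation, the same script is pasted into the read ACL with ACL_OP set to 'read' and into the write ACL with ACL_OP set to 'write'. The decision is wrapped in a function that takes gs and current as parameters so the policy can be tested with stubs before it is deployed.

```javascript
// Added example, not ServiceNow code: a mobile-aware scripted ACL for sys_attachment.
// Policy (assumptions): from the mobile app, attachments may be read only when they
// belong to an incident record and the caller holds the itil role; writes (uploads,
// renames, deletes) from mobile are always denied. Non-mobile requests pass this
// script; the ACL record's own role and condition fields still apply to them.
var ACL_OP = 'read';                          // set to 'write' in the write ACL's copy
var MOBILE_READ_TABLES = { incident: true };  // assumption: parent tables readable from mobile
var MOBILE_READ_ROLE = 'itil';                // assumption: role required for mobile reads

// gsApi stands for GlideSystem (gs), record for the current sys_attachment
// GlideRecord; both are passed in so the policy can be tested with stubs.
function mobileAttachmentAllowed(gsApi, record, op) {
  if (!gsApi.isMobile()) return true;      // desktop/API traffic: not this script's concern
  if (op !== 'read') return false;         // never write attachments from mobile
  var parentTable = String(record.getValue('table_name'));
  var tableAllowed = MOBILE_READ_TABLES.hasOwnProperty(parentTable) &&
                     MOBILE_READ_TABLES[parentTable] === true;
  return tableAllowed && gsApi.hasRole(MOBILE_READ_ROLE);
}

// Inside the ACL script on the instance the globals exist; set the answer there.
// Outside the instance (for example under Node) this block is skipped.
if (typeof gs !== 'undefined' && typeof current !== 'undefined') {
  answer = mobileAttachmentAllowed(gs, current, ACL_OP);
}
```

Test the policy with the stubs first, then deploy the read and write copies and verify from the mobile app itself that an upload is refused while an incident photo still opens; an ACL that is never exercised from a real device is the usual way these rules end up wrong.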

Security patching

In the event a security patch is needed, the mobile development team follows the standard SDLC process to build, test, and release the patch.

User data collection

The mobile app does not specifically collect any user data.

Any user transactions or usage within the app are tracked on the ServiceNow instance just as they are on the web. For user credentials, after a user logs in, the mobile app negotiates an OAuth token that is stored in the Apple Keychain or the Android Keystore. User credentials are never saved. If the user opts in, the following information is collected:
  • Location
  • Access to camera

Shared data

The mobile app communicates with Fabric, a third-party crash-reporting service operated by Google, for app crash reporting. No customer information is shared.

Incident reporting

Mobile app issues should be reported through the standard support channels. You can report incidents by contacting ServiceNow support.