3. About T-Mobile US
America's Un-carrier: Redefining the way consumers and businesses buy wireless through leading product and service innovation.
• Based in Bellevue, Washington
• NASDAQ traded public company – TMUS
• Two flagship brands: T-Mobile and MetroPCS
• 21 consecutive quarters with more than one million net adds
• 323 million Americans covered today
• 18 quarters in a row with the fastest download and upload speeds (Ookla and OpenSignal)
• #1 U.S. wireless carrier in customer care (J.D. Power)
4. About T-Mobile US (cont.)
T-Mobile Open Source Projects (https://opensource.t-mobile.com)
Digital Transformation
• Monolithic to Microservices
• DevOps You Build It, You Own It
• Telemetry
• CI/CD/CT
• Investment in FTEs
Product & Technology
• World-class product management organization
• Empowering teams to build and own customer experience-obsessed products from design through sustainment
• casquatch: Java abstraction layer for Cassandra databases
• next-identity: Highly auditable, blockchain-based access management solution
• keybiner: Library for encoding authorized business functions in an ID token
• t-vault: Simplified secrets management solution
• jazz: A platform for building serverless applications
12. T-Mobile App: Evolution to TAAP for Secure API Access in Hybrid Cloud
• T-Mobile App Overview
• Using Opaque Token and its challenges
• Evolution to TAAP based Token and its benefits
About us: I'm Komes. I have been in IT for a long time in various service-sector companies.
Thanks for taking the time to attend this session. I am Senthil. I head the mCOE at T-Mobile. My responsibilities include strategic and technological guidance for mobile app solutions, which includes both internal and partner apps. I support around 20 apps that are in the T-Mobile portfolio.
T-Mobile started a wireless revolution, the Un-carrier movement, by understanding customer pain points.
Here are some of the Un-carrier moves that have redefined wireless.
We made moves that were never heard of in our industry to meet customer needs. We got rid of long-term contracts as part of Simple Choice, eliminated roaming charges as part of Simple Global, introduced unlimited data plans, and included taxes and fees as part of T-Mobile One, etc.
As a result of all the Un-carrier moves, we had 100% growth in the company in the last five years. We have added more than one million customers for 21 quarters in a row.
Growth is a natural evolution for us as our network has expanded. In 2012, none of our customers had 4G LTE. Today, we cover 323 million people.
T-Mobile delivers an outstanding customer service, and has received the highest score of any company, ever, in the 2018 J.D. Power U.S. Wireless Customer Care study.
In order to adapt to this evolution, T-Mobile started a digital transformation in our Technology organization to make things faster, better and cheaper.
The mission is to increase velocity, quality and throughput while reducing risk and eliminating pain points for both our customers and ourselves.
One key thing to call out is our investment in FTEs to ensure the inherent knowledge and IP stay within the team so we can continue our journey.
Another critical change to help drive our success has been merging product and technology teams to empower teams to build and own end to end, from design to operations.
As we embark on the journey to be a world-class technology leader, we started to share our best practices and learnings through open source projects. We have several projects that are open sourced, and these projects are used across different countries in the world. The topic that we discuss today was also part of the digital transformation and the sharing of our learnings. I will have Komes take us through the next few slides to set the foundation for the topic.
Traditional service/API security is trust based. Just like once you have a ticket at a movie complex, you are good to go to any movie you want: most places don't have a check at the movie gate, or no check on seat placement.
We follow a similar approach in the traditional security model, where the web application server takes care of session validation for the incoming request. If it is good, the web server is allowed to make requests to the back-end services. Pretty much, it can make a call to any server.
Drawback: servers need to validate session validity and state with the web application service. In a modern SPA, it is not a scalable solution. A centralized system for session management is another alternative.
Microservices architecture became popular because of Netflix's and Amazon's success. Microservices promote independent development and deployment; scalability and reusability are key benefits. Having centralized session management would add more complexity in the microservices world, and we want to make sure every cross-domain communication has authN and authZ validation. For instance, for air travel: after booking your ticket, you get a boarding pass, check in, go through the TSA check, and then boarding time. Sometimes, if you are lucky, you get selected randomly.
JWT is used to securely transfer information between two parties. Optionally, validation can be included to make sure of the legitimacy of the content. A driving license is an example.
OAuth 2: user authorization delegation protocol.
Thanks, Komes. Komes has set the foundation for TAAP. In the next few slides, I will walk us through the journey of the T-Mobile app from opaque tokens to TAAP. I will be covering an overview of the T-Mobile app, the challenges of using opaque tokens, and the benefits of transitioning to TAAP.
How many of you have worked on mobile apps?
The T-Mobile app is a mobile application that is available on both Android and iOS. It is preloaded on all Android devices that T-Mobile sells, and there are more than 75M downloads of the app.
The T-Mobile app is key to the self-service channel, and it serves as the first touchpoint to T-Mobile for our customers. Our customers can message, shop, pay their bill, and call us from the app.
The app also collects analytics data that is used to improve the app experience. The key takeaway for this slide is that there are 2 core functions: self-serve and analytics collection.
I will be referring to these 2 functions throughout the slides and mapping them to the 2 versions of the application. V1, launched in 2015, uses opaque tokens, and V2, launched in 2018, is based on TAAP.
Komes discussed how hybrid cloud is used in the enterprise. Here is an example of how it is used by the T-Mobile app.
T-Mobile app data is stored across different infrastructure, from on-prem to cloud.
All login and credential-related information is stored on-prem.
Data that can be used across customers is stored in the public cloud, e.g., device info, device images, plan information, etc.
Restricted data like customer bill, usage, and account info is all stored in the private cloud on PCF.
The experience services specific to the app, which orchestrate data from the different sources, are also in the AWS cloud.
So to recap:
A mobile app that has self-serve and analytics
Two versions of the app
3 different infrastructures
V1 of the T-Mobile app was based on opaque tokens to get self-serve data, and device identifiers were used to submit analytics data.
The user submits the credentials, and once they are successfully validated the response includes an opaque token and a device identifier. These are short strings of hexadecimal characters that mean nothing to the receiving application. It needs to send the opaque token back to the IDP to check its validity. If it is valid, then it continues with the application business logic to retrieve data. When it requires data from a different cloud or on-prem, it passes the opaque token in the request. The receiving app does the same to validate the token with the IDP.
If you recall, Komes mentioned earlier that traditional API security is based on session IDs, and opaque tokens are based on session IDs, valid for a duration.
There are 2 key challenges with opaque tokens. The receiving application is always dependent on a centralized system, in this case the IDP, to complete its operation. There are multiple calls for a given session across different domains, and this impacts the user experience.
The second challenge is that when opaque tokens are valid they are blindly trusted. When an opaque token is stolen, it can be replayed until the end of its validity to access any API that depends only on opaque token validation.
The V2 of the T-Mobile app, launched early this year, uses TAAP.
The user submits the credentials, and once they are successfully validated the response includes a user ID token and a device ID token. These are JWTs that carry the identity of the user and the device in the respective tokens. When requests are made to get app data, the user ID token and a POP token are included for message integrity. The user ID token is validated by the microservice itself, and there is no dependency on the IDP. The applications that want to validate ID tokens fetch the IDP public key using JWK. When it requires data from a different cloud or on-prem, it passes the user ID token in the request, and the receiving app follows the same process to self-validate.
There are 3 tokens used in V2 of the app, derived from the TAAP flow.
Device ID token:
Includes the identity of the device, like the hardware ID and phone number. When diagnostic information is to be submitted, the device ID token is used.
User ID token:
Generated on successful authentication of the credentials, and it includes basic profile information. This information can be used at the microservice to determine subsequent calls.
POP:
The POP token is used along with the ID tokens for message integrity.
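The two flows contrasted above (V1 opaque tokens that every service must send back to the IDP, versus V2 JWT ID tokens that each microservice self-validates with the IDP's published public key, plus a POP token bound to the request) are shown below as an added example. This is illustration code written for this page, not T-Mobile's code and not the TAAP implementation. Everything beyond what the talk states is assumed: the toy textbook RSA signature (no padding, not for production use), the claim names `sub`, `typ`, `iss`, `exp`, the JWKS as a list of keys matched by `kid`, the client key being registered at login, and the POP claim `edts` carrying a SHA-256 over the method, path, body and the ID token it accompanies (PoP, proof of possession, is the standard expansion of the term):

```python
# Added example (not T-Mobile's code): opaque-token introspection versus locally
# verified JWT ID tokens plus a proof-of-possession (POP) token bound to a request.
# Assumed for illustration: textbook RSA over SHA-256 (toy, no padding), claim
# names sub/typ/iss/exp, client key registered at login, POP claim "edts".
import base64, hashlib, json, random, secrets

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin; good enough for a toy key."""
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_keypair(bits=256):
    """Toy RSA: returns (public JWK-like dict, private dict); modulus is 512 bits."""
    def prime():
        while True:
            c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            break
    n = p * q
    kid = hashlib.sha256(str(n).encode()).hexdigest()[:8]
    return {"kty": "RSA", "kid": kid, "n": n, "e": e}, {"kid": kid, "n": n, "d": pow(e, -1, phi)}

def _b64(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _digest_int(s): return int.from_bytes(hashlib.sha256(s.encode()).digest(), "big")

def jws_sign(claims, priv):
    """Compact JWS: base64url(header).base64url(claims).base64url(sig)."""
    head = _b64(json.dumps({"alg": "RS256", "kid": priv["kid"]}).encode())
    signing_input = head + "." + _b64(json.dumps(claims).encode())
    sig = pow(_digest_int(signing_input), priv["d"], priv["n"])
    return signing_input + "." + _b64(sig.to_bytes(64, "big"))

def jws_verify(token, jwks, now):
    """Self-validation at the microservice: kid -> JWK, signature, exp. No IDP round trip."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, claims = json.loads(_unb64(parts[0])), json.loads(_unb64(parts[1]))
    key = next((k for k in jwks if k["kid"] == header.get("kid")), None)
    if key is None:                      # signed by a key the IDP never published
        return None
    sig = int.from_bytes(_unb64(parts[2]), "big")
    if pow(sig, key["e"], key["n"]) != _digest_int(parts[0] + "." + parts[1]):
        return None                      # header or claims altered, or wrong key
    return claims if claims.get("exp", 0) >= now else None

class OpaqueIdP:
    """V1 pattern: opaque session id; every receiving service must ask the IDP."""
    def __init__(self): self.sessions, self.introspections = {}, 0
    def login(self, user):
        tok = secrets.token_hex(16); self.sessions[tok] = user; return tok
    def introspect(self, tok):
        self.introspections += 1; return self.sessions.get(tok)

class JwtIdP:
    """V2 pattern: signs user and device ID tokens; services fetch the JWKS once."""
    def __init__(self, name="idp"):
        self.name = name; self.pub, self.priv = gen_keypair()
    def jwks(self): return [self.pub]
    def login(self, user, device_id, now, ttl=900):
        base = {"iss": self.name, "iat": now, "exp": now + ttl}
        return (jws_sign({**base, "sub": user, "typ": "user"}, self.priv),
                jws_sign({**base, "sub": device_id, "typ": "device"}, self.priv))

def request_digest(method, path, body, id_token):
    return hashlib.sha256("\n".join((method, path, body, id_token)).encode()).hexdigest()

def make_pop(method, path, body, id_token, client_priv, now, ttl=60):
    """Client signs a digest of the exact request with its own key (assumed design)."""
    return jws_sign({"edts": request_digest(method, path, body, id_token), "iat": now, "exp": now + ttl}, client_priv)

def service_authorize(method, path, body, id_token, pop, idp_jwks, client_jwks, now):
    """Microservice check: ID token verified locally, POP must match this exact request."""
    claims = jws_verify(id_token, idp_jwks, now)
    if claims is None:
        return None
    popc = jws_verify(pop, client_jwks, now)
    if popc is None or popc.get("edts") != request_digest(method, path, body, id_token):
        return None                      # stolen ID token replayed with another request, or stale POP
    return claims

def demo():
    random.seed(7)                       # deterministic toy keys for the walkthrough
    now = 1_700_000_000
    v1 = OpaqueIdP(); ot = v1.login("alice")
    for _ in range(3):                   # three services in three infrastructures -> three IDP calls
        v1.introspect(ot)
    idp = JwtIdP(); cpub, cpriv = gen_keypair()          # client key assumed registered at login
    uid, did = idp.login("alice", "IMEI-0001", now)
    req = ("POST", "/v1/bill/pay", '{"amount":42}')     # constructed sample request
    pop = make_pop(*req, uid, cpriv, now)
    args = (uid, pop, idp.jwks(), [cpub])
    return {
        "v1_idp_calls": v1.introspections,
        "v2_user": service_authorize(*req, *args, now)["sub"],
        "v2_device_typ": jws_verify(did, idp.jwks(), now)["typ"],
        "tampered_body": service_authorize("POST", "/v1/bill/pay", '{"amount":4200}', *args, now),
        "stale_pop": service_authorize(*req, *args, now + 120),
        "forged_token": jws_verify(jws_sign({"sub": "mallory", "exp": now + 900}, gen_keypair()[1]), idp.jwks(), now),
    }

if __name__ == "__main__":
    print(demo())
```

The V1 half counts one introspection per receiving service, which is the latency cost the talk attributes to opaque tokens; the V2 half never contacts the IDP after fetching the JWKS. The POP check is what turns a stolen user ID token from "replayable until expiry" into "useless without the client's private key": the same ID token with a changed body, or the same POP presented after its short lifetime, is rejected.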