Typically, to achieve an acceptable level of assurance that an identity or authorization asserted for the purpose of accessing enterprise or cloud systems is valid, the identity and/or authorization assertion (hereinafter “assertion”) needs to be validated against an identity or authorization system that can perform the validation within a secure and controlled context. Such systems include enterprise or cloud-hosted systems that authenticate against an Active Directory or similar directory database, operating within secure and controlled environments managed by trusted entities.
Applications deployed on mobile devices are typically not designed to use enterprise or cloud-managed identity or authorization infrastructure; instead they use proprietary systems, with potentially unknown levels of security, outside the control of the enterprise or the user. This is both inconvenient for the user, who has to manage multiple sets of credentials, and insecure for the enterprise, as employees will be mixing corporate and private applications on the same device. This mix of applications from different sources, together with the potential for loss or theft leading to unauthorized use, introduces the risk that a client application or the underlying operating system is compromised in a way that allows credentials or assertions to be maliciously intercepted on the device.