Restricted Access for Technician Profile
Any ServiceMax mobile app lets users log in to ServiceMax from a mobile device and view the information relevant to them. The app identifies the user with tokens and derives the user's permissions from them. The same tokens are also accepted by the ServiceMax Web App, where they can be used to perform operations that the mobile app itself never exposes. An attacker who obtains the tokens and cookies stored on the device can therefore call endpoints that the app was never expected to consume, without knowing the user's credentials. To limit the impact, admins can now restrict the mobile user profile (for example, the technician profile) to the minimum level of access it actually needs.
The following recommendations apply:
1. Configure the Salesforce profile of the mobile user so that only the following three Apex classes are enabled:
a. INTF_WebServicesDef
b. MobServiceIntf
c. ProductIQServiceIntf
2. In addition to these three classes, grant access to the webservice classes that the mobile app invokes, and only those.
3. Remove Visualforce pages from the Salesforce profile; they are not needed on a mobile device. This applies to all mobile apps.
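As an added example (not ServiceMax's or Salesforce's own code), the following Python script turns the three recommendations above into an audit check. It assumes the profile's SetupEntityAccess records have already been exported from the org and resolved to Apex class and Visualforce page names, and that they are handed to the script as a list of dicts with a type and a name. The record shape, the sample records, and the names MobileWS_Example, AdminBulkUpdateController and AdminConsolePage are constructed for illustration only.

```python
"""Audit a mobile user profile against the minimal ServiceMax technician allowlist.

Added example, not ServiceMax code. Input records are assumed to come from a query
such as (run with the Salesforce CLI, Ids then resolved to names by the caller):

  SELECT SetupEntityType, SetupEntityId FROM SetupEntityAccess
  WHERE ParentId = '<PermissionSet Id owned by the profile>'

Each record is normalised to {"type": "ApexClass" | "ApexPage", "name": "<Name>"}.
"""
from dataclasses import dataclass
from typing import Iterable, List, Mapping

# Recommendation 1: the only Apex classes the mobile profile must keep.
REQUIRED_APEX_CLASSES = frozenset({
    "INTF_WebServicesDef",
    "MobServiceIntf",
    "ProductIQServiceIntf",
})


@dataclass
class AuditResult:
    unexpected_classes: List[str]   # enabled classes outside the allowlist
    missing_classes: List[str]      # allowlisted classes the profile lacks
    visualforce_pages: List[str]    # recommendation 3: should be empty

    @property
    def ok(self) -> bool:
        return not (self.unexpected_classes or self.missing_classes or self.visualforce_pages)


def audit_profile_access(records: Iterable[Mapping[str, str]],
                         mobile_webservice_classes: Iterable[str] = ()) -> AuditResult:
    """Compare the profile's enabled classes and pages with the allowlist.

    mobile_webservice_classes covers recommendation 2: the webservice classes the
    mobile app actually invokes, supplied by the admin who knows the deployment.
    """
    allowed = set(REQUIRED_APEX_CLASSES) | set(mobile_webservice_classes)
    records = list(records)
    enabled_classes = {r["name"] for r in records if r["type"] == "ApexClass"}
    pages = sorted(r["name"] for r in records if r["type"] == "ApexPage")
    return AuditResult(
        unexpected_classes=sorted(enabled_classes - allowed),
        missing_classes=sorted(allowed - enabled_classes),
        visualforce_pages=pages,
    )


# Constructed sample export (hypothetical names), not data from a real org.
SAMPLE_RECORDS = [
    {"type": "ApexClass", "name": "INTF_WebServicesDef"},
    {"type": "ApexClass", "name": "MobServiceIntf"},
    {"type": "ApexClass", "name": "ProductIQServiceIntf"},
    {"type": "ApexClass", "name": "MobileWS_Example"},          # hypothetical mobile webservice class
    {"type": "ApexClass", "name": "AdminBulkUpdateController"}, # hypothetical web-only class
    {"type": "ApexPage", "name": "AdminConsolePage"},           # hypothetical Visualforce page
]


def report(result: AuditResult) -> str:
    """Render the audit result as a short human-readable report."""
    lines = []
    for cls in result.unexpected_classes:
        lines.append(f"REMOVE Apex class access: {cls} (not needed by the mobile app)")
    for cls in result.missing_classes:
        lines.append(f"ADD    Apex class access: {cls} (required by the mobile app)")
    for page in result.visualforce_pages:
        lines.append(f"REMOVE Visualforce page access: {page}")
    return "\n".join(lines) if lines else "Profile matches the minimal mobile allowlist."


if __name__ == "__main__":
    # The admin states which extra webservice classes the mobile app calls.
    print(report(audit_profile_access(SAMPLE_RECORDS, {"MobileWS_Example"})))
```

Run against the sample export, the check flags the web-only controller class and the Visualforce page for removal and reports nothing missing; a profile holding exactly the three required classes and the declared mobile webservice classes passes.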