10 Ways an Embeddable PDP Boosts Continuous Mobile Authentication

Gluu Federation
4 min readMar 24, 2025

To implement continuous authentication, mobile developers must enforce fine-grained enterprise security policies about the person, the device state and the authenticator. An embeddable Policy Decision Point (PDP) is essential for fast local policy evaluation, consistent decision logging and thorough JWT validation. Token-Based Access Control (TBAC) is an emerging access control model that helps mobile developers and security architects implement continuous authentication in iOS and Android applications by taking advantage of:

  • Platform attestation tokens from Google (Play Integrity) and Apple (App Attest)
  • Passkey attestation statements describing the authenticator (for example, whether the private key is bound to the device)
  • A variety of JWTs from trusted identity providers, such as OpenID Connect ID tokens or OAuth 2.0 access tokens.

TBAC answers the question: “Given this bundle of tokens, is this action on this resource allowed in this context?” The tokens become first-class inputs to the decision, so developers can write policies over the claims carried in JWTs from trusted issuers such as identity providers, hardware platforms and federations.

Top 10 Reasons to use an Embeddable PDP for Mobile Access Control

1. Continuous Authentication

With policies evaluated locally, the device is well placed to decide whether the user’s current authentication state is sufficient, using the enterprise’s current threat data. Because mobile apps are long running, a sensitive action may require fresh proof of user presence. Why wait for a failed API request when the mobile app can detect that the current authentication state is insufficient before making the call?

2. Consistent JWT Validation

While verifying a JWT signature is straightforward, developers have two harder jobs: (1) validating the contents of the JWT, which vary with the type of token (issuer, audience, expiry and type-specific claims); (2) checking the status of the JWT to support revocation. These validations are better left to the embeddable PDP, which can enforce an allow-list of signature algorithms (rejecting “none” and weak algorithms) and carry formal schemas for the JWT security tokens, attestations and assertions it understands.
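As an added example (not Gluu or Cedarling code), the following Python validates a bundle of JWTs with named rejection reasons and then answers the TBAC question for a sensitive action, including the continuous-authentication check from reason 1 above. The issuer names, the HS256 shared secrets, the claim names, the revocation list and the per-action re-authentication ages are assumptions made for the example; a production PDP would verify RS256/ES256 signatures against each issuer’s published JWKS and consult a real revocation or token-status list.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust configuration for the example (not a real deployment).
ISSUER_KEYS = {
    "https://idp.example.com": b"idp-demo-secret",        # identity provider
    "https://attest.example.com": b"attest-demo-secret",  # device attestation service
}
ALLOWED_ALGS = {"HS256"}          # explicit allow-list: "none" and unknown algs are rejected
EXPECTED_AUD = "mobile-app"
REVOKED_JTIS = {"jti-revoked-1"}  # stand-in for a revocation / token status list
MAX_AUTH_AGE = {"view": 86400, "delete": 300}  # seconds since auth_time, per action

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint(claims, key):
    """Build an HS256 token for the example scenario; not part of the PDP itself."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def validate_jwt(token, now):
    """Return (claims, "ok") or (None, reason). Each rejection has a named reason
    so the decision log records why a token failed, not just that it did."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
    except ValueError:  # bad base64, bad JSON or wrong part count
        return None, "malformed"
    if header.get("alg") not in ALLOWED_ALGS:
        return None, "alg_not_allowed"
    key = ISSUER_KEYS.get(claims.get("iss"))
    if key is None:
        return None, "untrusted_issuer"
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None, "bad_signature"
    if claims.get("aud") != EXPECTED_AUD:
        return None, "wrong_audience"
    if now >= claims.get("exp", 0):  # a missing exp fails closed
        return None, "expired"
    if now < claims.get("nbf", 0):
        return None, "not_yet_valid"
    if claims.get("jti") in REVOKED_JTIS:
        return None, "revoked"
    return claims, "ok"

def decide(tokens, action, resource, now):
    """TBAC: given this bundle of tokens, is this action on this resource allowed?
    Returns a decision record that doubles as the decision-log entry."""
    validated, status = {}, {}
    for name, tok in tokens.items():
        validated[name], status[name] = validate_jwt(tok, now)
    record = {"action": action, "resource": resource, "token_status": status}
    idt, dev = validated.get("id_token"), validated.get("device_attestation")
    if idt is None or dev is None:
        return {**record, "decision": "DENY", "reason": "missing_or_invalid_token"}
    if not dev.get("device_integrity"):
        return {**record, "decision": "DENY", "reason": "device_integrity_failed"}
    # Continuous authentication: a sensitive action needs a recent auth_time,
    # so the app can prompt for re-authentication before it ever calls the API.
    auth_age = now - idt.get("auth_time", 0)
    if auth_age > MAX_AUTH_AGE.get(action, 0):  # unknown actions also deny
        return {**record, "decision": "DENY", "reason": "reauth_required", "auth_age": int(auth_age)}
    return {**record, "decision": "ALLOW", "reason": "policy_satisfied", "sub": idt.get("sub")}

def demo(now=None):
    """Constructed scenario: alice authenticated 20 minutes ago on a device that passed attestation."""
    now = time.time() if now is None else now
    idp, att = ISSUER_KEYS["https://idp.example.com"], ISSUER_KEYS["https://attest.example.com"]
    id_claims = {"iss": "https://idp.example.com", "aud": EXPECTED_AUD, "sub": "alice",
                 "auth_time": now - 1200, "exp": now + 3600, "jti": "jti-1"}
    bundle = {
        "id_token": mint(id_claims, idp),
        "device_attestation": mint({"iss": "https://attest.example.com", "aud": EXPECTED_AUD,
                                    "device_integrity": True, "exp": now + 600}, att),
    }
    # Two client-side forgeries a PDP must reject: a wrong signing key and an "alg":"none" header.
    forged = dict(bundle, id_token=mint(dict(id_claims, sub="mallory"), b"attacker-guess"))
    none_head = b64url_encode(b'{"alg":"none"}')
    alg_none = dict(bundle, id_token=none_head + "." + bundle["id_token"].split(".")[1] + ".")
    return {
        "view": decide(bundle, "view", "doc:42", now),        # ALLOW
        "delete": decide(bundle, "delete", "doc:42", now),    # DENY: reauth_required
        "forged": decide(forged, "view", "doc:42", now),      # DENY: bad_signature
        "alg_none": decide(alg_none, "view", "doc:42", now),  # DENY: alg_not_allowed
    }
```

Note the order of checks: the algorithm allow-list is applied before any key lookup, and the signature is verified before any claim is trusted, so a forged body can never influence which checks run. The "delete" denial carries the reason "reauth_required", which is the signal the app uses to prompt for a fresh authenticator rather than sending a request the API would reject anyway.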

3. Consistent Logging

The decision logs from the mobile app provide the most important data for detecting attackers before they can get onto your protected network. If you only examine the data from the identity provider, and have no visibility into what’s happening in the application, your opportunity to detect identity threats is greatly reduced.
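Consistent decision logs are only useful if something consumes them. As an added example (not Gluu or Cedarling code, and not the Cedarling log format), the following Python runs two simple detections over constructed decision-log lines of the kind a mobile app might upload: a burst of token-validation failures from a single device, which a benign client never produces, and a device whose attestation verdict regresses after it was previously allowed. The field names, the window size and the threshold are assumptions.

```python
import json
from collections import defaultdict

# Constructed decision-log lines, one JSON object per line (not a real log format).
SAMPLE_LOG = """
{"ts": 1700000000, "device": "dev-A", "sub": "alice", "action": "view", "decision": "ALLOW", "reason": "policy_satisfied"}
{"ts": 1700000010, "device": "dev-B", "sub": "bob", "action": "view", "decision": "DENY", "reason": "bad_signature"}
{"ts": 1700000012, "device": "dev-B", "sub": "bob", "action": "view", "decision": "DENY", "reason": "bad_signature"}
{"ts": 1700000015, "device": "dev-B", "sub": "bob", "action": "delete", "decision": "DENY", "reason": "revoked"}
{"ts": 1700000020, "device": "dev-B", "sub": "bob", "action": "view", "decision": "DENY", "reason": "bad_signature"}
{"ts": 1700000030, "device": "dev-A", "sub": "alice", "action": "delete", "decision": "DENY", "reason": "reauth_required"}
{"ts": 1700000100, "device": "dev-A", "sub": "alice", "action": "delete", "decision": "DENY", "reason": "device_integrity_failed"}
{"ts": 1700000400, "device": "dev-C", "sub": "carol", "action": "view", "decision": "DENY", "reason": "bad_signature"}
"""

# Denial reasons that indicate a forged, replayed or tampered token rather than a policy miss.
TOKEN_ABUSE_REASONS = {"bad_signature", "revoked", "alg_not_allowed", "untrusted_issuer"}
WINDOW_SECONDS = 60   # assumed sliding window
THRESHOLD = 3         # assumed alert threshold within one window

def parse_log(text):
    """Parse JSON-lines decision logs, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def detect_token_abuse(events):
    """Return {device: max failures seen inside one window} for devices that reach THRESHOLD.
    A 'reauth_required' denial is normal UX; repeated bad signatures are not."""
    by_device = defaultdict(list)
    for e in events:
        if e["decision"] == "DENY" and e["reason"] in TOKEN_ABUSE_REASONS:
            by_device[e["device"]].append(e["ts"])
    alerts = {}
    for device, stamps in by_device.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > WINDOW_SECONDS:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= THRESHOLD:
                alerts[device] = max(alerts.get(device, 0), count)
    return alerts

def detect_integrity_regression(events):
    """Return {device: ts} for devices that were allowed earlier but later failed
    device integrity: the attestation verdict changed while the user kept working,
    which is what a mid-session jailbreak or tampering looks like in the logs."""
    seen_ok, regressed = set(), {}
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["decision"] == "ALLOW":
            seen_ok.add(e["device"])
        elif e["reason"] == "device_integrity_failed" and e["device"] in seen_ok:
            regressed[e["device"]] = e["ts"]
    return regressed

def run(text=SAMPLE_LOG):
    events = parse_log(text)
    return {"token_abuse": detect_token_abuse(events),
            "integrity_regression": detect_integrity_regression(events)}
```

Both detections depend on the app logging the specific rejection reason, not just ALLOW or DENY; that is the concrete payoff of consistent decision logging. The identity provider alone would never see dev-B’s forged tokens, because the embedded PDP rejected them before any request left the device.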

4. Dynamic UI Rendering

Access control doesn’t just protect API endpoints — it also dictates what users see. Should a user see a “delete” button? Should they be able to access a feature in the app’s menu? Using policies at the UI layer enables dynamic UI rendering based on the user’s permissions or context.

5. Offline Support

Modern apps often work in unreliable or offline environments. If access control is enforced only on the server, offline features are impossible or hard to secure. An embeddable PDP allows developers to enforce local access policies even when there’s no network. Mobile apps can upload decision logs to the enterprise once network connectivity is restored.

6. Improved Responsiveness

Latency kills UX. With local TBAC policy evaluation, decisions happen immediately; there is no need to round-trip to a server just to check whether a button should be enabled. An embeddable PDP can evaluate a policy in microseconds, even on a mobile CPU.

7. Privacy Protection

Policies are evaluated locally. No personal data or access logic needs to be sent to the server for every decision. This can help reduce data exposure and improve compliance.

8. Zero-Trust Adherence

In a Zero Trust environment, decisions should be based on real-time context. By embedding the PDP in the mobile application, you can enforce policies that consider dynamic attributes such as device state, network, or session age. Zero Trust also means security everywhere, including the front end. Obviously we still need security policies in the API gateway, backend and database: a mobile client runs on hardware its user controls and can be tampered with, so local decisions complement server-side enforcement rather than replace it. But ignoring security in the front end is inconsistent with the intent of Zero Trust.

9. Developer Productivity

Externalizing policies from code makes authorization logic easier to test, audit, and reuse across components. Externalized, peer-reviewed policies turn the never-ending stream of policy updates into a normal, reviewable change process.

10. Consistency Across Platforms

Using externalized policies creates a unified policy model: you write the policy once and run it anywhere. No more digging through separate iOS and Android code to check that the two platforms enforce the same rules.

Conclusion

Security is not an afterthought — it’s a user experience requirement. By embedding a PDP into your mobile app and adopting Token-Based Access Control, you gain:

  • Instant, offline-capable access decisions
  • Cleaner, testable, and maintainable authorization logic
  • Improved user experience with dynamic UI
  • Policy consistency across platforms

Mobile developers today are expected to build secure, dynamic, and responsive apps. With TBAC, you’re equipped to meet those expectations — and go beyond.

If you’re building a mobile app that needs real access control, it’s time to ditch hardcoded logic and move toward a policy-first architecture. Contact us at Gluu to find out more about our new open source embeddable PDP, the Cedarling, which is built on the Rust Cedar engine and has bindings for iOS, Android and WASM.

Written by Gluu Federation

Central authentication & authorization for web and mobile applications.