Table of Contents

Mockup/prototype 4

Another thing 7

Moar things 9

Mockup/prototype 12

Table of Contents

How Backend as a Service Enables the Mobile Enterprise 3

Comparing DIY and BaaS Development Tracks 7

Selecting target mobile platforms 8

Mockup/prototype 10

Analyze backend system interface 11

Select middleware technology that works with the backend interface 12

Generate the backend interface 14

Handling security 21

Caching 23

Offline behavior 25

Page 3 of 27

How Backend as a Service Enables the Mobile Enterprise

To achieve competitive advantage, large organizations today are busy developing mobile

applications that meet two key objectives: 1) enable business processes for employees,

and 2) meet the growing mobile demands of customers. In order to do both, organiza-

tions very often need to integrate mobile apps with enterprise systems and data col-

lectively referred to as the backend. Organizations that do not integrate mobile apps

securely and effectively with their existing backend infrastructure will face competitors

whose employees are more productive, whose customers are more satisfied, and whose

costs are lower.

Historically, many IT departments have gone the do-it-yourself route to integrate with

mobile, often by using homegrown solutions and at other times by cobbling together

various on-premise tools. But just as the cloud has disrupted virtually every other busi-

ness function, cloud-based middleware solutions are now emerging as viable alterna-

tives to DIY.

Page 4 of 27

DIY vs BaaS: The Enterprise Mobility Showdown

Organizations that adopt this type of cloud-based backend as a service (BaaS) typically

do so for the following reasons:

Faster deployment it takes less time to deploy a mobile app if most of the backend infrastructure already exists

Faster app performance because BaaS is their core business, providers are highly incentivized to constantly find and implement performance optimizations

in their code (and might be expected to have many more years of experience do-

ing it) compared to developers for whom the backend is not a core focus

Higher quality greater service refinement through constant process optimi-zation and deep domain experience leads to reduced error rates

Lower TCO development and support costs can be spread over many users, and organizations do not over-provision IT capacity to handle demand peaks for

data, thereby reducing expense

Higher reliability because a cloud infrastructure can scale with demand, app performance (e.g., screen refresh) remains consistently high

Higher customer / user satisfaction as quality, reliability and app perfor-mance all consistently reach higher levels, end-user satisfaction will follow

Higher margins lower TCO plus higher user satisfaction (hence increased business volume, lower cost of sales, and more productive employees) equals

more money for the business

The motivation of these BaaS adopters is easy to understand: why spend time develop-

ing and maintaining something that isnt your core competency when you can outsource

that component to a proven, more cost-effective vendor?

Building out backend infrastructure that makes enterprise data securely and efficient-

ly available on tailored enterprise mobile apps is non-trivial. Furthermore, that backend

plumbing like most plumbing is non-differentiating. Its one of those things

DIY vs BaaS: The Enterprise Mobility Showdown

Page 5 of 27

that is only noticed when it fails. So, rather than spend limited resources on challeng-

ing, non-differentiating backend development, organizations often create more value by

focusing instead on app frontend development i.e., the apps differentiating function-

ality.

These backend development challenges include:

Lack of compatibility between backend and frontend development

Security

Complexity of third-party APIs

Architecting highly reusable code

Legacy databases and systems not engineered for mobile

Offline operation

Caching

Policy management

User management and access control

Social login

Using a BaaS, many mobile integration tasks can be accomplished simply by filling out a

form or clicking a few dashboard icons rather than spending weeks in custom devel-

opment. Often functions such as auto generation of REST APIs are available out of the

box. (A REST API, or application programming interface, is a commonly used mechanism

with which a web service talks to an application over the webs http protocol. It is con-

sidered lighter weight and therefore better suited for mobile devices than the SOAP

mechanism which is typically used in the enterprise space to connect web services to

applications running on desktop computers.)

And rather than devise a one-of-a-kind interface for every app, backend data set, or

third-party API that a mobile app might require, organizations typically can use a single

stable BaaS interface to specify virtually any backend data field they want an app to

read or update.

So lets look at how a BaaS handles mobiles enterprise integration challenges ver-

sus DIY and how this achieves the benefits cited in speed, cost savings, higher quality,

DIY vs BaaS: The Enterprise Mobility Showdown

Page 6 of 27

greater reliability, higher customer / user satisfaction and ultimately improved margins.

For the sake of our discussion in this paper, lets also assume that in either case, DIY

or BaaS, the organization is seeking to employ an agile development methodology (al-

though companies that deploy waterfall or other development methodologies can equal-

ly derive value from these comparisons.) So one of the first challenges right at the start

is to figure out how to adapt an agile track to the mobile space.

Page 7 of 27

Comparing DIY and BaaS Development Tracks

For the sake of discussion, lets assume that software development occurs in seven stag-

es, each of which is iterative within its own scope and within the overall cycle:

1. Receive request to build app

2. Select the target mobile platform(s)3. Wireframes

4. Mockup or prototype5. Core development (backend interface, security, caching, offline operation, etc.)6. Testing

7. Deployment

The highlighted stages (2, 4 and 5) make the most difference in terms of time and effort

when choosing one approach over the other and hence offer the greatest opportuni-

ty for cost and time savings. In this example, lets assume we are building a client app to

work with our SalesForce CRM system. Okay, so lets compare:

DIY

Selecting target mobile platforms

In the DIY scenario, developers are limited in the number of mobile platforms they can support in part because they will have to de-vote resources to building a different backend connection to each platform they target. The problem is: there are lots of platforms. There are two dominant ones by market share, An-droid and iOS, and also several that are less dominant, but nonetheless important, including Windows Mobile, Symbian and Blackberry. The mobile web (i.e., HTML5/JavaScript/CSS3) is also a platform. Then within the An-droid market itself there are also dozens of

BaaS

Selecting target mobile

platforms

By serving as an any-to-any universal

connector, a BaaS can provide a single

interface to each mobile platform the

organization wishes to support. It essen-

tially commoditizes the pipe, meaning

that there is no additional connection

toll to pay in order to plug a given back-

end data source into another mobile

platform or to plug a given mobile plat-

form into another backend data source.

Of course, the mere fact that a BaaS

could potentially provide such a

important variants of the platform introduced by different device manufacturers.

This typically means (in the DIY approach) that the interface between each data source and each mobile client must be custom tailored, which also means there is a potentially astro-nomical number of unique source-to-mobile connections that must be developed and main-tained over time even with all the various components of those connections subject to constant change: enterprise data, data formats, connection protocols, middleware, develop-ment tools, mobile operating systems, mobile hardware specs, and more.

This is a new environment for many enterprise developers even compared to writing desk-top web apps. Those were often targeted for one browser (Internet Explorer) running on one kind of system (Windows PCs). Even though there have been many browsers introduced over the years, and even though Apple desk-tops and laptops have gained significant market

share, enterprise IT managers have been able to enforce the IE/Windows standard as cor-porate policy. Such platform purity is much harder to achieve in the mobile space when end users (even employees) insist on using their own devices.

commoditized backend pipe does not

mean that a given BaaS actually does.

Thats one of the criteria for evaluating a

BaaS: How easy is it to add mobile plat-

forms on which the organization wishes

to access backend data?

DIY BaaS

Page 10 of 27

Mockup/prototype

Instead of a mockup, a BaaS approach

enables construction of a working pro-

totype using sample backend data

and in less time than to go through all

the work of constructing a cardboard

lookalike. (For prototyping you just im-

port sample .CSV or JSON data to Kin-

vey.) Once user buy-in is obtained, the

prototype is essentially done except for

polishing work and implementing securi-

ty.

Mockup/prototype

In the DIY case, the goal is to create a model of what the finished app might look like, so

developers can present it to end-users for com-ment and buy-in. A lot of effort is therefore spent making the model as lifelike as possible. Sample screens are mocked up and sample (static) data is typically hardcoded and stored locally. The code used to populate the screens with that data may in fact bear no resemblance to the actual code to be written for the finished

app. It is simply there to create an experience that approximates what end-users can expect. Actual work on the production code can only begin after end-user buy-in.

DIY BaaS

Page 11 of 27

Analyze backend system

interface

If a vendors BaaS implementation an-

swers these questions already, most

analysis can focus on the frontend, not

backend interface details. In this app,

for example, the developer can just fol-

low the Kinvey Getting Started Guide to

download the library containing the code

needed to talk to the backend.

Analyze backend system interface

How does the backend present its data to the outside world? What type of inputs will the client app give the backend and what type of outputs will the client expect back? What type of API exists on the backend? SOAP? REST? Whats the connection protocol? TCP? HTTP? How will the backend handle errors? What re-sponse codes will be returned? These are some of the questions the DIY developer needs to ask and answer before moving forward.

DIY BaaS

Page 12 of 27

Select middleware

technology that works with

the backend interface

Not needed. Out of the box, Kinvey gen-

erates a REST interface that maps to the

SalesForce SOAP API, which the orga-

nization then tailors based on data field

mappings, etc.

Select middleware technology that works with the backend interface

Since this is a SalesForce example, the devel-oper has to work with a SOAP interface. So de-velopers need middleware technology that gen-erates compatible APIs for the client. Theyll have to check with the SalesForce documen-tation to see if there is a recommended tool-set. (There is. For a full rundown, check the SalesForce API Quick Start Guide). For other enterprise apps, appropriate candidates might be Apache Axis2 (for generating Java-based clients) or WSClient++ (a web service SOAP

Page 13 of 27

client generator for Android, iPhone, and Blackberry on Java). Developers will need to be familiar with the appropriate tools and make an evaluation as to which tool is best suited for their specific situation.

DIY BaaS

Page 14 of 27

Generate the backend

interface

Going the BaaS instead of the DIY route

takes a lot of this back and forth be-

tween development teams off the table.

As a result there is a lot less rework and

a lot less time spent on conference calls

and email so resources are used more

efficiently. But they are also used more

efficiently because there is simply less

work to do if a BaaS has already done

much of the work already. In the Sales-

Force example, generating a backend in-

terface is a two-step process. First, fron-

tend and backend developers agree on

Generate the backend interface

Once the middleware technology is selected, other implementation choices also need to be made and both the frontend and backend developers need to agree on these choices. This agreement is necessary if the frontend devel-oper will build an interface to the backend that the backend developer is expecting. What makes this agreement so challenging is that there are so many areas on which the two must agree in order for the interface to work and in a DIY scenario front- and backend develop-ers may need to negotiate every single item. Areas of potential disagreement run the gamut

Page 15 of 27

what fields from the SOAP interface are

required and, second, they generate the

data link using a Kinvey command-line

application (i.e., they dont need to write

the interface).

A BaaS can therefore make coming to

agreement simpler in two key ways.

First, it can greatly reduce the number

of variables over which the frontend and

backend teams need to negotiate and,

second, it can make it easier for them to

negotiate over those variables that do re-

main. The number of variables is reduced

to the extent that the BaaS provides off-

the-shelf connections to enterprise data

that the development team would other-

wise need to create on its own. So in the

example described above (i.e., Opportu-

nities vs. OpportunityById) that discus-

sion would be moot if the BaaS provider

had already written or selected interface

syntax, a connection protocol (e.g., TCP

or HTTP), an interface type (e.g., SOAP or

REST), service ports, etc. Thats often the

case when the backend is a commercial

cloud-based app (again, SalesForce is an

example), where the selections involved

would mostly already be done.

from high-level architectural decisions (like how to implement client-side caching, if at all) to more granular decisions such as whether the data passed from backend to frontend will come over the link in an array.

In this example, one decision to make right at the outset is whether to bind directly to the SalesForce SOAP API or create an intermedi-ate layer (like in a BaaS). Binding directly to the SOAP API takes less development time, but also creates a tighter coupling between the mobile app and the backend application. Why does that matter? Lets say the organization wishes to change the name of a field in Sales-Force (e.g., sales lead to prospect). With a tight coupling, that single change means the client app must be rewritten, regenerated and redeployed for all platforms running the mo-bile app. The same would be true if new fields

are added on the backend. So, what perhaps looked like a way to reduce development time and cost actually turns out to be just the oppo-site.

Once you have decided on an interface strate-gy, the next step is to decide how to implement that strategy for example, whether to pass an entire record or only pieces of it as request-ed over the link.

Page 16 of 27

Rather than define all this manually sim-

ply to retrieve specific fields the de-

veloper just lists the fields to be retrieved

by name and the BaaS stages the data

from the selected fields in the cloud for

delivery to the mobile device. To enable

delivery, the frontend developer needs

to have included the relevant libraries

and also have included the names of the

fields to be imported. Compared to the

DIY case, thats a lot fewer items for the

frontend and backend teams to agree on,

and far simpler too.

In a homegrown app, however, the BaaS

may not have already mapped to the na-

tive backend interface. But even here,

plugging into the BaaS from the enter-

prise side is simpler than when going the

DIY route. The BaaS API already exists

and is well documented so there should

be no guesswork by the backend team

about whether its code will agree with

the frontend. Then once the BaaS stages

the data all the frontend team must do

(once the relevant libraries are installed

in the app) is write in the names of the

fields to be accessed.

Take a scenario in which a sales rep working in the field needs to pull a sales opportunity re-cord from an enterprise CRM application back at headquarters. Suppose that Opportunity is an object containing 100 fields, such as the

name of a sales prospect, the persons con-tact information, the type of opportunity (e.g., high value, low value) and so on. The backend developer might have decided that the most efficient way to deliver sales oppor-tunities to requesting clients is simply to bring the entire 100 fields of all 1,200 active oppor-tunities over the link. This developer may also have had no other choice, depending on which client-side development tools were selected. Either way, it is then left up to the mobile app to parse whichever fields the user wants to

see from the opportunity which means the client-side developer knows to implement the client code required to do that parsing a fact the backend developer may assume, but which may not necessarily be true.

Thats also assuming that the client would even know how to call the backend data in the first

place that the client-side developer would write the call the way the backend developer expects the call to be written.

You dont have to be a programmer to see how the two developers might have written

Page 17 of 27

different SOAP interfaces. In SOAP, a WSDL (web service description language) file con-tains XML syntax essentially a header that sets up the call by telling the compiler what metadata to expect. So if the client is getting all sales opportunities in one call (as the back-end developer expects) then the WSDLs XML syntax might look like this:

If, on the other hand, the frontend developer expects to be able to pull only certain fields

across the link (perhaps to conserve limited CPU or link bandwidth) then the actual WSDL (not expected by the backend developer) might look like this:

Here only data from a specific opportunity

object would be passed based on an ID the user input (not all 1,200) and, in fact, only one field, OpportunityType, would be passed

from the object (not all 100). From the fron-tend developers viewpoint, this might be the most efficient way to request specific data from

a specific record from the backend, given the

clients resource constraints. But obviously if

Page 18 of 27

we finished pages ago

the backend developer did not agree on this approach (or it hadnt been discussed), the app wouldnt work.

Of course, such a discussion only helps if the backend hasnt been finished yet. It could

very well be, for example, that the backend is a commercial cloud-based enterprise applica-tion such as SalesForce. In that case, no back-end developer may be available with whom the frontend developer can negotiate. In cases where the backend does belong to the enter-prise, the backend may still be written before the frontend. So, again, the backend interface might have been written with more of a leg-acy enterprise orientation than a mobile ori-entation likely leading to backend/frontend mismatches such as the one just described. That can sometimes happen even if the mobile app project requires the enterprise to develop new backend code from scratch.

Why would an enterprise actually choose to develop backend code first? One reason is that

backend code runs, by definition, on backend

servers. In other words, it runs where most enterprise code runs so it makes sense that many enterprise developers would start there. They know the tools, the environment, and are highly practiced in both. A substantial portion of the total project might very well appear as

Page 19 of 27

low hanging fruit. The problem is that by building a backend to support a still non-exis-tent frontend, the odds are high that the back-end will have to be redesigned and rebuilt later ultimately extending the project timeline beyond what it would have been if the frontend had been done first.

Even if both the frontend and backend parts of the project are started at the same time, there is still a meet in the middle problem that must be solved which is hard to do in a DIY scenario. Both sides are negotiating decisions about some of the variables in play and making assumptions about others. Many of those as-sumptions will simply be overlooked lead-ing to a protracted back-and-forth between the two sides, perhaps across wide geographic dis-tances and between people who do not speak the same native language. Even if teams agree on fixes, the sequence of when those fixes are

applied can often get out of sync. So one team is applying a patch to its own code so that code can now work with what the team thinks is the current rev of the second teams code by which time the second teams code has also changed based on the last email exchange, so therefore none of the fixes work and neither

team knows why.

Page 20 of 27

But how to move data between the backend and the frontend is merely one set of imple-mentation details on which the frontend and backend must agree. Other areas include the caching and offline operation (to be discussed

later), as well as features such as social logins and security (also discussed later).

DIY BaaS

Page 21 of 27

Handling security

OAuth support generally involves install-

ing both Kinvey library and the OAuth

service providers authentication library.

The providers libraries produce authen-

tication tokens and hand them off to Kin-

vey which creates an identity. Installing

the Kinvey libraries means the mobile

app already has the functionality to en-

crypt user credentials, pass them to the

OAuth authentication service as the ser-

vice prescribes, and handling the three-

way interchange between client, server

and the OAuth service provider.

Handling security

There is a lot to do here in the DIY approach much of it having to do with how the code on both the backend and frontend sides will manage OAuth tokens and provide support for user authentication flow that (in this example)

SalesForce requires.

OAuth is one of the newest measures for in-tegrating security for the enterprise and is currently one of measures being most rapidly adopted for authenticating users of a web ser-vice. Part of OAuths appeal is that it passes encrypted tokens between clients and serv-ers rather than usernames and passwords

Page 22 of 27

and that the tokens are provided by a trusted third-party service. It is that third party that receives, authenticates and stores usernames and passwords not the organizations own server. The benefit is that there is much less ex-posure to man-in-the-middle attacks by which credentials are intercepted and decrypted.

Without going into details, suffice it to say that

if youve never done it before handling this token flow is a complex task, involving among

other details authentication system constraints imposed on both client and server. These con-straints can include such things as how long a token is allowed to live in the client before it is either used to validate some request or ex-pires and whether the token is allowed to be cached either on the client or on the backend.Part of this complexity comes from having to select and manage the middleware involved which requires its own learning curve in addi-tion to the learning curve required for handling the basic interface-to-interface connection setup previously discussed.

DIY BaaS

Page 23 of 27

Caching

Kinvey provides code for in-memory

caching so the only thing the developer

might want to do is tweak the caching

policies that are baked into the Kinvey

library.

Caching

Android (to take one example) requires over 400 lines of code to handle in-memory caching properly and efficiently on the mobile device.

So if one of the implementation decisions is to cache data in memory, writing that much code can take significant time and effort. The code

is also extremely sophisticated since it must be able to handle fairly complex scenarios such as what to do if two threads try to access the same piece of data without locking up the app. And if written incorrectly, the caching code would be extremely difficult to troubleshoot.

One reason is that the app is probably written to assume that some operations take time, so

Page 24 of 27

the fact that data is taking longer to retrieve then expected might not immediately suggest an issue with the caching code.

Other implementation details on the DIY route include determining how and which fields

should be cached and the algorithm that de-cides when data is removed from cache (such as a LRU, or least recently used, algorithm). Still another detail is whether the client code needs to explicitly manage the cache on every call or should caching be abstracted (i.e., built into the definition of the call object class).

Just to handle the cache explicitly may require less sophisticated programming (and so seem easier), it can mean that there will be lots of caching code to maintain throughout the app which can ultimately lead to more errors, more rework and a longer project timeline.

DIY BaaS

Page 25 of 27

Offline behavior

The BaaS provider can include in its

downloadable libraries code that works

with the backend to automatically ad-

dress many of these offline-versus-on-

line questions such as whether to

cache a specific piece of data on the lo-

cal device so its available to the backend

when the connection is restored. Ideally,

a client library would monitor the state

of the connection continuously and know

what to do when the connection was lost,

such as to trap any errors occurring be-

cause the app is offline rather than let-

ting the app simply crash.

Offline behavior

This takes 1000+ lines of code and typical-ly requires integration with SQLite. That is something else enterprise developers have not typically had to contend with before, even with respect to web apps. With the web they could pretty much assume that users would always be working in areas with robust Internet connec-tivity. So the question of what happens when the app is not connected to the Internet could usually be ignored without significant conse-quences. Thats no longer the case with mobile apps since users will often be working in plac-es (like airplanes) where Internet connectivity cannot be assured.

Page 26 of 27

So then what?

Will the app crash because some data is no longer available? If the app does not crash, will users be alerted that the backend connection is unavailable? Will the application store user inputs on the mobile device and update the backend once Internet connectivity is restored? How will that update occur? What happens if there have been multiple edits to the same data (perhaps by other users who were also offline

at the same time)? What about operations that do not involve backend data? Will they contin-ue to operate so that the user experience is the same as if connectivity had not been lost? (Ide-ally, yes.)

Taking the DIY approach automatically re-quires enterprise developers to have answers to all these questions and also that they must know how to implement those answers in code even though this may be unfamiliar territory to many of them.

Page 27 of 27

Ultimately, what counts, of course, are not the implementation details but the time and

cost it takes to produce a polished high-quality app. Having many of these details taken

care of with built-in functionality means there is less risk of frontend versus backend

incompatibilities; hence, less time spent by development teams going back and forth

looking to prevent or troubleshoot issues. It also means that developers can avoid han-

dling complex middleware, getting up to speed on the latest OAuth security protocols,

engineering advanced caching policies across potentially dozens of different devices,

solving the offline behavior problem (again for multiple devices) and much more.

Instead they can focus on what truly makes a difference to their organizations the

functionality and experience the mobile app delivers to end-users. A better, more dif-

ferentiating experience delivered at far less cost and on a much shorter timeline. Thats

how you make an enterprise mobile!

Adding it All Up

Page 28 of 27

Written ByMorgan Bickle @morganbicOn any given day youll find Morgan programming mobile SDKs, building

backend APIs, and discussing the future of web and mobile technology. As part of

the core founding team at Kinvey and now the CTO, he owns Kinveys

technology vision. Prior to Kinvey, he wrote enterprise software for a decade.

Randall CronkSince 1990, Randall has helped over 250 high-tech companies convey the value

of what they do through white papers, web content, brochures, case studies

and articles. Based today in downtown Boston, he was previously a vice president

with Regis McKenna where he ran the Digital Equipment account.

Project Managed byKelly Rice @kellyrice88

Designed byJacob McKibben @ez_Jake_oven

What is Kinvey? Kinvey makes a fully-featured Backend as a Service

solution for enterprises, agencies and individual developers. The compa-

nys platform offers 3rd party data integrations, multi-platform support,

push notications, and custom business logic. Enterprise features, such

as Data and Authentication Links to virtually any business system, are

also available for business-to-employee mobile apps.