MobileFirst application authenticity overview
An overview of application authenticity features and procedures within IBM MobileFirst™ Platform Foundation
IBM MobileFirst Platform Foundation framework provides a number of security mechanisms. One of them is a security test for application authenticity. Most IBM MobileFirst Platform Foundation security mechanisms are based on the same concept: obtaining identity through challenge handling. Just as the user authentication realm is used to obtain and validate the identity of a user, an application authenticity realm is used to obtain and validate the identity of an application. Therefore, this process is referred to as application authenticity.
Any entity can access HTTP services (APIs) that are available from MobileFirst Server by issuing an HTTP request. Therefore, it is suggested that you protect relevant services with a number of security tests. Application authenticity makes sure that any application that tries to connect to MobileFirst Server is authentic and was not tampered with or modified by some attacker.
Starting with IBM MobileFirst Platform Foundation V7.0, you can enable one of three levels of authentication for your app: none, basic, and extended. For more information about enabling extended app authentication, see Configuring extended app authenticity checking. Extended application-authenticity validation is not supported for iOS apps that are installed from the Apple app store. See the Extended application authenticity for iOS known limitation.
Authenticity process
- The application makes an initial request to MobileFirst Server.
- MobileFirst Server goes through the authentication configuration and finds that this application must be protected by an application authenticity realm.
- MobileFirst Server generates a challenge token and returns it to application.
- The application receives the challenge token.
- The application processes the challenge token and generates a challenge response.
- The application submits the challenge response to MobileFirst Server.
- If the challenge response is valid, MobileFirst Server serves the application with the required data.
- If the challenge response is invalid, MobileFirst Server refuses to serve the application.
Authenticity considerations during migration to MobileFirst Server V7.0
In versions earlier than MobileFirst Platform Foundation V7.0, there was an option to control application authenticity from the MobileFirst Operations Console. This option is no longer available starting from V7.0. Existing applications configured with an authenticity realm and a security test in authenticationConfig.xml and a security test and security attributes in the application-descriptor.xml file are checked for authenticity at runtime when migrated to MobileFirst Server V7.0, ignoring any previous authenticity control mode that was specified in an older version of MobileFirst Operations Console.Enabling an application authenticity check (example)
Currently, basic application authenticity is supported only in iOS, Android, Windows Phone Silverlight 8, and Windows 8 Universal environments.
The following example shows the steps for enabling basic application authenticity on iOS, Android, Windows Phone Silverlight 8, and Windows 8 Universal:
- Modify the authenticationConfig.xml file
to add relevant authenticity realms to your security tests:
- If you use <mobileSecurityTest>, you must add the <testAppAuthenticity/> child element to this file.
- If you use <customSecurityTest>, you must add <test realm=wl_authenticityRealm/> child element to the file.
- Modify the application-descriptor.xml file
of your application.Remember: In the application-descriptor.xml file, you must also define a security test. For more information, see Security tests.The procedure is different for iOS, Android, Windows Phone Silverlight 8, and Windows 8 Universal environments.
- For iOS
-
- Specify the bundleId attribute of your application
exactly as you defined it in the Apple Developer portal:
For example:
<iphone bundleId="com.worklight.MyBankApp" version="1.0"> <worklightSettings include="false"/> <security> <encryptWebResources enabled="false"/> <testWebResourcesChecksum enabled="false" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/> </security> </iphone>
- Add the applicationId attribute to the iPhone
or iPad element in the application-descriptor.xml file.
The applicationId value must match the value
of the application id property, which you can
find in the worklight.plist file. For example:
<iphone bundleId="com.worklight.MyBankApp" applicationId="MyBankApp" version="1.0">
Note: If you decide to change the value of the application ID, ensure that you change it both in the application-descriptor.xml file and in the worklight.plist file. - In addition, for a native iOS app, in your XCode project, under , add the -ObjC flag.
- Specify the bundleId attribute of your application
exactly as you defined it in the Apple Developer portal:
- For Android
-
- Extract the public signing key of the certificate that is used
to sign the application bundle (.apk file). MobileFirst Studio provides tools to simplify this process.
- If you are building your application for distribution (production), you must extract the public key from the certificate that you are using to sign your production-ready application.
- If you are building your application in a development environment, you can use the public key from a default development certificate that is supplied by Android. You can find the development certificate in a keystore under {user-home}/.android/debug.keystore.
You can either extract the public key manually or use a wizard that is provided by MobileFirst Studio. If you use the wizard, proceed as follows:- Right-click your Android environment and select Extract public signing key.
- Specify the location and password of the keystore file and click Load Keystore. The default password for debug.keystore is android.
- Select key alias and click Next.
The public key is displayed on a window:
When you click Finish, the public key is automatically pasted into the relevant section of application-descriptor.xml.
- Add the application package name to the application-descriptor.xml file
in either of the following ways:
- In the Application Descriptor editor (accessible from the design view), in the Application package name field, add the value of the package attribute of the <manifest> element in the AndroidManifest.xml file.
- Use your preferred text editor to edit the application-descriptor.xml file
directly. For example:
<android securityTest="customTests" version="1.0"> <worklightSettings include="false"/> <security> <encryptWebResources enabled="false"/> <testWebResourcesChecksum enabled="false" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/> <publicSigningKey>my-very-long-public-key</publicSigningKey> <packageName>com.myPackageName</packageName> </security> </android>
Note: If you decide to change the application package name, ensure that you change it both in the application-descriptor.xml file and in the AndroidManifest.xml file.
- Extract the public signing key of the certificate that is used
to sign the application bundle (.apk file).
- For Windows Phone Silverlight 8
-
- Add the productId element to the security element that is defined in the application-descriptor.xml file. The productId value is mentioned in Properties/WMAppManifest.xml:
- Add the applicationId element to the security element
that is defined in the application-descriptor.xml file.
The applicationId value must match the value
of the wlAppId property, which you can find in
the wlclient.properties file. For example:
For more information about the security element, see The application descriptor.<windowsPhone8 version="1.0"> <uuid>89836575-5405-4fa7-94b2-45f300201a1c</uuid> <security> <productId>fca81480-7b4a-4ed0-b387-078e8fa0c3d5</productId> <applicationId>HelloWorklight</applicationId> </security> </windowsPhone8>
- For Windows 8 Universal
-
- Add the packageName element to the security element that is defined in the application-descriptor.xml file. The packageName value is mentioned in package.appxmanifest file:
- Add the applicationId element to the security element
that is defined in the application-descriptor.xml file.
The applicationId value must match the value
of the wlAppId property, which you can find in
the wlclient.properties file. For example:
For more information about the security element, see The application descriptor.<windows8 version="1.0"> <uuid>89836575-5405-4fa7-94b2-45f300201a1c</uuid> <security> <packageName>462711a3-65f4-4685-b60e-6227ea763713_vr9ykqv283qqw</packageName> <applicationId>HelloWorklight</applicationId> </security> </windows8>
- After you have updated the required elements, rebuild and redeploy your application to MobileFirst Server.