MobileFirst application authenticity overview

An overview of application authenticity features and procedures within IBM MobileFirst™ Platform Foundation

IBM MobileFirst Platform Foundation framework provides a number of security mechanisms. One of them is a security test for application authenticity. Most IBM MobileFirst Platform Foundation security mechanisms are based on the same concept: obtaining identity through challenge handling. Just as the user authentication realm is used to obtain and validate the identity of a user, an application authenticity realm is used to obtain and validate the identity of an application. Therefore, this process is referred to as application authenticity.

Any entity can access HTTP services (APIs) that are available from MobileFirst Server by issuing an HTTP request. Therefore, it is suggested that you protect relevant services with a number of security tests. Application authenticity makes sure that any application that tries to connect to MobileFirst Server is authentic and was not tampered with or modified by some attacker.

Starting with IBM MobileFirst Platform Foundation V7.0, you can enable one of three levels of authentication for your app: none, basic, and extended. For more information about enabling extended app authentication, see Configuring extended app authenticity checking. Extended application-authenticity validation is not supported for iOS apps that are installed from the Apple app store. See the Extended application authenticity for iOS known limitation.

Note: This authenticity feature is not available if you use the internal MobileFirst Development Server that is embedded in MobileFirst Studio. For more information, see Installing MobileFirst Studio.

Authenticity process

Application authenticity checks use the same transport protocol as other authentication framework realms:
  1. The application makes an initial request to MobileFirst Server.
  2. MobileFirst Server goes through the authentication configuration and finds that this application must be protected by an application authenticity realm.
  3. MobileFirst Server generates a challenge token and returns it to application.
  4. The application receives the challenge token.
  5. The application processes the challenge token and generates a challenge response.
  6. The application submits the challenge response to MobileFirst Server.
  7. If the challenge response is valid, MobileFirst Server serves the application with the required data.
  8. If the challenge response is invalid, MobileFirst Server refuses to serve the application.

Authenticity considerations during migration to MobileFirst Server V7.0

In versions earlier than MobileFirst Platform Foundation V7.0, there was an option to control application authenticity from the MobileFirst Operations Console. This option is no longer available starting from V7.0. Existing applications configured with an authenticity realm and a security test in authenticationConfig.xml and a security test and security attributes in the application-descriptor.xml file are checked for authenticity at runtime when migrated to MobileFirst Server V7.0, ignoring any previous authenticity control mode that was specified in an older version of MobileFirst Operations Console.

Enabling an application authenticity check (example)

Currently, basic application authenticity is supported only in iOS, Android, Windows Phone Silverlight 8, and Windows 8 Universal environments.

The following example shows the steps for enabling basic application authenticity on iOS, Android, Windows Phone Silverlight 8, and Windows 8 Universal:

  1. Modify the authenticationConfig.xml file to add relevant authenticity realms to your security tests:
    • If you use <mobileSecurityTest>, you must add the <testAppAuthenticity/> child element to this file.
    • If you use <customSecurityTest>, you must add <test realm=wl_authenticityRealm/> child element to the file.
    After you have updated your authenticationConfig.xml file, rebuild, and redeploy the .war file.
  2. Modify the application-descriptor.xml file of your application.
    Remember: In the application-descriptor.xml file, you must also define a security test. For more information, see Security tests.
    The procedure is different for iOS, Android, Windows Phone Silverlight 8, and Windows 8 Universal environments.
    For iOS
    1. Specify the bundleId attribute of your application exactly as you defined it in the Apple Developer portal:
      Specifying the bundleID for an iOS application authenticity check

      For example:

      <iphone bundleId="com.worklight.MyBankApp" version="1.0">
    <worklightSettings include="false"/>
    <security>
        <encryptWebResources enabled="false"/>
        <testWebResourcesChecksum enabled="false" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
    </security>
</iphone>
    2. Add the applicationId attribute to the iPhone or iPad element in the application-descriptor.xml file. The applicationId value must match the value of the application id property, which you can find in the worklight.plist file. For example: 
      <iphone bundleId="com.worklight.MyBankApp" applicationId="MyBankApp" version="1.0">
      Note: If you decide to change the value of the application ID, ensure that you change it both in the application-descriptor.xml file and in the worklight.plist file.
    3. In addition, for a native iOS app, in your XCode project, under Build Settings > Linking > Other Linker Flags, add the -ObjC flag.
    For Android
    1. Extract the public signing key of the certificate that is used to sign the application bundle (.apk file).
      MobileFirst Studio provides tools to simplify this process.
      • If you are building your application for distribution (production), you must extract the public key from the certificate that you are using to sign your production-ready application.
      • If you are building your application in a development environment, you can use the public key from a default development certificate that is supplied by Android. You can find the development certificate in a keystore under {user-home}/.android/debug.keystore.
      You can either extract the public key manually or use a wizard that is provided by MobileFirst Studio. If you use the wizard, proceed as follows:
      1. Right-click your Android environment and select Extract public signing key.
      2. Specify the location and password of the keystore file and click Load Keystore. The default password for debug.keystore is android.
      3. Select key alias and click Next.
      Extracting the public key for an Android application authenticity, step 1

      The public key is displayed on a window:

      Extracting the public key for an Android application authenticity, step 1

      When you click Finish, the public key is automatically pasted into the relevant section of application-descriptor.xml.

    2. Add the application package name to the application-descriptor.xml file in either of the following ways:
      • In the Application Descriptor editor (accessible from the design view), in the Application package name field, add the value of the package attribute of the <manifest> element in the AndroidManifest.xml file.
        Adding the package name in the Application Descriptor editor
      • Use your preferred text editor to edit the application-descriptor.xml file directly. For example: 
        <android securityTest="customTests" version="1.0">
    <worklightSettings include="false"/>
    <security>
        <encryptWebResources enabled="false"/>            
        <testWebResourcesChecksum enabled="false" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
        <publicSigningKey>my-very-long-public-key</publicSigningKey>
        <packageName>com.myPackageName</packageName>
    </security>
</android>
      Note: If you decide to change the application package name, ensure that you change it both in the application-descriptor.xml file and in the AndroidManifest.xml file.
    For Windows Phone Silverlight 8
    1. Add the productId element to the security element that is defined in the application-descriptor.xml file. The productId value is mentioned in Properties/WMAppManifest.xml:
      Windows Phone application manifest file
    2. Add the applicationId element to the security element that is defined in the application-descriptor.xml file. The applicationId value must match the value of the wlAppId property, which you can find in the wlclient.properties file. For example: 
      <windowsPhone8 version="1.0">
  <uuid>89836575-5405-4fa7-94b2-45f300201a1c</uuid>
  <security>
    <productId>fca81480-7b4a-4ed0-b387-078e8fa0c3d5</productId>
    <applicationId>HelloWorklight</applicationId>
  </security>
</windowsPhone8>
      For more information about the security element, see The application descriptor.
    For Windows 8 Universal
    1. Add the packageName element to the security element that is defined in the application-descriptor.xml file. The packageName value is mentioned in package.appxmanifest file:
      Windows 8 Universal package manifest file
    2. Add the applicationId element to the security element that is defined in the application-descriptor.xml file. The applicationId value must match the value of the wlAppId property, which you can find in the wlclient.properties file. For example: 
      <windows8 version="1.0">
  <uuid>89836575-5405-4fa7-94b2-45f300201a1c</uuid>
  <security>
    <packageName>462711a3-65f4-4685-b60e-6227ea763713_vr9ykqv283qqw</packageName>
    <applicationId>HelloWorklight</applicationId>    
  </security>
</windows8>
      For more information about the security element, see The application descriptor.
  3. After you have updated the required elements, rebuild and redeploy your application to MobileFirst Server.
Parent topic: Classic security model