Topic
  • 4 replies
  • Latest Post - 2013-02-08T00:23:40Z by SystemAdmin
SystemAdmin (2327 Posts)

Pinned topic: Testing an App forgery

2013-01-31T08:05:05Z |
I want to know how to prevent a forged (fake) Android app from executing.

I knew WL 5.0 supports mobile device provisioning, so I was trying to verify it. But when I tried, I could not find the feature.
I tried the following:

==================================================================

1. Created a new project (added the Android environment)

2. Added my signing key in <publicSigningKey> using the menu.

3. Build and deploy (Android as well)

4. Made an APK file (it contains my signing key; Android Tools > Export Signed Application Package...)

5. Decompiled the APK from step 4 with apktool.

6. Modified the AndroidManifest.xml file: added some permissions to the modified app.

7. Repackaged the result of step 6.

8. Fake-signed it with the motizen tool (a utility for fake signing)

9. Uploaded the result of step 8 to my Android phone.

10. Verified the modified app.

==================================================================

I want to know how the auto-provisioning feature works.

Are my steps correct for verifying it? What should I do to verify it?
  • IdanAdar (741 Posts)

    Re: Testing an App forgery

    2013-02-03T09:31:39Z
    Hi,

    Simply adding the signing key to your application-descriptor.xml will not add any safeguards to your application.
    To properly secure your application, in order to prevent or drastically minimize the chance of this, I would use a combination of the following:

    1. Encrypt web resources - this feature will prevent modification of the application's web resources
    2. Authenticity - by using a special key stored on both the client and server, and compared upon the first request the application sends to the Worklight Server, starting the app will fail if the check fails...
    3. Custom provisioning

    Please read the following to know more about the above:
    Custom Provisioning: ftp://public.dhe.ibm.com/software/mobile-solutions/worklight/docs/v505/Module_25_-_Custom_Device_Provisioning.pdf
    Encrypt web resources: the toggle is in application-descriptor.xml
    Authenticity: explained in a previous correspondence: https://www.ibm.com/developerworks/forums/message.jspa?messageID=14931540
    Idan Adar
    QA Engineer
    IBM Worklight Mobile Platform
  • SystemAdmin (2327 Posts)

    Re: Testing an App forgery

    2013-02-04T06:58:52Z
    • In reply to IdanAdar, 2013-02-03T09:31:39Z
    Thanks for your answer.

    Now my concern is the second one (Authenticity).

    I don't know the meaning of "special key". Is it the Android signing key (for example, debug.keystore)?

    If so, what do I do?

    I tried to save the signing key's password and path into worklight.properties.

    But I couldn't succeed.

    Please let me know how to save a special key into the client and server.
  • IdanAdar (741 Posts)

    Re: Testing an App forgery

    2013-02-04T07:14:24Z
    "I don't know the meaning of 'special key'. Is it the Android signing key (for example, debug.keystore)?"
    The Android keystore you provide is part of the validation process. You may provide Android's debug.keystore, and should provide one of your own once moving on to production. For testing purposes you can use the default one provided by Google - debug.keystore.

    "If so, what do I do? I tried to save the signing key's password and path into worklight.properties, but I couldn't succeed. Please let me know how to save a special key into the client and server."
    I'm not quite sure what you mean here... you do not save any username and password in worklight.properties.

    Please follow the steps I have provided in the thread I linked to. I am copying the steps to here as well:
    1. Create a new Worklight project and application
    2. Uncomment the securityTests element in your-project\apps\your-app\server\conf\authenticationConfig.xml

    It should look like this:

    <securityTests>
      <!--
      <customSecurityTest name="WorklightConsole">
        <test realm="WorklightConsole" isInternalUserID="true"/>
      </customSecurityTest>

      <mobileSecurityTest name="mobileTests">
        <testAppAuthenticity/>
        <testDeviceId provisioningType="none" />
        <testUser realm="myMobileLoginForm" />
      </mobileSecurityTest>

      <webSecurityTest name="webTests">
        <testUser realm="myWebLoginForm"/>
      </webSecurityTest>
      -->

      <customSecurityTest name="customTests">
        <test realm="wl_antiXSRFRealm" step="1"/>
        <test realm="wl_authenticityRealm" step="1"/>
        <test realm="wl_remoteDisableRealm" step="1"/>
        <test realm="wl_anonymousUserRealm" isInternalUserID="true" step="1"/>
        <test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="2"/>
      </customSecurityTest>

      <!--
      <customSecurityTest name="SubscribeServlet">
        <test realm="SubscribeServlet" isInternalUserID="true"/>
      </customSecurityTest>
      -->
    </securityTests>



    3. Add the Android environment
    4. Add securityTest='customTests' to the android element in your-project\apps\your-app\application-descriptor.xml
    5. Right-click on the android folder and choose Extract public signing key. Follow the instructions in the wizard.

    For the sake of the example, use Google's provided keystore.
    Google's provided key is located at: C:\Users\your-user\.android\debug.keystore; the password is 'android'.

    6. Build All and Deploy

    ^ This will save the authenticity key in the database

    7. Launch app on device

    The authenticity check should now pass when set to "Enabled, Blocking" (done via Worklight Console).

    Idan Adar
    QA Engineer
    IBM Worklight Mobile Platform
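The check described in the reply above, as an added example that is not part of the original thread and not IBM's Worklight code: a Python simulation of a server-side authenticity realm keyed on the APK's signing fingerprint, run against an original build and against a build tampered the way the original post describes (manifest edited, repackaged, re-signed with a different key). Assumptions, labelled in the code as well: the "APK" is an in-memory zip whose META-INF/CERT.RSA is a constructed placeholder blob rather than a real PKCS#7 signing block; the server-side registry is a dict standing in for the database that "Build All and Deploy" populates; the enforcement modes are "blocking" (the console's "Enabled, Blocking") and "disabled"; and the names AuthenticityRealm, build_apk, signing_fingerprint and repackage_and_resign are illustrative, not Worklight APIs.

```python
import hashlib
import hmac
import io
import zipfile

# Constructed placeholders standing in for the PKCS#7 signing blocks that a
# real APK carries in META-INF/CERT.RSA. (Assumption: opaque bytes, not DER.)
DEVELOPER_SIGNER = b"placeholder: developer signing block (constructed)"
ATTACKER_SIGNER = b"placeholder: attacker signing block (constructed)"


def build_apk(manifest_xml: bytes, web_index: bytes, signer_blob: bytes) -> bytes:
    """Build a minimal APK-shaped zip in memory (constructed sample, not a real APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", manifest_xml)
        z.writestr("assets/www/index.html", web_index)  # the app's web resources
        z.writestr("META-INF/CERT.RSA", signer_blob)
    return buf.getvalue()


def signing_fingerprint(apk_bytes: bytes) -> str:
    """Client-side half of the check: SHA-256 over the APK's signing block."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        blocks = [n for n in z.namelist()
                  if n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))]
        if len(blocks) != 1:
            raise ValueError("expected exactly one signing block, found %r" % blocks)
        return hashlib.sha256(z.read(blocks[0])).hexdigest()


def repackage_and_resign(apk_bytes: bytes, extra_permission: str, signer_blob: bytes) -> bytes:
    """Simulate the forgery from the original post: decompile, add a permission
    to AndroidManifest.xml, rebuild, then sign with a key the attacker controls."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src:
        manifest = src.read("AndroidManifest.xml").decode()
        web_index = src.read("assets/www/index.html")
    manifest = manifest.replace(
        "</manifest>",
        '  <uses-permission android:name="%s"/>\n</manifest>' % extra_permission)
    # The attacker lacks the developer's private key, so the rebuilt APK
    # necessarily carries a different signing block.
    return build_apk(manifest.encode(), web_index, signer_blob)


class AuthenticityRealm:
    """Server side, modelling what wl_authenticityRealm does conceptually: the
    expected fingerprint per app/version is stored at deploy time and compared
    against what the client presents on its first request."""

    def __init__(self, mode: str = "blocking"):
        self.mode = mode      # "blocking" = console "Enabled, Blocking"; or "disabled"
        self._registry = {}   # (app_id, version) -> expected fingerprint (stands in for the DB)

    def register(self, app_id: str, version: str, fingerprint: str) -> None:
        """What 'Build All and Deploy' does conceptually: store the authenticity key."""
        self._registry[(app_id, version)] = fingerprint

    def check(self, app_id: str, version: str, presented: str) -> dict:
        if self.mode == "disabled":
            return {"authenticated": True, "reason": "authenticity check disabled"}
        expected = self._registry.get((app_id, version))
        if expected is None:
            return {"authenticated": False, "reason": "no authenticity key deployed"}
        if hmac.compare_digest(expected, presented):
            return {"authenticated": True, "reason": "signing fingerprint matches"}
        return {"authenticated": False, "reason": "signing fingerprint mismatch"}


def demo() -> dict:
    """Original build passes; the repackaged, re-signed build is rejected."""
    manifest = b'<manifest package="com.example.wlapp">\n</manifest>'
    original = build_apk(manifest, b"<html>Worklight app</html>", DEVELOPER_SIGNER)

    realm = AuthenticityRealm(mode="blocking")
    realm.register("wlapp", "1.0", signing_fingerprint(original))   # the deploy step

    forged = repackage_and_resign(original, "android.permission.READ_SMS", ATTACKER_SIGNER)

    return {
        "original": realm.check("wlapp", "1.0", signing_fingerprint(original)),
        "forged": realm.check("wlapp", "1.0", signing_fingerprint(forged)),
        "unknown_version": realm.check("wlapp", "2.0", signing_fingerprint(original)),
        "forged_when_disabled": AuthenticityRealm(mode="disabled").check(
            "wlapp", "1.0", signing_fingerprint(forged)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-22s %s" % (name, result))
```

In practice the value you pin is the fingerprint of the X.509 signer certificate, which `keytool -printcert -jarfile app.apk` or `apksigner verify --print-certs app.apk` will print for a real APK. Two caveats a tester should keep in mind: because the client computes and transmits the fingerprint, a repackaged client can also be patched to send the expected value, so this check raises the bar rather than giving a cryptographic guarantee, which is why the reply pairs it with encrypted web resources and custom device provisioning; and the comparison has to happen on the server, since a purely client-side comparison is removed by the same apktool repackaging step.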
  • SystemAdmin (2327 Posts)

    Re: Testing an App forgery

    2013-02-08T00:23:40Z
    Note: IBM forums are in the process of migrating to a new format. During migration the forums will be frozen and in read-only mode. If you wish to continue this thread discussion please post it on stackoverflow, where the Worklight team and others can respond.

    See the Forum Migration announce post for more details. Thank you.

    Barbara Hampson, Manager, IBM Worklight