Enabling the application-authenticity security check

Enable the predefined MobileFirst application-authenticity security check to protect against attempts by fake or tampered applications to access your resources (APIs).

About this task

You enable the application-authenticity security check by creating an application-authenticity file, and deploying the file to MobileFirst Server. You can select whether to separate the file creation and deployment steps, or consolidate them into one step:

One-step authenticity-file generation and deployment with mfpadm
Two-step authenticity-file generation and deployment

Procedure

One-step authenticity-file generation and deployment with mfpadm
Run the app version set authenticity-data command of the mfpadm command line program, or the <app-version> <set-authenticity-data> command through an mfpadm Ant task. Set the command's file argument or attribute to the location of your application binary file. This command will generate an application-authenticity file for your application, and store the file on the server.
Two-step authenticity-file generation and deployment
1. Get the MobileFirst application-authenticity Java™ tool, mfp-app-authenticity-tool.jar, by using either of the following alternative methods:
  - Download the tool from IBM MobileFirst™ Platform Operations Console (the console): from the console Dashboard, select Download Center, and then select the Tools tab. Under Applicaiton-Authenticity Tool, select Download and save the file to your preferred location.
  - Copy the tool from the <product_install_dir>/MobileFirstServer/external-server-libraries/ directory (where <product_install_dir> is the directory in which you installed IBM MobileFirst Platform Foundation).
2. Generate a unique application-authenticity file: from the command line, run the application-authenticity tool with one of the following command variations:
  - ```
  java -jar <path to mfp-app-authenticity-tool.jar> <app_binary> [<authenticity_file>]
```
- ```
java -jar <path to mfp-app-authenticity-tool.jar>
```
    When no parameters are provided, the application-authenticity tool runs in an interactive mode. You are then prompted to enter the path to your application binary file (app_binary), and optionally also the path to your target application-authenticity file (authenticity_file).
    mfp-app-authenticity-tool parameters
    app_binary
    
    Mandatory path to your application binary file.
    For Android, refer to your .apk application file. This file must be signed. For more information about signing Android applications, see the Android documentation: Signing Your Applications.
    Note that the Google Play multiple APK feature cannot be used together with the MobileFirst application-authenticity validation. For information about multiple APK, see the Android documentation: Multiple APK Support.
    
    For iOS, refer to your .ipa application file. If your application must support both 32-bit and 64-bit execution, provide a single .ipa file that includes both 32-bit and 64-bit code.
    Note that bitcode-enabled applications cannot be used together with the MobileFirst application-authenticity validation. See Working with bitcode in iOS apps.
    
    For Windows 10 Universal Windows Platform (UWP) and Windows 8.1 Universal, refer to your .appx application file, or to a .appx file from a bundle.
    
    authenticity_file
    
    Optional path to the generated application-authenticity file. By default, the tool generates an <application-binary base file name>.authenticity_data file in the same directory as the provided application binary file (app_binary).
    Example
    The following command is run from the directory that contains the application-authenticity tool, and does not set the optional authenticity_file parameter. The command generates a my_ios_app.authenticity_data application-authenticity file in the same directory as the input my_ios_app.ipa application binary: /Users/myname/.
```
java -jar mfp-app-authenticity-tool.jar /Users/myname/my_ios_app/my_ios_app.ipa
```
3. Deploy your generated application-authenticity file to MobileFirst Server, by using either MobileFirst Operations Console or mfpadm:
  - In the console,
    1. Select your application version from the Applications section of the console's navigation sidebar, and then select the application Authenticity tab.
    2. Select Upload Authenticity File, browse to your generated application-authenticity file, and upload the file.
  - Run the app version set authenticity-data command of the mfpadm command line program, or run the <app-version> <set-authenticity-data> command through an mfpadm Ant task. Set the command's file argument or attribute to the location of your application-authenticity data file.
  When your application-authenticity file is successfully deployed to the server, a relevant message is displayed in the console.

Results

When your application-authenticity file is deployed to the server, the Status value in the application Authenticity console tab is set to "Enabled", indicating that the security check is enabled for your application.

You can retrieve a copy of the application-authenticity file that is deployed for your application on the server, by running the app version get authenticity-data command of the mfpadm command line program, or the <app-version> <get-authenticity-data> command through an mfpadm Ant task.

You can disable the application-authenticity security check at any time, by using one of the following methods:

In the application Authenticity console tab, select Delete Authenticity File.
Run the app version delete authenticity-data command of the mfpadm command line program, or the <app-version> <delete-authenticity-data> command through an mfpadm Ant task.