During App Authenticity testing in MobileFirst 8.0, I found a strange behavior in switching between enable and disable of App Authenticity setting on Console, using an (Android) app's debug package and release package:
1. Followed the instructions for signing the app (release package) with the mfp-app-authenticity-tool.jar tool, registered the .authenticity_data file via the Console, and set the Security-Check Configurations of the app to use the appAuthenticity setting with an Expiration Period value.
2. (For initial connection) After installing the release version of the app on a device, the app successfully connects to MFF Server and calls an adapter.
3. (After removing the release version of the app from the same device) Installed the debug version of the app on the device, and the app fails to connect to MFF Server, as expected.
4. Disabled App Authenticity by deleting the Authenticity File on the Console; the debug version of the app on the device successfully connects to MFF Server and calls an adapter.
5. "Re-enabled" App Authenticity with the same instructions as the first step, but the debug version of the app can still connect to MFF Server and call an adapter. I understand that there are Maximum Token-Expiration Period and Expiration Period settings, but I set both values to 60 seconds just for testing. (Reinstalling the debug version of the app and testing the action without changing anything on the Server gives the expected behavior, i.e. not able to connect.)
I'm wondering if this is the normal behavior of enabling / disabling the App Authenticity setting in real time on the Console, and if the feature is designed for just one set of actions of Enable -> Disable only.
Any thoughts?
Thanks!
By default, App Authenticity is only being checked during the client registration process. Which means that the next time you connect to the server, it will not be checked.
In order to run App Authenticity on every token request, add appAuthenticity to the Mandatory scope section on your application in the console. Then set the expirationSec to 60 seconds for example.
The tutorial was adjusted to clarify this: https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/8.0/authentication-and-security/application-authenticity/#configuring-application-authenticity
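The difference between the default behaviour and the mandatory-scope setting described in this answer, replayed against the question's debug-build sequence (an added example, not part of the original posts and not MobileFirst code). The `Server` class is a simplified model; the client dict, the `build` field standing in for the real authenticity check, and the timings are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Server:
    """Simplified model of the behaviour described above; not MobileFirst code."""
    authenticity_enabled: bool = True   # authenticity file registered on the console
    mandatory_scope: bool = False       # appAuthenticity added to the mandatory scope
    expiration_sec: int = 60            # expirationSec of the security check
    registered: set = field(default_factory=set)
    passed_at: dict = field(default_factory=dict)  # client id -> time of last pass

    def _check(self, client, now):
        # Assumption: the "build" field stands in for the real authenticity check.
        if self.authenticity_enabled and client["build"] != "release":
            return False
        self.passed_at[client["id"]] = now
        return True

    def token_request(self, client, now):
        cid = client["id"]
        if cid not in self.registered:
            # Default behaviour: the check runs during client registration only.
            if not self._check(client, now):
                return False
            self.registered.add(cid)
            return True
        if self.mandatory_scope and now - self.passed_at[cid] >= self.expiration_sec:
            # Mandatory scope: re-check once the previous result has expired.
            return self._check(client, now)
        return True

def replay(mandatory_scope):
    """Replay the debug-build part of the question; times are in seconds."""
    srv = Server(mandatory_scope=mandatory_scope)
    debug = {"id": "device-1-debug", "build": "debug"}  # constructed sample client
    results = [srv.token_request(debug, now=0)]         # enabled: registration refused
    srv.authenticity_enabled = False                    # authenticity file deleted
    results.append(srv.token_request(debug, now=10))    # registers while disabled
    srv.authenticity_enabled = True                     # authenticity "re-enabled"
    results.append(srv.token_request(debug, now=100))   # 90 s later, past expiration
    return results
```

With the default settings the last request still succeeds because the client registered while the check was off; with the check in the mandatory scope it is refused once the 60-second result expires.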
I have a question regarding native app version management and direct update on MobileFirst 8.0.
We may publish native app updates every couple of weeks. We want to avoid creating a new app version on the MobileFirst console (1.0, 1.1, etc.) unless the update is significant enough for us to force users to update (disabling the older version on the MFP console). To achieve that, we have been updating android-versionCode and ios-CFBundleVersion in config.xml while keeping "version" the same. All works fine for previous versions of MFP (6~7). Direct update works as expected.
However, for MFP 8.0 we noticed that the following scenario behaves abnormally.
1. Package app v1.0 with web_resource v1.0. Submit to app store.
2. Build web_resource v1.1, upload to MFP console.
   --- Download app from app store, direct update triggers without a problem.
3. Package app v1.2 with web_resource v1.2. Submit to app store. (Note app "version" doesn't change, no new app created on MFP console)
   --- new app goes on app store, user receives update notification and decides to ignore it.
4. Build web_resource v1.3, upload to MFP console.
5. User decides to open app and receive direct update for web_resource v1.3.
6. User finally decides to update app through app store.
   --- After updating the app, the app runs web_resource v1.2 instead of v1.3. And no direct update triggered. This is not what we expected...
I understand this app version management may not be officially supported but there is an obvious reason we are doing it this way, that is to keep the MFP console app versions from going out of control.
The question becomes: why didn't the app run web_resource v1.3 after step 6? The app storage is never cleared as far as I can tell, so web_resource v1.3 should still exist. Even if web_resource v1.3 is invalidated after the app update, the app should still start, ping the MFP server with web_resource v1.2 and trigger a direct update to download web_resource v1.3.
Is there some underlying mechanism that's causing this? I suspect there is another "timestamp/last updated time" stored somewhere that's causing this. I hope this can work as it was in MFP 6~7.
I'm previewing the MobileFirst app (Cordova) on both browser and iOS Emulator but there doesn't seem to be any response when I call WLAuthorizationManager.obtainAccessToken().
I've tried to allow cross origin request but still face the same issue. Does anyone have any suggestions for what I should look at?
I had a similar issue on the iOS emulator. I even used Wireshark to see what was happening and the app never fired the authorisation request.
In the end I found that if you're running Xcode 8.x, you have to enable keychain sharing by selecting the project -> Capabilities -> Keychain Sharing, and setting it to On.
After that I had to register the app again and all worked fine.
Make sure when you register or push the app and you're prompted for the version number, that you enter x.x.x instead of x.x - otherwise the server will not recognise the app.
Another thing to double-check is the mfp:server runtime and url values in the config.xml file; if your PC's IP address has changed, the url value could be incorrect.
I have changed the status of my app to Active notifying in the MobileFirst console, and I have tried to send a custom notification message to the app, but the application on the device is not receiving the message sent from the MobileFirst console.
In the app, we are using WL.Client.connect, and we are using adapters as well. Any suggestions?
Where can we check whether this feature is disabled in worklight?
Any mobilefirst trace that we can enable to identify the issue?
Kindly suggest.
You cannot disable the feature, it's either used (by setting the app version to Remote Notify) or not used.
The message appears only once during the application lifecycle (unless you send a different message), so make sure you didn't miss it.
Additionally, make sure that in case you have multiple versions of your app, that you are looking at the correct app version that you've sent the message to.
mfp -v 7.1.0.00.20160401-2108
wladm -version 7.1.0.00.20160323-1606
WL.Device.getId sometimes returns a different ID on the same device after app reinstallation or an update from the Store.
It happens both on Android and iPhone.
It happens only when app is reinstalled (updated), or switched from debug to release.
When installed the ID is persistent.
We use LDAP server where DeviceID is login value. So when ID changes I see the completely new login value from same device.
What could be the reason for this behavior?
Background information:
The device ID generated by the MobileFirst SDK is stored in a KeyStore file on Android and in a keychain file on iOS. Neither of these is 100% guaranteed to keep the original stored values in cases such as application uninstallation/reinstallation/upgrade, the end user changing the device security settings, or a factory reset.
For these reasons it is not a recommended pattern to use the WL.Device.getId value as the principal login value.
The recommended pattern is to use a unique user identity such as an email address or username. Please note that a future version of MFP may discontinue support for the WL.Device.getId API method.
When looking at the contents of Version 6.1.0 Fix Pack 1, it doesn't appear to list PI06519 as one of its constituents, yet when applying the fix pack in a bid to address the slow start up issue, it appears to fix the problem.
Is this supposed to be the definitive list of the contents of the fix pack and is simply an oversight, or should I be looking somewhere else for the full contents of it?
There is some problem with listing this APAR in the list of fixes which has yet to be resolved.
Here is a copy of the fixed APARs in Worklight 6.1.0.1:
Changes since: 6.1.0.0
Fixes (APARs):
PI12596 A HYBRID APPLICATION MAY FORCE CLOSE OR FAIL TO CAPTURE DATA WHEN RETURNING FROM THE CAMERA VIEW.
PI12471 RICH PAGE EDITOR'S PERFORMANCE SUFFERS WHILE TYPING.
PI12337 WHITE LINE AT THE BOTTOM IN IOS 7.1
PI11962 SECURITY ISSUE WITH WORKLIGHT CONSOLE
PI11561 STUCK IN A DIALOG ENDLESS LOOP IN ECLIPSE WORKLIGHT PREFERENCES
PI11502 EVENT LISTENERS ATTACHED WHEN CONNECT() IS INVOKED BUT NEVER UNBOUND.
PI11350 IN THE WL STUDIO WITH BUILT-IN SERVER, THE FEATURE OPEN WORKLIGHT CONSOLE DOES NOT START THE SERVER AUTOMATICALLY.
PI11168 WORKIGHT PAGE DOES NOT RESPOND TO CHANGING RICH PAGE EDITOR DEVICE ORIENTATION TO PORTRAIT
PI10959 JSONSTORE FAILS TO REMOVE ALL DOCS IN THE DOC ARRAY WHEN A DOC ARRAY IS PASSED
PI10818 FAILURE WHEN DEPLOYING WORKLIGHT APPLICATION ON WORKLIGHT PUREAPPLICATION PATTERN WHEN SCALING POLICY IS IN EFFECT
PI10775 SERVER CONFIGURATION TOOL DEPLOYMENT CAN NOT PROCEED WHEN USING DB2 DATABASE IF DB2 INSTANCE OWNER ID DOES NOT HAVE SSH ACCESS
PI10398 PROBLEM CUSTOMIZING TIMEOUTS WITH WL.CLIENT.CONNECT API.
PI10149 MOBILE BROWSER SIMULATOR IS BLOCKED IN BROWSER WHEN USING ORACLE JAVA 7 UPDATE 51 WITH "HIGH" SECURITY SETTING
PI10127 NATIVEPAGE FEATURE DOES NOT WORK PROPERLY ON WINDOWS PHONE 8
PI09913 WORKLIGHT UNDER HIGH VOLUMES SHOWS MEMORY INCREASE WHEN REPORTING ENABLED
PI09863 IF REMOVING THE OPTIONAL FIELD "BADGE", AN ERROR IS RECEIVED: "MANDATORY FIELD 'BADGE' NOT FOUND."
PI09770 IOS PUSH NOTIFICATION ERROR AFTER UPGRADING OR APPLYING FIX
PI09711 [WINDOWS 8] - CANNOT OPEN A WL.SIMPLEDIALOG AFTER IT WAS OPENED AND CLOSED
PI09666 ADDING ENVIRONMENT WAITS ON "BUILD PREVIEW PAGES"
PI09569 WHEN BACKEND IS STALE/SLOW UNDER LOAD THEN GOES BACK TO NORMAL SERVER CANNOT RECOVER UNTIL RESTART
PI09530 ADAPTER INVOCATION IS FAILING IN IOS 5 IN WORKLIGHT 6.1 ENVIRONMENT.
PI09432 CALLING ACQUIREPOSITION AFTER STARTACQUISITION HAS BEEN CALLED WITH A GEO POLICY, MAY NOT ACTIVATE TRIGGERS FOR NEW POSITIONS.
PI09373 RARELY, ON NATIVE ANDROID, MULTIPLE SUCCESS CALLBACK EXECUTIONS CAN TAKE PLACE FOR WLDEVICE.ACQUIREGEOPOSITION.
PI09372 IN NATIVE ANDROID, USE OF THE WLGEOACQUISITIONPOLICY MUST BE DONE IN A LOOPER THREAD.
PI09370 WHEN USING GEO DWELL TRIGGERS, WLGEOFAILURECALLBACK INSTANCES MAY BE EXECUTED AFTER WLDEVICE.STOPACQUISITION() IS CALLED.
PI09356 ADAPT APPLICATION CENTER PUBLISH SHORTCUT TO HANDLE XAP FILES
PI09349 WHEN IMPORTING THE IBMAPPCENTER HYBRID PROJECT, AN INCORRECT WARNING SUGGESTS TO INCREASE THE VERSION
PI09326 APPCENTER OTA INSTALLER: TITLE TRUNCATION ON DETAILS VIEW
PI09325 APPCENTER CLIENT TABLET PORTRAIT, BUTTON TRUNCATION ON DETAILS VIEW
PI09324 APPCENTER CLIENT IOS: DATES APPEAR A PHONE NUMBERS
PI09323 APPCENTER OTA CAN START IN TABLET MODE ON A PHONE IN LANDSCAPE ORIENTATION.
PI09321 WORKLIGHT APPCENTER MOBILE CLIENT: AFTER SENDING A REVIEW, THE APP IS MISSING FROM LISTS IF ITS POSITION CHANGED
PI09315 APPLICATION CENTER MOBILE CLIENT ON TABLET: SOME APPLICATIONS MAY NOT BE DISPLAYED IN CATALOG.
PI09233 WORKLIGHT SERVER THROWS EXCEPTION WHEN RE-AUTHENTICATING WITH THE ANTIXSRF REALM
PI09224 WHEN MIGRATING A PROJECT FROM WORKLIGHT 6.0 TO 6.1, AN ERROR OCCURS STATING THAT THE UPGRADE PATH IS NOT SUPPORTED
PI09029 IOS APP LINK FAILS WHEN SETTING IOS DEPLOYMENT TARGET TO 7.0
PI08960 WL RUNTIME LOGS THE FULL CLIENT REQUEST WHEN AN ERROR HAPPENS
PI08819 INCORRECT DATA MAY RETURNED WHEN SUBSCRIBING/UNSUBSCRIBING FOR SMS EVENTS
PI08807 DESIGN PANE FOR JSF PAGES FAILS TO UPDATE
PI08806 INACCURATE JSP VALIDATION
PI08789 FIX WLJQ.JS TO SUPPORT WINDOWS 8 AND WINDOWS PHONE 8
PI08777 "ITMS-SERVICES" PROTOCOL DOES NOT WORK
PI08689 INCORRECT DATA MAY BE RETURNED FROM THE SERVER TO THE APPLICATION
PI08685 IMPROVE PERFORMANCE WHEN USING THE IBM SDK FOR JAVA
PI08632 APP CLIENT CLOSES WHEN CONNECTING TO SERVER WITH ANALYTICS ENABLED.
PI08609 CLUSTER SYNC TASK REPEATEDLY TRIES TO DEPLOY OLD APP FROM THE DB TO A NEW PROJECT
PI08601 WL.SERVER.INVOKEHTTP WITH DELETE METHOD DOESN'T ACCEPT QUERY PARAM
PI08583 BLACK LINE APPEARS AT TOP OF SPLASH SCREEN ON IPAD RUNNING IOS7
PI08580 ECLIPSE CRASHES WHEN OPENING WORKLIGHT APPLICATION FRAMEWORK VIEW.HTML ON WINDOWS
PI08574 FAILURE TO MIGRATE WORKLIGHT PRE-5.0.5.0 APPLICATIONS TO WORKLIGHT 6.1.0.0
PI08511 OLD LTPA TOKEN IS BEING USED WHEN USER LOGIN AGAIN WITHIN A MINUTE OF LOGOUT
PI08189 ERROR WHEN CONNECTING TO SERVER AFTER SETTING APP TO ACTIVE IN THE CONSOLE.
PI08127 SLOW SERVER PERFORMANCE AND REPEATED DATABASE QUERIES WHEN REMOTE DISABLE IS ENABLED
PI07660 MISSING API GETDEFAULTMOBILECONFIGURATION4ANDROID_IOS() IN LOGINCONFIGURATIONSERVICE INTERFACE
PI07549 SHELL COMPONENT CHANGES ARE NOT SHOWN PROPERLY IN BROWSER DURING PREVIEW
PI07263 SCREEN TURNS BLACK ON IPAD DURING DIRECT UPDATE
PI07256 INAPPBROWSER NOT ABLE TO OPEN LOCAL URL LINKS ON ANDROID 4.4
PI06943 DIRECT UPDATE NOTIFICATION WHEN NONE AVAILABLE, THEN FAILS UPON UPDATE ATTEMPT
PI06828 ANT DEPLOMENT TASKS DON'T WORK WHEN CONSOLE IS PROTECTED WITH LTPA AUTHENTICATION
PI06652 DIRECT UPDATE ALLOWS USERS TO KEEP USING OUTDATED VERSIONS.
PI06586 INCORRECT PUSH NOTIFICATION RECEIVED WHEN MULTIPLE WL APPS ON AN ANDROID DEVICE
PI06568 DIFFERENT VERSIONS OF A WORKLIGHT APPLICATION ENVIRONMENT GET WRONG SECURITY TEST IF SECURITY TEST IS CHANGED BETWEEN VERSIONS.
PI05454 WORKLIGHT APPLICATION CENTER ON LIBERTY PROFILE 8.5.5 PRODUCES "LAST-MODIFIED" DATES IN BAD FORMAT.
PI05447 NULLPOINTEREXCEPTION OCCURS WHEN CALLING WL.SERVER.LOGACTIVITY.
Status: Fix Pack
Additional Information: Please see http://www-01.ibm.com/support/docview.wss?uid=swg27028172 for information on installing the fix.