Worklight Authenticity - ibm-mobilefirst

We are developing a hybrid application on Worklight, and we need to implement the app authenticity.
We are using Worklight Enterprise edition 6.2.0.1 with IBM app centre.
However, We are seeing the following error on the server log when we launch the app on Android (iOs the same too, but will provide Android log).
[1/19/15 15:25:05:388 EST] 00000254 WLNewAuthenti E com.worklight.core.auth.ext.appauth.WLNewAuthenticityScheme isInvalidAndroidParams FWLSE0260E: Missing or empty packageName for android authenticity check, cannot test authenticity. If App Authentication is not set to 'Disabled' or 'Enabled, servicing' in Worklight Console the request will fail. [project MobileApp]
[1/19/15 15:25:05:388 EST] 00000254 WLNewAuthenti E com.worklight.core.auth.ext.appauth.WLNewAuthenticityScheme isInvalidAndroidParams FWLSE0260E: Missing or empty publicsigningkey for android authenticity check, cannot test authenticity. If App Authentication is not set to 'Disabled' or 'Enabled, servicing' in Worklight Console the request will fail. [project MobileBanking].
The security test on authenticationConfig.xml is :
<securityTests>
<mobileSecurityTest name="MobileAppTestMobile">
<testAppAuthenticity/>
<testDeviceId provisioningType="auto" />
<testUser realm="MobileAppRealm" />
<testDirectUpdate mode="perSession" />
</mobileSecurityTest>
<webSecurityTest name="MobileAppTest">
<testUser realm="MobileAppRealm" />
</webSecurityTest>
<customSecurityTest name="SubscribeServlet">
<test realm="SubscribeServlet" isInternalUserID="true"/>
</customSecurityTest>
</securityTests>
The application-descriptor.xml:
<iphone bundleId="ca.company.MobileApp" securityTest="MobileAppTestMobile" version="1.0">
<worklightSettings include="false"/>
<security>
<encryptWebResources enabled="true"/>
<testWebResourcesChecksum enabled="true" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
</security>
</iphone>
<android securityTest="MobileAppTestMobile" version="1.0">
<worklightSettings include="false"/>
<security>
<encryptWebResources enabled="true"/>
<testWebResourcesChecksum enabled="true" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
<publicSigningKey>"We have added our public signing key here by extracting it from our keystore file"</publicSigningKey>
</security>
</android>
We have deployed all the app from scratch after updating the WAR file.
The worklight console shows the three values for the authenticity "Disable - Enabled, servicing - Enabled , Blocking"
When we put "Enabled, Blocking" or "Enabled , servicing" we are getting the error log on the server that shared at the top of the post.
On the app screen we are getting an error " an error was encountered while processing the request from the application".
Please advise.
Thank you

The problem has been fixed.
Solution:
1- we changed the MobileSecurityTest in authenticationConfig.xml to be customSecurityTest as the following, AND redeployed the WAR file:
<customSecurityTest name="MobileSecurityTest">
<test realm="wl_antiXSRFRealm" step="1"/>
<test realm="wl_authenticityRealm" step="1"/>
<test realm="wl_remoteDisableRealm" step="1"/>
<test realm="wl_directUpdateRealm" mode="perSession" step="1"/>
<test realm="wl_anonymousUserRealm" isInternalUserID="true" step="1"/>
<test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="2"/>
</customSecurityTest>
2- In application-descriptor.xml:
For android, I used what Idan said about adding the <packageName> property.
<android securityTest="MobileSecurityTest" version="1.0">
<worklightSettings include="false"/>
<security>
<encryptWebResources enabled="true"/>
<testWebResourcesChecksum enabled="true" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
<publicSigningKey>"Our public signing Key placed here"</publicSigningKey>
<packageName>ca.company.MobileTest</packageName>
</security>
</android>
For iOS, the issue was in the applicationId, we thought the applicationId value is the last section of the bundleId,
for example: if the bundleId is "com.company.Myapp" that's mean the applicaiotnId is "Myapp", which is not true.
This is incorrect definition:
<iphone bundleId="ca.company.MobileTestiPhone" applicationId="MobileTestiPhone" securityTest="MobileSecurityTest" version="1.0" >
The applicationId is the value inside the worklight.plist file, which is located inside the iPhone or iPad native folder and this file is generated after doing the build.
AND for our appliction it has a totally different value.
The correct one was:
<iphone bundleId="ca.company.MobileTestiPhone" applicationId="MobileTest" securityTest="MobileSecurityTest" version="1.0" >
That's why the app was being blocked from our WL server when we put the App authenticity value to "Enable,Blocking".
Thank you #Idan for your help.

Per the error message, you are missing the Android Package Name (in application-descriptor.xml).
This is the Authenticity tutorial for Hybrid apps for v6.3, but it's the same for 6.2. From the Android instructions:
Take the Application package name value from the package attribute of
the manifest node in the AndroidManifest.xml. If you decide to change
the value to another, verify that you change it in both locations.You
can also directly edit application-descriptor.xml and add a
packageName:
<android version="1.0">
<worklightSettings include="false"/>
<security>
<encryptWebResources enabled="false"/>
<testWebResourcesChecksum enabled="false" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
<publicSigningKey>MIGff ...</publicSigningKey>
<packageName>com.MyBankApp</packageName>
</security>
</android>

Related

IBM MobileFirst direct update and security tets

I am using the IBM MobileFirst studio plugin 7.0 and following the documentation here:Link to documentation on how to configure a direct update. I’m trying to understand how the pieces work together but I am not able to grasp the concept.
Using the code sample that is provided along with the tutorial, I see that the "mobileSecurityTest" is commented out and the "customSecurityTest" element present is also commented out.
Another thing I noticed is that in that application-descriptor.xml, there is no security test for the added environments?
How will the application know which securityTest to use at the app level app?
Does the securityTest need to be placed on the environment in general and specifically for a direct update?
The direct update wasn't getting triggered when running the sample and following the instructions on the app
Any advice is appreciated.
You specify what security test you want to use in the application-descriptor of you app.
Inside my application descriptor I have an iPhone app with customSecurityTest:
<iphone bundleId="com.PhoneUp" version="1.0" securityTest="customSecurityTests">
<worklightSettings include="false"/>
<security>
<encryptWebResources enabled="false"/>
<testWebResourcesChecksum enabled="false" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
</security>
</iphone>
Inside my authentication config I have:
<customSecurityTest name="customSecurityTests">
<test realm="wl_antiXSRFRealm" step="1"/>
<test realm="wl_authenticityRealm" step="1"/>
<test realm="wl_remoteDisableRealm" step="1"/>
<test realm="wl_directUpdateRealm" mode="perSession" step="1"/>
<test realm="wl_anonymousUserRealm" isInternalUserID="true" step="1"/>
<test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="2"/>
</customSecurityTest>
Now the security test that is protecting my application has a mapping to the security test in my authentication-config (security file on the server)
No a security test does not need to be placed on the application to trigger a direct update.
You may trigger the direct update just by the user trying to "login" to that realm.
WL.Client.login("wl_directUpdateRealm", {onSuccess:..., onFailure:...});
Direct update is a realm you can read more about that here.
The sample project from here does not have the security test commented in or a security test protecting the application. You are going to have to uncomment and add a security test in your appliation descriptor as described in the answer to number one.

MobileFirst Server preparation for uploaded log data - Security

I am using MobileFirst Server MFPF 7.1, IF20151114-1616
WLClientLogReceiver adapter has the following settings. I tried changing the securityTest value to "LogUploadServlet", I still receive the same error below.
<procedure name="log" securityTest="wl_unprotected" audit="true" />
To enable security that protects the loguploader servlet, I followed the instruction given in the IBM document on step one.
Server preparation for uploaded log data - Security
Configuration in my aunthenticationConfig.xml
Under staticResources
<resource id="logUploadServlet" securityTest="LogUploadServlet">
<urlPatterns>/apps/services/loguploader*</urlPatterns>
</resource>
Under securityTests
<customSecurityTest name="LogUploadServlet">
<test realm="wl_anonymousUserRealm" step="1"/>
<test realm="LogUploadServlet" isInternalUserID="true"/>
</customSecurityTest>
Under realms
<realm name="LogUploadServlet" loginModule="StrongDummy">
<className>com.worklight.core.auth.ext.HeaderAuthenticator</className>
</realm>
Deployed the updated WAR file and adapter in server. I am receiving the below error while client send logs to server by calling send() method.
[2/12/16 14:14:28:768 CST] 0000014d LoginContext W com.worklight.core.auth.impl.LoginContext invokeLoginModule FWLSE0239W: Authentication failure in realm 'LogUploadServlet': Please check the credentials [project usbusiness]
[2/12/16 14:14:28:933 CST] 000000d1 LoginContext W com.worklight.core.auth.impl.LoginContext invokeLoginModule FWLSE0239W: Authentication failure in realm 'LogUploadServlet': Please check the credentials [project usbusiness]
[2/12/16 14:14:30:542 CST] 000000de SystemOut
Not sure what i a missing in this.
To not leave a question unanswered, from the comments section:
Issue is with the realm com.worklight.core.auth.ext.HeaderAuthenticator that I set for logUploadServlet. after removing and make the security as isInternalUserID="true" its working fine.

Can't connect to MobileFirst 7.1 server

We were migrating Worklight 6.2 project to MobileFirst 7.1 project.
We just set connectOnStartup to true.
Our MF7.1 iPhone direct update works fine.
But MF7.1 android app cant connect to worklight server.
We got this info from logcat:
Client registration failed with error:
{"responseHeaders":{},"status":403,"responseText":"/-secure-\n{\"reason\":\"App
authenticity security check failed\"}/","responseJSON":{"reason":"App
authenticity security check failed"},"invocationContext":null}
[/apps/services/api/**/android/init] failure. state: 403, response:
undefined
Our authenticationConfig.xml is shown below.
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<tns:loginConfiguration xmlns:tns="http://www.worklight.com/auth/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<staticResources>
<resource id="receiveSMS" securityTest="SubscribeServlet">
<urlPatterns>/receiveSMS*</urlPatterns>
</resource>
</staticResources>
<securityTests>
<customSecurityTest name="SubscribeServlet">
<test realm="wl_directUpdateRealm" step="1"/>
<test isInternalUserID="true" realm="SubscribeServlet"/>
</customSecurityTest>
</securityTests>
<realms>
<realm loginModule="rejectAll" name="SubscribeServlet">
<className>com.worklight.core.auth.ext.HeaderAuthenticator</className>
</realm>
<realm loginModule="StrongDummy" name="SampleAppRealm">
<className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
</realm>
</realms>
<loginModules>
<loginModule expirationInSeconds="-1" name="rejectAll">
<className>com.worklight.core.auth.ext.RejectingLoginModule</className>
</loginModule>
<loginModule expirationInSeconds="-1" name="StrongDummy">
<className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
</loginModule>
<loginModule expirationInSeconds="-1" name="requireLogin">
<className>com.worklight.core.auth.ext.SingleIdentityLoginModule</className>
</loginModule>
</loginModules>
</tns:loginConfiguration>
Our Worklight version is : 7.1.0.00-20151107-1647
As I have mentioned in your other question: do not use connecOnStartup! Change to WL.Client.connect in your code.
The error clearly shows that it is the app authenticity check that is failing. Despite what you are showing in your authenticationConfig.xml file, are you 100% that you are using or not using app authenticity - please confirm
If you are using app authenticity, follow the tutorial and make sure that you are following it correctly. You need to make sure the wlapp file, the war and the .apk are all in sync, otherwise it will fail.
Make sure you are not doing any adapter request before properly connected to the server. Once connected, then you can invoke any calls to the server (via the onSuccess callback of the connect API).

Turning Off Direct Update MobileFirst Platform Foundation 7.1

I have a requirement to turn off direct update for an android app.
I uncomment this line :
<mobileSecurityTest name="mobileTests">
<testAppAuthenticity/>
<testDeviceId provisioningType="none" />
<testUser realm="myMobileLoginForm" />
<testDirectUpdate mode="perSession" />
</mobileSecurityTest>
and change <testDirectUpdate mode="perSession" /> with <testDirectUpdate mode="disabled" /> in authenticationConfig.xml.
Then i add securityTest="mobileTests" on application-descriptor.xml. So it looked like this :
<android version="1.2" securityTest="mobileTests">
...
</android>
The direct update stopped, but then an alert pops up saying :
An error was encountered while processing the requested from the application.
That error happened every time the app tries to access backend server in the adapter.
Anyone has any idea how to resolve this error?
The error is due to the inclusion of the <appAuthenticity> test. You cannot add this test w/out first properly configuring your application to use Application Authenticity Protection.
You can learn more about this here: https://developer.ibm.com/mobilefirstplatform/documentation/getting-started-7-1/foundation/authentication-security/application-authenticity-protection/
If you do not require authenticity, simply remove that line from the security test in authenticationConfig.xml.

Worklight app authenticity is failing for some situations

We are developing WL application using WL enterprise ver (6.2.0.1) fix pack 1.
We have implemented the App authenticity correctly 3 months ago and everything was working (No changes been made on authenticationConfig.xml).
Today, all our applications are failing on App authenticity for both environments (Dev,QA), error on WL server:
[3/10/15 14:13:43:821 EDT] 000000d3 AuthenticityL I
com.worklight.core.auth.ext.appauth.AuthenticityLoginModuleImpl login FWLSE0127E:
Authenticity check failed for application 'APPNAME'. sharedData = ca.company.AppIDiPhone , challengeData = 514738N882129N341449C605766C744589X0355BCA6S214650C169432N928395XEDA8943BS085337C264942N797462X2B0C6AA2S462207X9035E6C7S . [project Name]
[3/10/15 14:13:43:853 EDT] 000000d3 LoginContext W com.worklight.core.auth.impl.LoginContext invokeLoginModule FWLSE0239W: Authentication failure in realm 'wl_authenticityRealm': login fail [project Name]
The error appears on the time of launching the app and it is inconsistent, it happens (1/10)times.
AuthenticationConfig.xml:
<securityTests>
<customSecurityTest name="CompanyTestmobile">
<test realm="wl_antiXSRFRealm" step="1"/>
<test realm="wl_authenticityRealm" step="1"/>
<test realm="wl_remoteDisableRealm" step="1"/>
<test realm="wl_directUpdateRealm" mode="perSession" step="1"/>
<test realm="wl_anonymousUserRealm" isInternalUserID="true" step="1"/>
<test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="2"/>
</customSecurityTest>
<webSecurityTest name="CompanyTest">
<testUser realm="CompanyRealm" />
</webSecurityTest>
<customSecurityTest name="SubscribeServlet">
<test realm="SubscribeServlet" isInternalUserID="true"/>
</customSecurityTest>
</securityTests>
Application-descriptor.xml (For iPhone):
<iphone applicationId="AppID" bundleId="ca.company.AppIDiPhone" securityTest="CompanyTestMobile" version="1.0">
<worklightSettings include="false"/>
<security>
<encryptWebResources enabled="true"/>
<testWebResourcesChecksum enabled="true" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
</security>
</iphone>
All our configuration is matching the WL document.
PS1: according to my understanding that the appAuthenticity will fail always or will not fail at all. why it is failing sometimes and working other times.
PS2: the deployment on our servers are not touchable and can't be modified once we deploy. That's a confirmation that the environment is stable and secured.
Thank you.
From the PMR this appeared to have happened due to a race condition triggered by applicative code calling to adapter requests simultaneously , which led to infrequent failures of the authenticity tests.
The customer adjusted their code to not cause a race condition after which the issue could no longer be reproduced.