To properly secure your application, enable the predefined MobileFirst application-authenticity security check (
appAuthenticity). When enabled, this check validates the authenticity of the application before providing it with any services. Applications in production environment should have this feature enabled.
To enable application authenticity, you can either follow the on-screen instructions in the MobileFirst Operations Console → [your-application] → Authenticity, or review the information below.
- Application authenticity is available in all supported platforms (iOS, Android, Windows 8.1 Universal, Windows 10 UWP) in both Cordova and native applications.
- Application authenticity does not support Bitcode in iOS. Therefore, before using application authenticity, disable Bitcode in the Xcode project properties.
- Application Authenticity flow
- Enabling Application Authenticity
- Configuring Application Authenticity
- Build Time Secret (BTS)
Application Authenticity Flow
The application-authenticity security check is run during the application’s registration to MobileFirst Server, which occurs the first time an instance of the application attempts to connect to the server. By default the authenticity check does not run again.
See Configuring application authenticity to learn how to customize this behavior.
Enabling Application Authenticity
For application authenticity to be enabled in your application:
- Open the MobileFirst Operations Console in your favorite browser.
- Select your application from the navigation sidebar and click on the Authenticity menu item.
- Toggle the On/Off button in the Status box.
Disabling Application Authenticity
Some changes to the application during development might cause it to fail the authenticity validation. Accordingly, it is recommended to disable application authenticity during the development process. Applications in production environment should have this feature enabled.
To disable application authenticity, toggle back the On/Off button in the Status box.
Configuring Application Authenticity
By default, Application Authenticity is checked only during client registration. However, just like any other security check, you can decide to protect your application or resources with the
appAuthenticity security check from the console, following the instructions under Protecting resources.
You can configure the predefined application-authenticity security check with the following property:
expirationSec: Defaults to 3600 seconds / 1 hour. Defines the duration until the authenticity token expires.
After an authenticity check has completed, it does not occur again until the token has expired based on the set value.
To configure the
Load the MobileFirst Operations Console, navigate to [your application] → Security → Security-Check Configurations, and click on New.
Search for the
Set a new value in seconds.
Build Time Secret (BTS)
The Build Time Secret (BTS) is an optional tool to enhance authenticity validation, for iOS applications only. The tool injects the application with a secret determined at build time, which is later used in the authenticity validation process.
The BTS tool can be downloaded from the MobileFirst Operations Console → Download Center.
To use the BTS tool in Xcode:
- Under the Build Phases tab click the + button and create new Run Script Phase.
- Copy the path of BTS Tool and paste in the new “Run Script Phase” you have created.
- Drag the run script phase above the Compile sources phase.
The tool should be used when building a production version of the application.
The application authenticity algorithm uses application data and metadata in its validation. The first device to connect to the server after enabling application authenticity provides a “fingerprint” of the application, containing some of this data.
It is possible to reset this fingerprint, providing the algorithm with new data. This could be useful during development (for example after changing the application in Xcode). To reset the fingerprint, use the reset command from the mfpadm CLI.
After resetting the fingerprint, the appAuthenticity security check continues to work as before (this will be transparent to the user).
By default, when application authenticity is enabled it uses the dynamic validation algorithm. The dynamic application authenticity validation uses mobile platform specific features to determine the authenticity of the application. Accordingly it might be affected if non backward compatible changes are introduced to the mobile operating system, which could result in preventing authentic applications from connecting to the server.
To mitigate such potential issues, the static validation algorithm is available. This validation type is less sensitive to OS specific changes.
To switch between validation types, use the mfpadm CLI:
mfpadm --url= --user= --passwordfile= --secure=false app version [RUNTIME] [APPNAME] [ENVIRONMENT] [VERSION] set authenticity-validation TYPE
TYPE can either be
Support for SDK versions 220.127.116.11-MFPF-IF201701250919 or earlier
The dynamic and static validation types are only supported by client SDKs released in February 2017 or later. For SDK versions 18.104.22.168-MFPF-IF201701250919 or earlier, use the legacy application authenticity tool:
The application binary file must be signed by using the mfp-app-authenticity tool. Eligible binary files are:
ipa for iOS,
apk for Android, and
appx for Windows 8.1 Universal & Windows 10 UWP.
- Download the mfp-app-authenticity tool from the MobileFirst Operations Console → Download Center.
Open a Command-line window and run the command:
java -jar path-to-mfp-app-authenticity.jar path-to-binary-file
java -jar /Users/your-username/Desktop/mfp-app-authenticity.jar /Users/your-username/Desktop/MyBankApp.ipa
This command generates an
MyBankApp.authenticity_data, next to the
- Upload the
.authenticity_datafile using the mfpadm CLI:
app version [RUNTIME-NAME] APP-NAME ENVIRONMENT VERSION set authenticity-data FILE