By issuing an HTTP request, an application can access corporate HTTP services (APIs) that MobileFirst Server provides access to. The predefined application-authenticity security check ensures that an application that tries to connect to a MobileFirst Server instance is the authentic one.
To enable application authenticity, you can either follow the on-screen instructions in the MobileFirst Operations Console → [your-application] → Authenticity, or review the information below.
- Application authenticity is available in all supported platforms (iOS, Android, Windows 8.1 Universal, Windows 10 UWP) in both Cordova and native applications.
- Application authenticity does not support Bitcode in iOS. Therefore, before using application authenticity, disable Bitcode in the Xcode project properties.
- Application Authenticity flow
- Enabling Application Authenticity
- Configuring Application Authenticity
Application Authenticity Flow
By default, the application-authenticity security check is run during the application’s runtime registration to MobileFirst Server, which occurs the first time an instance of the application attempts to connect to the server. The authenticity challenge does not occur again.
See Configuring application authenticity to learn how to customize this behavior.
Enabling Application Authenticity
For application authenticity to be enabled in your Cordova or native application, the application binary file must be signed by using the mfp-app-authenticity tool. Eligible binary files are:
ipa for iOS,
apk for Android, and
appx for Windows 8.1 Universal & Windows 10 UWP.
- Download the mfp-app-authenticity tool from the MobileFirst Operations Console → Download Center.
Open a command-line window and run the command:
java -jar path-to-mfp-app-authenticity.jar path-to-binary-file
For example:
java -jar /Users/your-username/Desktop/mfp-app-authenticity.jar /Users/your-username/Desktop/MyBankApp.ipa
This command generates an MyBankApp.authenticity_data, next to the
- Open the MobileFirst Operations Console in your favorite browser.
- Select your application from the navigation sidebar and click on the Authenticity menu item.
- Click on Upload Authenticity File to upload the .authenticity_data file.
Once the .authenticity_data file is uploaded, application authenticity is enabled.
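The generation step above can be wrapped in a build script so that an ineligible binary or a missing output file fails the build before anything is uploaded. This is an added example, not part of the MobileFirst tooling; the function names are hypothetical, the output path follows the MyBankApp example above, and the check that the data file is not older than the binary is an added assumption.

```shell
#!/bin/sh
# Added example: build-step wrapper around the mfp-app-authenticity tool.
# Assumption: the tool writes <name>.authenticity_data next to the binary,
# as in the MyBankApp example on this page.

# Succeeds only for the binary types the page lists as eligible.
is_eligible_binary() {
    case "$1" in
        *.ipa|*.apk|*.appx) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the expected path of the generated file for a given binary.
authenticity_data_path() {
    printf '%s.authenticity_data\n' "${1%.*}"
}

# Returns 0 if the data file exists, is non-empty and is not older than
# the binary; 1 if it is missing or empty; 2 if the binary is newer.
check_authenticity_data() {
    data=$(authenticity_data_path "$1")
    [ -s "$data" ] || { echo "missing or empty: $data" >&2; return 1; }
    if [ "$1" -nt "$data" ]; then
        echo "stale: $1 was rebuilt after $data was generated" >&2
        return 2
    fi
    return 0
}

# $1 = path to mfp-app-authenticity.jar, $2 = path to the binary file.
# Prints the path of the file to upload in the console on success.
generate_authenticity_data() {
    is_eligible_binary "$2" || { echo "not an ipa/apk/appx: $2" >&2; return 1; }
    [ -f "$1" ] && [ -f "$2" ] || { echo "jar or binary not found" >&2; return 1; }
    java -jar "$1" "$2" || return 1
    check_authenticity_data "$2" && authenticity_data_path "$2"
}

# Run only when invoked as: script.sh <tool-jar> <binary>
if [ "$#" -eq 2 ]; then
    generate_authenticity_data "$1" "$2"
fi
```

Running `check_authenticity_data` on its own before a release upload catches the case where the binary was rebuilt but the data file was not regenerated.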
Disabling Application Authenticity
To disable application authenticity, click the Delete Authenticity File button.
Configuring Application Authenticity
By default, Application Authenticity is checked only during client registration. Just like any other security check, you can decide to protect your application or resources with the appAuthenticity security check from the console, following the instructions under Protecting resources.
You can configure the predefined application-authenticity security check with the following property:
expirationSec: Defaults to 3600 seconds / 1 hour. Defines the duration until the authenticity token expires.
After an authenticity check has completed, it does not occur again until the token has expired based on the set value.
To configure the
Load the MobileFirst Operations Console, navigate to [your application] → Security → Security-Check Configurations, and click on New.
Search for the
Set a new value in seconds.