For up-to-date product documentation, see the IBM MobileFirst Foundation Developer Center.

What's new in MobileFirst security

The security framework in IBM MobileFirst™ Platform Foundation was entirely redesigned. New security features were introduced, and some modifications were made to existing features.

Security framework overhaul

The MobileFirst security framework was redesigned and reimplemented to improve and simplify security development and administration tasks. The framework is now inherently based on the OAuth model, and the implementation is session-independent. See Overview of the MobileFirst security framework.
On the server side, the multiple building blocks of the framework were replaced with security checks (implemented in adapters), allowing for simplified development with new APIs. Sample implementations and predefined security checks are provided. See Security checks. Security checks can be configured in the adapter descriptor, and customized by making runtime adapter or application configuration changes, without redeploying the adapter or disrupting the flow. This configuration can be done from the redesigned MobileFirst Operations Console security interfaces. We can also edit the configuration files manually, or use the MobileFirst Platform CLI or mfpadm tools. See Security-checks configuration.
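The following is an added example, not code from the IBM documentation, of what a security check implemented in a Java adapter looks like when its limits are declared in the adapter descriptor and left open to runtime change. The class and package names (CredentialsValidationSecurityCheck, CredentialsValidationSecurityCheckConfig, SecurityCheckConfiguration), the helper getStringProperty, getConfiguration and getRemainingAttempts, and the property names maxAttempts and blockedStateExpirationSec are assumed from the MobileFirst 8.0 adapter API; the check name PinCodeAttempts, the package com.example.checks and the pinCode property are hypothetical.

```java
package com.example.checks;

import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

// Assumed MobileFirst 8.0 adapter API packages (not shown on the page).
import com.ibm.mfp.server.security.external.checks.SecurityCheckConfiguration;
import com.ibm.mfp.server.security.external.checks.impl.CredentialsValidationSecurityCheck;
import com.ibm.mfp.server.security.external.checks.impl.CredentialsValidationSecurityCheckConfig;

/*
 * Assumed matching declaration in the adapter descriptor (adapter.xml), inside <mfp:adapter>:
 *
 *   <securityCheckDefinition name="PinCodeAttempts" class="com.example.checks.PinCodeAttempts">
 *     <property name="maxAttempts" defaultValue="3"
 *               description="Failed attempts tolerated before the client is blocked"/>
 *     <property name="blockedStateExpirationSec" defaultValue="60"
 *               description="Seconds the client stays blocked after exhausting attempts"/>
 *     <property name="pinCode" defaultValue="1234"
 *               description="Demo PIN; a real deployment would validate against a backend"/>
 *   </securityCheckDefinition>
 *
 * defaultValue is only the initial value: an administrator can override each property
 * at runtime (Operations Console or mfpadm) and the framework calls createConfiguration()
 * again, so the check picks up the new limits without the adapter being redeployed.
 */
public class PinCodeAttempts extends CredentialsValidationSecurityCheck {

    /** Typed view of the check's properties. The base class parses maxAttempts and the
     *  *ExpirationSec properties; this subclass adds the hypothetical pinCode property. */
    public static class PinCodeConfig extends CredentialsValidationSecurityCheckConfig {
        public final String pinCode;

        public PinCodeConfig(Properties properties) {
            super(properties);
            pinCode = getStringProperty("pinCode", properties, "1234");
        }
    }

    /** Invoked by the framework with the current (descriptor or runtime-overridden) properties. */
    @Override
    public SecurityCheckConfiguration createConfiguration(Properties properties) {
        return new PinCodeConfig(properties);
    }

    /** Compare the submitted PIN with the configured one. The base class counts failures
     *  against maxAttempts and blocks the client for blockedStateExpirationSec seconds
     *  once they are exhausted, so no attempt bookkeeping is needed here. */
    @Override
    protected boolean validateCredentials(Map<String, Object> credentials) {
        Object submitted = credentials == null ? null : credentials.get("pin");
        String expected = ((PinCodeConfig) getConfiguration()).pinCode;
        return submitted != null && expected.equals(submitted.toString());
    }

    /** Challenge returned to the client when it must (re)authenticate; exposing the
     *  remaining attempts lets the client warn the user before it is blocked. */
    @Override
    protected Map<String, Object> createChallenge() {
        Map<String, Object> challenge = new HashMap<>();
        challenge.put("remainingAttempts", getRemainingAttempts());
        return challenge;
    }
}
```

A resource in the same or another adapter is then protected by naming the check in its OAuth scope; lowering maxAttempts or lengthening blockedStateExpirationSec at runtime changes the check's behaviour for every client on the next request, which is the point the release note makes about configuring checks without redeploying the adapter.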
See the other security release notes for specific changes and additions that are also the result of the security-framework redesign.

Application-authenticity security check

MobileFirst application-authenticity validation is now implemented as a predefined security check that replaces the previous "extended application authenticity checking". We can dynamically enable, disable, and configure application-authenticity validation by using either MobileFirst Operations Console or mfpadm. A stand-alone MobileFirst application-authenticity Java™ tool (mfp-app-authenticity-tool.jar) is provided for generating an application-authenticity file. See Application-authenticity security check.

Confidential clients

The support for confidential clients was redesigned and reimplemented using the new OAuth security framework. See Confidential clients.

Web-applications security

The revised OAuth-based security framework supports web applications. We can now register web applications with MobileFirst Server to add security capabilities to our application and protect access to our web resources. For more information about developing MobileFirst web applications, see Developing web applications. The application-authenticity security check is not supported for web applications.

Cross-platform applications (Cordova apps), new and changed security features

Additional security features are available to help protect your Cordova app. These features include the following:

Device Single Sign-On (SSO)

Device single sign-on (SSO) is now supported by way of the new predefined enableSSO security-check application-descriptor configuration property. See Configuring device single sign-on (SSO).

Direct Update

In contrast to earlier versions of MobileFirst, starting with V8.0.0:

External-resources Protection

The supported method and provided artifacts for protecting resources on external servers were modified:

Integration with WebSphere DataPower as an authorization server

We can now choose to use WebSphere DataPower® as the OAuth authorization server, instead of the default MobileFirst Server authorization server. We can configure DataPower to integrate with the MobileFirst security framework. See Configuring IBM® WebSphere DataPower as the OAuth authorization server.

LTPA-based single sign-on (SSO) security check

Support for sharing user authentication among servers that use WebSphere lightweight third-party authentication (LTPA) is now provided by the new predefined LTPA-based single sign-on (SSO) security check. This check replaces the obsolete MobileFirst LTPA realm, and eliminates the configuration that was previously required. See LTPA-based single sign-on (SSO) security check.

Mobile-application management with MobileFirst Operations Console

Some changes were made to the support for tracking and managing mobile applications, users, and devices from IBM MobileFirst Platform Operations Console.
Blocking device or application access is applicable only to attempts to access protected resources.
See Mobile-application management.

MobileFirst Server keystore

A single MobileFirst Server keystore is used for signing OAuth tokens and Direct Update packages, and for mutual HTTPS (SSL) authentication. We can dynamically configure this keystore by using either MobileFirst Operations Console or mfpadm. See Configuring the MobileFirst Server keystore.

Native encryption and decryption for iOS

OpenSSL has been removed from the main iOS framework and replaced by native encryption and decryption. OpenSSL can still be added as a separate framework. See Enabling OpenSSL for iOS. For iOS Cordova JavaScript, OpenSSL remains embedded in the main framework. In both the native and the Cordova APIs, both native and OpenSSL encryption are available.

Parent topic: What's new in V8.0.0