For up-to-date product documentation, see the IBM MobileFirst Foundation Developer Center.
What's new in MobileFirst security
The security framework in IBM MobileFirst™ Platform Foundation was entirely redesigned. New security features were introduced, and some modifications were made to existing features.
Security framework overhaul
The MobileFirst security framework was redesigned and reimplemented to improve and simplify security development and administration tasks. The framework is now inherently based on the OAuth model, and the implementation is session-independent. See Overview of the MobileFirst security framework.
On the server side, the multiple building blocks of the framework were replaced with security checks (implemented in adapters), allowing for simplified development with new APIs. Sample implementations and predefined security checks are provided. See Security checks. Security checks can be configured in the adapter descriptor, and customized by making runtime adapter or application configuration changes, without redeploying the adapter or disrupting the flow. The configuration can be done from the redesigned MobileFirst Operations Console security interfaces. You can also edit the configuration files manually, or use the MobileFirst Platform CLI or mfpadm tools. See Security-checks configuration.
See the other security release notes for specific changes and additions that are also the result of the security-framework redesign.
Application-authenticity security check
MobileFirst application-authenticity validation is now implemented as a predefined security check that replaces the previous "extended application authenticity checking". You can dynamically enable, disable, and configure application-authenticity validation by using either MobileFirst Operations Console or mfpadm. A stand-alone MobileFirst application-authenticity Java™ tool (mfp-app-authenticity-tool.jar) is provided for generating an application-authenticity file. See Application-authenticity security check.
Confidential clients
The support for confidential clients was redesigned and reimplemented using the new OAuth security framework. See Confidential clients.
Web-applications security
The revised OAuth-based security framework supports web applications. You can now register web applications with MobileFirst Server to add security capabilities to your application and protect access to your web resources. For more information about developing MobileFirst web applications, see Develop web applications. The application-authenticity security check is not supported for web applications.
Cross-platform applications (Cordova apps), new and changed security features
Additional security features are available to help protect your Cordova app. These features include the following:
- Web resources encryption: Use this feature to encrypt the web resources in your Cordova package to help prevent someone from modifying the package. For more information, see Encrypting the web resources of your Cordova packages.
- Web resources checksum: Use this feature to run a checksum test that compares the current statistics of the web resources of the app with the baseline statistics that were established when it was first opened. This check helps to prevent someone from modifying the app after it is installed and opened. For more information, see Enabling the web resources checksum feature.
- Certificate pinning: Use this feature to associate the certificate of an app with a certificate on the host server. This feature helps to prevent information that is passed between the app and the server from being viewed or modified. For more information, see Certificate pinning.
- Support for the Federal Information Processing Standard (FIPS) 140-2: Use this feature to ensure that data that is transferred is compliant with the FIPS 140-2 cryptography standard. For more information, see Enabling FIPS 140-2.
- OpenSSL: To use OpenSSL data encryption and decryption with your Cordova app for the iOS platform, you can use the cordova-plugin-mfp-encrypt-utils Cordova plug-in. For more information, see Cordova plug-ins for MobileFirst features and Enabling OpenSSL for Cordova iOS.
Device Single Sign-On (SSO)
Device single sign-on (SSO) is now supported by way of the new predefined enableSSO security-check application-descriptor configuration property. See Configure device single sign-on (SSO).
Direct Update
In contrast to earlier versions of MobileFirst, starting with V8.0.0:
- If a client application accesses an unprotected resource, the application does not receive updates, even if an update is available on MobileFirst Server. See Update Cordova client apps directly.
- After it has been activated, Direct Update is enforced on every request for a protected resource.
External-resources Protection
The supported method and provided artifacts for protecting resources on external servers were modified:
- A new, configurable MobileFirst Java Token Validator access-token validation module is provided for using the MobileFirst security framework to protect resources on any external Java server. The module is provided as a Java library (mfp-java-token-validator-8.0.0.jar), and replaces the use of the obsolete MobileFirst Server token-validation endpoint to create a custom Java validation module. See MobileFirst Java Token Validator.
- The MobileFirst OAuth Trust Association Interceptor (TAI) filter, for protecting Java resources on an external WebSphere® Application Server or WebSphere Application Server Liberty server, is now provided as a Java library (com.ibm.imf.oauth.common_8.0.0.jar). The library uses the new Java Token Validator validation module, and the configuration of the provided TAI changed. See MobileFirst OAuth Trust Association Interceptor (TAI) for protecting resources on WebSphere Java servers. The server-side MobileFirst OAuth TAI API is no longer required and was removed.
- The passport-mfp-token-validation MobileFirst Node.js framework, for protecting Java resources on an external Node.js server, was modified to support the new security framework. See MobileFirst Node.js resource protection.
- You can also write your own custom filter and validation module, for any type of resource server, which uses the new introspection endpoint of the authorization server. See External resources protection.
Integration with WebSphere DataPower as an authorization server
You can now select to use WebSphere DataPower® as the OAuth authorization server, instead of the default MobileFirst Server authorization server. You can configure DataPower to integrate with the MobileFirst security framework. See Configure IBM® WebSphere DataPower as the OAuth authorization server.
LTPA-based single sign-on (SSO) security check
Support for sharing user authentication among servers that use WebSphere lightweight third-party authentication (LTPA) is now provided by using the new predefined LTPA-based single sign-on (SSO) security check. This check replaces the obsolete MobileFirst LTPA realm, and eliminates the previously required configuration. See LTPA-based single sign-on (SSO) security check.
Mobile-application management with MobileFirst Operations Console
Some changes were made to the support for tracking and managing mobile applications, users, and devices from IBM MobileFirst Platform Operations Console.
Blocking device or application access is applicable only to attempts to access protected resources.
See Mobile-application management.
MobileFirst Server keystore
A single MobileFirst Server keystore is used for signing OAuth tokens and Direct Update packages, and for mutual HTTPS (SSL) authentication. You can dynamically configure this keystore by using either MobileFirst Operations Console or mfpadm. See Configure the MobileFirst Server keystore.
Native encryption and decryption for iOS
OpenSSL has been removed from the main framework for iOS and replaced by native encryption and decryption. OpenSSL can be added as a separate framework. See Enabling OpenSSL for iOS. For iOS Cordova JavaScript, OpenSSL is still embedded in the main framework. For both APIs, both native and OpenSSL encryption are available.