
Apply Application Security

Applies to Kony Visualizer Classic.

Kony protects all applications using methods such as design-time security, critical business logic security, and on-device encryption. All applications developed with Kony are compliant with the Payment Card Industry Data Security Standard (PCI DSS), HIPAA/HITECH, SOC 2 Type II, and ISO 27001:2013; address the OWASP Mobile Top 10 vulnerabilities; support Single Sign-On (SSO) and Multi-Factor Authentication (MFA); and support Federal Information Processing Standard (FIPS) 140-2. Kony's development standards adhere to the Microsoft Security Development Lifecycle (SDL) for product development, the Open Web Application Security Project (OWASP) for secure coding and testing, the Web Application Security Consortium (WASC) guidelines for threat modeling, coding, and testing, and the Application Security Verification Standard (ASVS) for testing security controls.

For enhanced security, Kony provides strong application protection through anti-tampering mechanisms, White Box Cryptography (WBC), cryptography and encryption APIs, and secured network communications. The following two methods enhance security in your application.

This topic covers the following:

Build Runtime Security in the Application

Protect the Application Binaries

Protection Mechanisms Provided by Kony

RSA Public/Private Key Pair Generation, Encryption, and Usage

Configure Project Settings in Kony Visualizer

Impact on App's Performance

Application Security Guidelines

Build Runtime Security in the Application

You can build runtime security into your application using the following Kony features and APIs: 

SSL Pinning - Windows Limitation

On Windows devices with SSL pinning implemented, if a man-in-the-middle (MitM) proxy such as Fiddler intercepts the HttpRequest, the request still travels to the server through the proxy and a response comes back. The client, however, never receives that response, because the certificate the proxy presents with the response does not pass the pinning check. Note what this means in practice: the request, including its headers and body, has already reached the interceptor before pinning fails, so on Windows pinning stops the app from consuming a tampered response but does not keep the request itself away from the interceptor. This applies to all Windows channels (Windows Phone 8.1, Windows 8.1, Windows 10, Windows 10 Mobile, and Windows Desktop).

On Android and iOS, if a MitM attack is detected, the HttpRequest aborts instead of being sent through the interceptor.

Protect the Application Binaries

In Kony Visualizer, the Protected Mode option secures the binary at build time by including multiple self-protection mechanisms. To use the option, select the Protected Mode check box in the Project Settings dialog. If an attack on the application is detected, the protection mechanism exits the application.

In this section, you will learn about: 

  1. Protection Mechanisms Provided by Kony
  2. RSA Key Pair Generation, Encryption, and Usage
  3. Configure Project Settings

Protection Mechanisms Provided by Kony

Kony provides the following application and code-level mechanisms to protect your application: 

  1. Anti-tamper Protection - The following application self-protection mechanisms used by Kony react to a detected attack by exiting the application: 
    • Tamper Protection - Counters application compromise by detecting modifications to the application.
    • Jailbreak / Root detection - Resists runtime attacks by preventing the app from running on a rooted or jailbroken device. For more information, see Jailbroken and Rooted Device Detection later in this topic.
    • Swizzling detection - Prevents abuse of method swizzling to override methods at runtime. This attack is specific to Objective-C on iOS.
    • Anti-debugging - Prevents debugging of a production application, so that attackers cannot analyze the application at runtime with a debugger attached.
  2. Protecting Cryptographic Keys using White Box Cryptography (WBC) - Cryptographic keys are critical to securing systems such as applications and communications, and therefore must be protected at all times. Kony provides secure cryptographic capability beyond what the native operating system offers. Kony's encryption and decryption use White Box Cryptography, which performs the operations while keeping the keys safe: the keys are never present in cleartext, either statically in the binary or in memory at runtime. WBC is an implementation of cryptographic algorithms designed for environments in which an attacker can observe the running code and its memory. Only strong algorithms are used for encryption and decryption; insecure and deprecated algorithms are not used.

RSA Key Pair Generation, Encryption, and Usage

Prerequisites

The procedure below uses OpenSSL commands. On Windows, run them from a third-party environment that ships OpenSSL, such as Git Bash or Cygwin.

To generate, encrypt, and use the RSA key pair, follow these steps: 

  1. Open a terminal (Git Bash or Cygwin terminal in Windows) and type openssl to confirm that OpenSSL is on the path.
  2. Generate the RSA public/private key pair using OpenSSL.
    1. Generate a 2048-bit RSA private key using this command.

      openssl genrsa -out private_key.pem 2048

    2. Extract the public key from the RSA key pair using this command.

      openssl rsa -pubout -in private_key.pem -out public_key.pem

    3. View the private key using this command.

      openssl rsa -text -in private_key.pem

    4. Verify the key files using the following commands.
      1. less private_key.pem to verify that it starts with -----BEGIN RSA PRIVATE KEY----- (OpenSSL 1.x) or -----BEGIN PRIVATE KEY----- (OpenSSL 3.x, which writes PKCS#8 by default; pass -traditional to openssl genrsa if you need the legacy header).
      2. less public_key.pem to verify that it starts with -----BEGIN PUBLIC KEY-----.
  3. Raise a customer support ticket and provide your public key and Kony Visualizer version details in the ticket.

    Important: The public key must not be shared with anyone except Quantum Support.

  4. The Quantum security team validates the information and encrypts your public key.
  5. The Quantum security team shares the encrypted public key, together with the unique clientID and clientSecret, in the same customer support ticket that you raised.

    • For iOS, Quantum also provides a set of fin keys along with the public key to protect iOS applications.
    • Note: Starting with Quantum Visualizer V8 SP3, fin keys are not applicable. Quantum Support does not provide the fin keys folder if your Visualizer version is V8 SP3 or later.

    Important: You must not share your private key with anyone, including Kony, Inc. If the private key is compromised, generate a new key pair and send the new public key through a Quantum customer support ticket.

  6. Navigate to your Kony workspace and create a folder named __encryptionkeys.
  7. Place the following files in the __encryptionkeys folder.
    1. Your private key, which must be named private_key.pem.
    2. The encrypted public key provided by Kony.
    3. For iOS, the fin keys provided by Kony to protect iOS applications.

      Note: Starting with Kony Visualizer V8 SP3, fin keys are not applicable. Once you have updated your Visualizer version to V8 SP3 or later, you can delete the fin keys folder from your __encryptionkeys folder.
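The local part of this procedure (key generation, verification of both PEM files, and staging the private key in __encryptionkeys), as an added shell example that is not part of Kony's documentation or tooling. Beyond the steps above it also confirms that the key is really 2048 bits and that public_key.pem belongs to private_key.pem before the public key leaves your machine, and it accepts both the PKCS#1 header written by OpenSSL 1.x and the PKCS#8 header written by OpenSSL 3.x. The KONY_WORKSPACE variable and the keygen subfolder are assumptions made for the example; OpenSSL 1.1 or 3.x must be on the path.

```shell
#!/bin/sh
# Added example, not Kony tooling: generate and verify the Protected Mode
# RSA key pair, then stage the private key in <workspace>/__encryptionkeys.
# Assumptions: OpenSSL 1.1 or 3.x on PATH; KONY_WORKSPACE (hypothetical
# variable) points at your Kony workspace, defaulting to a temp directory.
set -eu

# generate_keypair DIR: writes DIR/private_key.pem and DIR/public_key.pem.
generate_keypair() {
  mkdir -p "$1"
  # umask 077 so the private key is never created world-readable
  ( umask 077 && openssl genrsa -out "$1/private_key.pem" 2048 2>/dev/null )
  openssl rsa -pubout -in "$1/private_key.pem" -out "$1/public_key.pem" 2>/dev/null
}

# verify_keypair DIR: returns 0 when the pair is usable, 1 with a reason on stderr.
verify_keypair() {
  priv="$1/private_key.pem"
  pub="$1/public_key.pem"

  # 1. PEM headers. OpenSSL 3 writes PKCS#8 ("BEGIN PRIVATE KEY") by default,
  #    OpenSSL 1.x writes PKCS#1 ("BEGIN RSA PRIVATE KEY"); both are accepted.
  case "$(head -n 1 "$priv")" in
    "-----BEGIN PRIVATE KEY-----"|"-----BEGIN RSA PRIVATE KEY-----") ;;
    *) echo "verify: unexpected private key header" >&2; return 1 ;;
  esac
  if [ "$(head -n 1 "$pub")" != "-----BEGIN PUBLIC KEY-----" ]; then
    echo "verify: unexpected public key header" >&2; return 1
  fi

  # 2. Key size: the procedure requires a 2048-bit key.
  bits=$(openssl rsa -in "$priv" -noout -text 2>/dev/null \
         | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p')
  if [ "$bits" != "2048" ]; then
    echo "verify: expected a 2048-bit key, got ${bits:-unknown}" >&2; return 1
  fi

  # 3. The public key you send to support must belong to the private key you
  #    keep: compare the RSA moduli of the two files.
  priv_mod=$(openssl rsa -in "$priv" -noout -modulus 2>/dev/null)
  pub_mod=$(openssl rsa -pubin -in "$pub" -noout -modulus 2>/dev/null)
  if [ -z "$priv_mod" ] || [ "$priv_mod" != "$pub_mod" ]; then
    echo "verify: public_key.pem does not match private_key.pem" >&2; return 1
  fi
  return 0
}

# stage_private_key DIR WORKSPACE: copies the private key into
# WORKSPACE/__encryptionkeys/private_key.pem, the file name the build expects.
stage_private_key() {
  mkdir -p "$2/__encryptionkeys"
  cp "$1/private_key.pem" "$2/__encryptionkeys/private_key.pem"
  chmod 600 "$2/__encryptionkeys/private_key.pem"
}

# Stand-alone run: generate into <workspace>/keygen, verify, then stage.
WORKSPACE="${KONY_WORKSPACE:-$(mktemp -d)}"
generate_keypair "$WORKSPACE/keygen"
verify_keypair "$WORKSPACE/keygen"
stage_private_key "$WORKSPACE/keygen" "$WORKSPACE"
echo "key pair OK; private key staged in $WORKSPACE/__encryptionkeys"
echo "send $WORKSPACE/keygen/public_key.pem to support (never private_key.pem)"
```

The modulus comparison is the check worth keeping: if a stale or unrelated public_key.pem is attached to the support ticket, the encrypted public key and clientID/clientSecret you get back will not work with the private key in __encryptionkeys, and the mistake only surfaces at build time.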

Configure Project Settings in Kony Visualizer

To enable Protected Mode in Project Settings, follow these steps:

  1. In Kony Visualizer, click Project Settings.
  2. Go to the Native > iPhone/iPad/Watch tab or the Native > Android tab.
  3. Select the Protected Mode option.

    Note: The Protected Mode option takes effect only if the application is built in Release mode.

  4. Click Finish.

Note: Before you build your iOS application, go to Window > Preferences > Kony Visualizer > Devices > iOS and enable automatic builds for iOS. This ensures that the native Xcode project is updated for the app.

To build the application in Release mode, follow these steps:

  1. Go to Product > Build. The Build Generation dialog box for your application appears.
  2. Select the required channels and platforms.
  3. In the Build Mode drop-down list, select Release.
  4. Click Build.
  5. After the application is built, go to Product > Launch Emulator, and then click the required emulator or device.

Impact on App's Performance

Enabling the self-protection features helps to prevent attacks, but the checks run when the application starts, so your application's start-up time may increase. The following image shows the performance impact measured with the Protected Mode option enabled.

Application Security Guidelines

It is recommended that you follow these security guidelines to ensure that the application is fully protected.

  1. Data at Rest
  2. Data Protection
  3. Database Security
  4. Input Validation
  5. Output Encoding
  6. Data in Transit
  7. Authentication
  8. Session Management
  9. Access Control
  10. Error Handling and Logging
  11. File Management

Data at Rest

Note: If data must be stored on the device, ensure that it is encrypted using Kony's Cryptographic APIs. In addition, Kony recommends building the application in Protected Mode for additional protection of the binary. Although Kony provides many security features and layers of defense, it cannot guarantee that your application will remain secure if best practices and secure design principles are not followed.

Data Protection

Database Security

Input Validation

Output Encoding

Data in Transit

Authentication

Session Management

Access Control

Error Handling and Logging

File Management

Note: For a more comprehensive list, Kony recommends the secure coding checklists and best practices maintained by the Open Web Application Security Project (OWASP).

Jailbroken and Rooted Device Detection

Android

On Android devices, the root detection dialog displays when the app is launched in the foreground. Detection happens in the Kony auto-generated launcher activity, which uses KonyMain. If you write custom activities using FFI and the framework, root detection does not happen in those activities, so a custom entry point bypasses the check.

If the app is triggered by a background source (Push, GeoFence, SMS, and so on), the root detection dialog does not display. A process is still created in the background for the app, but no application data is loaded into memory.

Default Error Message: This device does not meet the minimum security requirements for this application. Please contact the app publisher for more details. The application will exit when you press OK.

You can modify the Default Error Message using the i18n string defined with the key ROOT_DETECTION_MESSAGE. If you do not define an i18n string, the default error message appears.

Visualizer resolves the message in this order of preference: the i18n key defined in the locale that matches the current device locale, then the i18n key defined in the locale that matches the default locale set in Visualizer/IDE, then the Default Error Message.

The following APIs are not honored because they are available only when JavaScript is loaded, and JavaScript is never loaded when a rooted device is detected.

Important: You must define your locale-specific error message with the i18n key ROOT_DETECTION_MESSAGE.

To modify the default error message for Android, do the following:

  1. Create a stringconstants.xml file with the following content.

    <?xml version="1.0" encoding="utf-8"?>
    <resources>
        <string name="default_root_detetection_message">Custom Root Detection Message</string>
    </resources>

  2. Replace Custom Root Detection Message with your own message. As in any Android string resource, escape & and < as XML entities and apostrophes with a backslash.
  3. Copy the file to the following folder, as required.

    For mobile - <WorkSpace>\<Application>\resources\mobile\native\android\values

    For tablet - <WorkSpace>\<Application>\resources\tablet\native\androidtab\values

iOS

Whenever an app is launched on a jailbroken iOS device, the jailbreak detection dialog appears.

Visualizer resolves the message in this order of preference: the i18n key defined in the locale that matches the current device locale, then the i18n key defined in the locale that matches the default locale set in Visualizer/IDE, then the Default Error Message.

To customize the jailbreak dialog message through i18n keys, do the following:

  1. In Kony Visualizer, on the Edit menu (the Project menu in Kony Visualizer), click Internationalization (i18n). The Configure Internationalization dialog box appears.
  2. The Configure Internationalization dialog box displays an initial row for an i18n key and the locales you want your app to support. In the Key field, type ROOT_DETECTION_MESSAGE as the key name.
  3. In each locale's field for the ROOT_DETECTION_MESSAGE key, enter the message for that locale; for example, define your English message in the English locale field.
  4. Click Finish.

For more information on how to manually add i18n keys, see the Internationalization (i18n) documentation.

Rev Author Edits
8.0 PG PG
7.0 NMK NMK
Copyright © 2013 Kony, Inc. All rights reserved.