
Apply Application Security

Quantum Visualizer protects all applications using methods such as design-time security, critical business logic security, and on-device encryption. Applications developed with Quantum Visualizer are compliant with the Payment Card Industry Data Security Standard (PCI DSS), HIPAA/HITECH, SOC 2 Type II, and ISO 27001:2013; address the OWASP Top 10 mobile vulnerabilities; and support Single Sign-On (SSO), Multi-Factor Authentication (MFA), and Federal Information Processing Standard (FIPS) 140-2. The standards Quantum Visualizer follows are the Microsoft Security Development Lifecycle (SDL) for product development, Open Web Application Security Project (OWASP) guidance for secure coding and testing, Web Application Security Consortium (WASC) guidelines for threat modeling, coding, and testing, and the Application Security Verification Standard (ASVS) for testing security controls.

For enhanced security, Quantum provides strong application protection through anti-tampering mechanisms, White Box Cryptography (WBC), cryptography and encryption APIs, and secured network communications. You can enhance security in your application in two ways: by building runtime security into the application, and by protecting the application binaries.

This topic covers the following:

Build Runtime Security in the Application

Protect the Application Binaries

Protection Mechanisms Provided by Quantum Visualizer

RSA Public/Private Key Pair Generation, Encryption, and Usage

Configure Project Settings in Quantum Visualizer

Impact on App's Performance

Application Security Guidelines

Build Runtime Security in the Application

You can build runtime security into your application using the following Quantum Visualizer features and APIs:

SSL Pinning - Windows Limitation

On Windows channels, SSL pinning does not stop a request from reaching an intercepting proxy. When an HttpRequest is initiated and a man-in-the-middle (MitM) tool such as Fiddler is interposed, the request is forwarded through the MitM to the server and a response comes back. The client discards that response because the certificate presented by the MitM does not match the pinned certificate, so the application never receives it. The request itself, including any data in its body, has already passed through the MitM by that point. This applies to all Windows channels.

On the Android and iOS platforms, if a MitM is detected the HttpRequest aborts, so the request data is not sent.
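The difference described above, shown as a runnable Go program. This is an added example and not Quantum Visualizer code; it does not show how the Visualizer's Windows channel implements pinning. It places the public-key pin check inside the TLS handshake, so a certificate whose key is not pinned aborts the connection before any HTTP bytes (headers or body) leave the client, which is the Android/iOS behaviour. A request counter on a local throwaway server confirms that the handler is never reached when the pin is wrong. The server, the secret in the POST body, and the wrong-pin value are all constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync/atomic"
)

// spkiPin returns the base64 SHA-256 hash of a certificate's SubjectPublicKeyInfo,
// the usual form of a public-key pin.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedClient returns an HTTP client that only completes a TLS handshake with a
// server whose leaf certificate public key is in pins. Because the check runs inside
// the handshake, a mismatch tears the connection down before a single byte of the
// HTTP request (headers or body) is written.
func pinnedClient(pins map[string]bool) *http.Client {
	cfg := &tls.Config{
		// The throwaway server below uses a self-signed certificate, so chain
		// validation against system roots is disabled for this demonstration only.
		// A real client keeps chain validation and adds the pin check on top.
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("server sent no certificate")
			}
			leaf, err := x509.ParseCertificate(rawCerts[0])
			if err != nil {
				return err
			}
			if pin := spkiPin(leaf); !pins[pin] {
				return fmt.Errorf("pin mismatch: server key %s is not pinned", pin)
			}
			return nil
		},
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// postThroughPinnedClient stands up a local TLS server, pins either its real key or a
// constructed wrong pin, POSTs a secret to it, and reports how many requests the server
// handler actually received. hits == 0 on the wrong pin is the property to look for.
func postThroughPinnedClient(pinMatchesServer bool) (hits int32, err error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.AddInt32(&hits, 1)
		io.Copy(io.Discard, r.Body)
		fmt.Fprint(w, "ok")
	}))
	srv.Config.ErrorLog = log.New(io.Discard, "", 0) // silence the expected handshake error
	srv.StartTLS()
	defer srv.Close()

	pins := map[string]bool{}
	if pinMatchesServer {
		pins[spkiPin(srv.Certificate())] = true
	} else {
		pins["pin-of-some-other-key"] = true // constructed placeholder, never matches
	}
	resp, err := pinnedClient(pins).Post(srv.URL, "application/x-www-form-urlencoded",
		strings.NewReader("session_token=constructed-secret"))
	if err != nil {
		return atomic.LoadInt32(&hits), err
	}
	resp.Body.Close()
	return atomic.LoadInt32(&hits), nil
}

func main() {
	for _, ok := range []bool{true, false} {
		hits, err := postThroughPinnedClient(ok)
		fmt.Printf("pin matches=%v: server handled %d request(s), err=%v\n", ok, hits, err)
	}
}
```

When you test a Windows build, the same server-side counter (or the proxy's own request log) tells you whether the request body reached the far side despite pinning. If it did, treat everything in that body as visible to the interceptor and do not rely on the pin alone to protect it on Windows channels.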

Protect the Application Binaries

In Quantum Visualizer, the Protected Mode option enables several security features that harden the binary at build time by including multiple self-protection mechanisms. To use it, select the Protected Mode check box in the Project Settings dialog. When an attack on the application is detected, the protection mechanism exits the application.

In this section, you will learn about: 

  1. Protection Mechanisms Provided by Quantum Visualizer
  2. RSA Key Pair Generation, Encryption, and Usage

Protection Mechanisms Provided by Quantum Visualizer

Quantum provides the following application and code-level mechanisms to protect your application: 

  1. Anti-tamper Protection - Quantum Visualizer uses the following application self-protection mechanisms, each of which reacts to a detected attack by exiting the application:
    • Tamper Protection - Detects modifications to the application and stops it from running when it has been altered.
    • Jailbreak / Root detection - Prevents the app from running on a rooted or jailbroken device. For more information, see Jailbroken and Rooted Device Detection later in this topic.
    • Swizzling detection - Prevents abuse of method swizzling to override methods at runtime. This attack is specific to Objective-C on iOS.
    • Anti-debugging - Detects a debugger attached to a production application so that attackers cannot analyze the application at runtime.
  2. Protecting Cryptographic Keys using White Box Cryptography (WBC) - Cryptographic keys secure applications and communications and must be protected at all times. Quantum provides cryptographic capability beyond the native operating system's facilities: encryption and decryption are performed with White Box Cryptography, which keeps the keys safe by never exposing them in static form in the binary or in cleartext in memory at runtime. WBC is an implementation technique for cryptographic algorithms intended for environments where the attacker controls the device that holds the key. Only strong algorithms are used for encryption and decryption; insecure and deprecated algorithms are not used. Keep in mind that WBC raises the cost of extracting a key from an application but, unlike a hardware-backed keystore, cannot make extraction impossible; it complements, rather than replaces, the other protections listed here.

RSA Key Pair Generation, Encryption, and Usage

Prerequisites

For the OpenSSL commands to work on Windows, install a third-party shell that bundles OpenSSL, such as Git Bash or Cygwin.

To generate, encrypt, and use the RSA key pair, follow these steps:

  1. Open a terminal (Git Bash or Cygwin terminal in Windows) and type openssl to confirm that the tool is available.
  2. Generate an RSA public/private key pair using OpenSSL.
    1. Generate a 2048-bit RSA key using this command.
      openssl genrsa -out private_key.pem 2048
    2. Extract the public key from the RSA key pair using this command.
      openssl rsa -pubout -in private_key.pem -out public_key.pem
    3. View the private key using this command.
      openssl rsa -text -in private_key.pem
    4. Verify the files before using them.
      1. less private_key.pem and verify that it starts with -----BEGIN RSA PRIVATE KEY-----.
      2. less public_key.pem and verify that it starts with -----BEGIN PUBLIC KEY-----.

    Note: OpenSSL 3.x writes private keys in PKCS#8 format by default, so the first line of private_key.pem reads -----BEGIN PRIVATE KEY----- instead. To produce the PKCS#1 header this procedure expects, generate the key with openssl genrsa -traditional -out private_key.pem 2048.

  3. Send your public key and Quantum Visualizer version to licensing@kony.com. This step is applicable to the Android and iOS platforms.
    For the Responsive Web/SPA platform, raise a Kony customer service ticket and provide your public key and Quantum Visualizer version in the ticket.

    Important: The public key must not be shared with anyone except Quantum.

  4. For the Android and iOS platforms, Quantum's security team validates the details and encrypts your public key.
    For the Responsive Web/SPA platform, Quantum's security team validates the information and shares a unique clientID and clientSecret in the same customer service ticket that you raised. You then use these details to create a postbuild task.
  5. Quantum's security team returns the encrypted public key to you by email.
    For iOS, Quantum also provides a set of fin keys along with the public key to protect iOS applications.

    Note: Starting with Quantum Visualizer V8 SP3, fin keys are not applicable. Kony does not provide the fin keys folder if your Visualizer version is V8 SP3 or later.

    Important: You must not share your private key with anyone, including Kony. If a key is compromised on the Android or iOS platforms, generate a new key pair and send the new public key to licensing@kony.com. If a key is compromised on the Responsive Web/SPA platform, generate a new key pair and send the new public key through a Kony customer service ticket.

  6. Navigate to your Quantum Visualizer workspace and create an __encryptionkeys folder.
  7. Place the following keys in the __encryptionkeys folder.
    1. Your private key, which must be named private_key.pem.
    2. The encrypted public key provided by Quantum.
    3. For iOS, the fin keys provided by Quantum. These keys protect iOS applications and are applicable only up to Quantum Visualizer V8 SP2; once you have upgraded to V8 SP3 or later, you can delete the fin keys folder from __encryptionkeys.
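The key-generation and verification steps above as one self-checking program, written here as an added example and not code from Quantum Visualizer or OpenSSL. It generates the 2048-bit pair in the same two PEM formats that openssl genrsa (PKCS#1, -----BEGIN RSA PRIVATE KEY-----) and openssl rsa -pubout (SubjectPublicKeyInfo, -----BEGIN PUBLIC KEY-----) produce, checks the headers the steps tell you to look for, confirms that the public key actually belongs to the private key, and writes private_key.pem into an __encryptionkeys folder with owner-only permissions. The file name private_key.pem and the folder name come from the procedure; the placement of public_key.pem in the workspace root and the 2048-bit minimum are this example's own choices.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// KeyPair holds the two PEM documents the procedure above produces.
type KeyPair struct {
	PrivatePEM []byte // PKCS#1, "-----BEGIN RSA PRIVATE KEY-----" (openssl genrsa -traditional)
	PublicPEM  []byte // SubjectPublicKeyInfo, "-----BEGIN PUBLIC KEY-----" (openssl rsa -pubout)
}

// GenerateKeyPair is the in-process equivalent of "openssl genrsa" followed by "openssl rsa -pubout".
func GenerateKeyPair(bits int) (*KeyPair, error) {
	if bits < 2048 {
		return nil, fmt.Errorf("refusing a %d-bit RSA key; use at least 2048 bits", bits)
	}
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return nil, err
	}
	return &KeyPair{
		PrivatePEM: pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}),
		PublicPEM:  pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER}),
	}, nil
}

// CheckKeyPair automates the "less private_key.pem" / "less public_key.pem" inspection: it verifies
// both PEM headers, parses both keys, and confirms the public key has the private key's modulus.
func CheckKeyPair(privPEM, pubPEM []byte) error {
	if !strings.HasPrefix(string(privPEM), "-----BEGIN RSA PRIVATE KEY-----") {
		return errors.New("private key is not PKCS#1 PEM (expected -----BEGIN RSA PRIVATE KEY-----)")
	}
	if !strings.HasPrefix(string(pubPEM), "-----BEGIN PUBLIC KEY-----") {
		return errors.New("public key is not SubjectPublicKeyInfo PEM (expected -----BEGIN PUBLIC KEY-----)")
	}
	privBlock, _ := pem.Decode(privPEM)
	pubBlock, _ := pem.Decode(pubPEM)
	if privBlock == nil || pubBlock == nil {
		return errors.New("malformed PEM")
	}
	priv, err := x509.ParsePKCS1PrivateKey(privBlock.Bytes)
	if err != nil {
		return fmt.Errorf("parse private key: %w", err)
	}
	pubAny, err := x509.ParsePKIXPublicKey(pubBlock.Bytes)
	if err != nil {
		return fmt.Errorf("parse public key: %w", err)
	}
	pub, ok := pubAny.(*rsa.PublicKey)
	if !ok {
		return errors.New("public key is not RSA")
	}
	if pub.N.Cmp(priv.N) != 0 || pub.E != priv.E { // catches a public_key.pem copied from another pair
		return errors.New("public_key.pem does not belong to private_key.pem")
	}
	return nil
}

// WriteKeyPair stores private_key.pem under <workspace>/__encryptionkeys with owner-only permissions
// and public_key.pem in the workspace root, ready to be sent to Kony (layout is this example's choice).
func WriteKeyPair(workspace string, kp *KeyPair) (privPath, pubPath string, err error) {
	dir := filepath.Join(workspace, "__encryptionkeys")
	if err = os.MkdirAll(dir, 0o700); err != nil {
		return "", "", err
	}
	privPath, pubPath = filepath.Join(dir, "private_key.pem"), filepath.Join(workspace, "public_key.pem")
	if err = os.WriteFile(privPath, kp.PrivatePEM, 0o600); err != nil {
		return "", "", err
	}
	err = os.WriteFile(pubPath, kp.PublicPEM, 0o644)
	return privPath, pubPath, err
}

func main() {
	kp, err := GenerateKeyPair(2048)
	if err == nil {
		err = CheckKeyPair(kp.PrivatePEM, kp.PublicPEM)
	}
	if err != nil {
		panic(err)
	}
	priv, pub, err := WriteKeyPair(".", kp)
	fmt.Println("wrote", priv, "and", pub, "err:", err)
}
```

Run it from the workspace root; only public_key.pem is sent to Kony, and private_key.pem must stay in __encryptionkeys with its 0600 permissions and out of version control.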

Configure Project Settings in Quantum Visualizer

To enable Protected Mode in Project Settings, follow these steps:

  1. In Quantum Visualizer, click Project Settings.
  2. Click Protected Mode.
  3. Under Encryption Keys, provide the Public Key and the Private Key.
    The information on the screen describes how to procure the keys.
  4. Click Finish.

Note: Before you build your iOS application, go to Window > Preferences > Quantum Visualizer > Devices > iOS and enable automatic builds for iOS. This ensures that the native Xcode project is updated for the app.

Note: In Xcode, under Targets, select the KProtected target, not the KRelease target.

To build the application, follow these steps:

  1. From the Build menu, select Build and Publish Native.
    The Build and Publish Native dialog box appears.
  2. Select the required channels and platforms.
  3. In the Build Mode drop-down list, select Release.
  4. Click Build.
  5. After the application is built, you can preview it on your device.

Impact on App's Performance

Enabling security features in your application mitigates the attacks described above at the cost of slower application start-up. The image that accompanies this topic shows the measured start-up overhead with the Protected Mode option enabled.

Application Security Guidelines

It is recommended that you follow the security guidelines to ensure the application is fully protected.

  1. Data at Rest
  2. Data Protection
  3. Database Security
  4. Input Validation
  5. Output Encoding
  6. Data in Transit
  7. Authentication
  8. Session Management
  9. Access Control
  10. Error Handling and Logging
  11. File Management

Data at Rest

Note: If data must be stored, ensure that it is encrypted by leveraging Kony’s Cryptographic APIs. In addition, Quantum Visualizer recommends building the application in Protected Mode for additional protection of the binary. Although Quantum provides many security features and layers of defense, we cannot guarantee that your application will remain secure if best practices and secure design principles are not followed.

Data Protection

Database Security

Input Validation

Output Encoding

Data in Transit

Authentication

Session Management

Access Control

Error Handling and Logging

File Management

Note: For a more comprehensive list, Quantum Visualizer recommends the secure coding checklists and best practices maintained by the Open Web Application Security Project (OWASP).

Jailbroken and Rooted Device Detection

Android

On Android devices, the root detection dialog is displayed when the app is launched in the foreground. Detection runs in the launcher activity that Quantum Visualizer auto-generates using KonyMain. If you write custom activities using FFI and the Framework, those activities bypass this check and root detection does not happen.

If the app is started by a background source (push notification, geofence, SMS, and so on), the root detection dialog is not displayed. A process is created in the background for the app, but no application data is loaded into memory.

Default Error Message: This device does not meet the minimum security requirements for this application. Please contact the app publisher for more details. The application will exit when you press OK.

You can change the default error message through the i18n string with the key ROOT_DETECTION_MESSAGE. If that i18n string is not defined, the default error message appears.

Visualizer resolves the message in this order of preference: the ROOT_DETECTION_MESSAGE i18n key in the locale that matches the current device locale, then the key in the locale that matches the default locale set in Visualizer/IDE, then the default error message.

The following APIs are not honored, because they are available only once JavaScript is loaded, and JavaScript is never loaded when a rooted device is detected.

Important: You must define your locale-specific error message with the i18n key ROOT_DETECTION_MESSAGE.

To modify the default error message for Android, do the following:

  1. Create a stringconstants.xml file with the following content.
    <?xml version="1.0" encoding="utf-8"?>
    <resources>
        <string name="default_root_detetection_message">Custom Root Detection Message</string>
    </resources>
  2. Replace Custom Root Detection Message with the text you want to display.
  3. Copy the file to the following folders as required.

    For mobile - <WorkSpace>\<Application>\resources\mobile\native\android\values

    For tablet - <WorkSpace>\<Application>\resources\tablet\native\androidtab\values

iOS

Whenever an app is launched on a jailbroken iOS device, a jailbreak detection dialog appears. The message is resolved in the same order of preference as on Android: the ROOT_DETECTION_MESSAGE i18n key in the locale that matches the current device locale, then the key in the locale that matches the default locale set in Visualizer/IDE, then the default error message.

To customize the jailbreak dialog message through i18n keys manually, do the following:

  1. In Quantum Visualizer, navigate to Project > Settings > Application and, under the Internationalization (i18n) section, select the Enable check box.
  2. Click Configure.
    The Configure Internationalization dialog box appears.
  3. The Configure Internationalization dialog box shows an initial row for an i18n key and the locales you want your app to support. In the Key field, type ROOT_DETECTION_MESSAGE.
  4. In each locale's field for the ROOT_DETECTION_MESSAGE key, enter the message to display; for example, define your English message in the English locale field.
  5. Click Finish.

For more information on how to manually add i18n keys, refer to the Internationalization topic in the Quantum Visualizer documentation.

Rev   Author   Edits
8.0   PG       PG
7.0   NMK      NMK
Copyright © 2020 Temenos. All rights reserved.