Reputation: 11
I am using WL 5.0.5 Server and Studio.
Now I am verifying app authentication, but I can't do it.
I made an Android app using WL Studio 5.0.5. I tried to fake the app using apktool and the motizen tool (it's a fake signing tool).
I was expecting the faked app to be prevented from executing because of auto provisioning, which is a feature in WL 5.5.
But it was working well. I don't know why.
Please let me know how to detect app forgery on WL 5.0.
Upvotes: 1
Views: 559
Reputation: 373
It's important to understand that authenticity will only work in commercial versions of Worklight. The version downloaded from the IBM developerWorks site does not have this feature active.
Upvotes: 1
Reputation: 61
If you want your publicSigningKey to be checked, you have to specify wl_authenticityRealm in your security tests. For example:
<customSecurityTest name="authenticity">
    <test realm="wl_antiXSRFRealm" step="1"/>
    <test realm="wl_authenticityRealm" step="1"/>
    <test realm="wl_remoteDisableRealm" step="1"/>
    <test realm="wl_anonymousUserRealm" isInternalUserID="true" step="1"/>
    <test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="2"/>
</customSecurityTest>
Note, your application will run on a device as expected until it attempts to connect to the server. Then the connection should fail and you'll be notified about that in WLResponseListener.onFailure.
Upvotes: 1