The new and improved Onegini mobile SDK: next generation security

Author: Sandra Pronk

Last updated: November 12, 2020

Our customers have built great mobile apps with Onegini's mobile SDK. Using our mobile security technology, it is easy to get all the mobile security you need, out of the box. When securing online identities in mobile apps, it's all you really need.

Today we are announcing a major update to the mobile SDK that will change the way we do security. Even though you will likely notice very little change in how you develop your apps, we are sharing how we continue to improve the reliability, security and speed of the mobile SDKs you use. To make use of the changes described in this blog, you should upgrade to the upcoming versions of the Android and iOS SDKs. We'll be releasing the first upgraded internals as part of version 11 for Android, and version 10 for iOS.

We've designed the upgrading process to be seamless, with minor changes in how you release an app with the Onegini SDK. Furthermore, as of these upcoming releases the Android SDK requires a minimum Android version of 6.0 and the iOS SDK requires a minimum iOS version of 11.0. We set these minimum requirements to make use of the respective platforms' built-in security features, and chose these lower limits based on the data we have on real-world use of the SDK. As with any new SDK version, you may need to upgrade your Onegini Identity Cloud mobile security components as well.

What does the mobile SDK do for me?

Onegini's mobile SDK is there to provide a complete, out-of-the-box security solution for online identity in your mobile apps. But what does that mean exactly?

The Onegini mobile SDK takes care of the following security aspects so you don't have to:

  • Secure identity - seamlessly and securely integrate a user's online identity with a fingerprint, face recognition or PIN code on your device.
  • App integrity - is the app installed on users' phones the app I distributed, or a tampered version?
  • Device integrity - does the user's phone show evidence of rooting, jailbreaking or hooking frameworks intended to subvert the operating system's security guarantees? This check is optional.
  • Communication integrity - ensure that mobile apps connect with your backend only, and that these connections cannot be eavesdropped on.

In addition to providing all of this in an easy out-of-the-box package, Onegini keeps these security systems up to date for you, now and in the future.

Local versus remote security

The Onegini mobile SDK's security model was traditionally built around the concept of "local security". The philosophy was that if attackers were targeting a mobile app, the SDK should refuse to operate immediately: when it went into lockdown mode, it shut down right away with generic errors and without communicating with the server. The downside was that your security preferences had to be baked into the app at release time, so any change required an update to your app.


As of the new versions of the SDK we have changed this approach. Since our solution is built around mobile identity, we want the server that manages that identity to be in control. As of this release, it is possible to configure app security policies server side, and to collect indicators of compromise server side as well. If you want to change security features in your app, you can do so by toggling a flag server side instead of releasing a new app. For example, you can configure server side whether to require strict app integrity checks on first launch, or which authentication methods to offer. A future release of the Onegini Mobile Security Platform will also permit you to dynamically switch your device integrity requirements.

Finally, the SDK logs clear messages when it encounters security problems, which you can use to debug your applications more effectively.

Improved reliability, modern technology

In the past, the Onegini mobile SDK's security was organized around something we call the "app thumbprint". The app thumbprint is a cryptographic hash of the components of your app, intended to make it difficult for a modified version of the app to produce the same thumbprint.


The reason our SDK was originally set up in this way was that there was historically no reliable secure credential storage on phones. With the widespread adoption of secure elements in recent years, we believe the market is now ready to build on this feature. This secure credential storage allows keys to be stored in a way that makes them very difficult to extract, which is perfect for proving the authenticity of your app.

Therefore, starting from the new version of the SDK, we use a private/public key pair to authenticate every individual installation of the app. The application thumbprint is only used during first installation, and even there you can opt out of using it. After initial registration, we authenticate the mobile app's installation using a private key stored in the device's hardware secure element. As a result, your users' app installations are tied to the actual hardware key store of their individual phones and tablets.

This method is not only more secure, because it relies on individual, securely stored private keys; it is also much more resilient to changes in the way the App Store and Play Store distribute apps, and it performs faster to boot.

Defence in depth for your communication

An optional feature of the Onegini mobile SDKs is payload encryption. For customers that require additional protection (on top of the pinned TLS connections we enforce by default), we provide an option to add a further encryption layer inside the TLS tunnel. In this release the Onegini mobile SDK replaces the venerable J-PAKE based protocol with a state-of-the-art authenticated Diffie-Hellman protocol, in which every individual app installation authenticates to the server using its own credentials.

Foundation for the future

These major changes to the internal workings of our SDK lay the foundation for a more reliable, faster and more intelligent security system for your mobile apps in the future. Moving responsibilities server side will allow for a faster, more flexible system with more insight into the security state of your apps.

If you have questions about this piece, or feedback on how we can further improve our mobile SDK in the future, please reach out to Sandra Pronk, the product owner of the Onegini mobile SDKs. Are you not yet a customer, but want to get on board with the out-of-the-box security experience for mobile identity? Schedule a demo to see the mobile solutions of the Onegini Identity Cloud in action.