We are developing a hybrid application on Worklight, and we need to implement the app authenticity. We are using Worklight Enterprise edition 6.2.0.1 with IBM app centre. However, We are seeing the following error on the server log when we launch the app on Android (iOs the same too, but will provide Android log).

[1/19/15 15:25:05:388 EST] 00000254 WLNewAuthenti E com.worklight.core.auth.ext.appauth.WLNewAuthenticityScheme isInvalidAndroidParams FWLSE0260E: Missing or empty packageName for android authenticity check, cannot test authenticity. If App Authentication is not set to 'Disabled' or 'Enabled, servicing' in Worklight Console the request will fail. [project MobileApp] [1/19/15 15:25:05:388 EST] 00000254 WLNewAuthenti E com.worklight.core.auth.ext.appauth.WLNewAuthenticityScheme isInvalidAndroidParams FWLSE0260E: Missing or empty publicsigningkey for android authenticity check, cannot test authenticity. If App Authentication is not set to 'Disabled' or 'Enabled, servicing' in Worklight Console the request will fail. [project MobileBanking].

The security test on authenticationConfig.xml is :

<securityTests>
    <mobileSecurityTest name="MobileAppTestMobile">
        <testAppAuthenticity/>
        <testDeviceId provisioningType="auto" />
        <testUser realm="MobileAppRealm" />
        <testDirectUpdate mode="perSession" />
    </mobileSecurityTest>

    <webSecurityTest name="MobileAppTest">
        <testUser realm="MobileAppRealm" />
    </webSecurityTest>
    <customSecurityTest name="SubscribeServlet">
        <test realm="SubscribeServlet" isInternalUserID="true"/>
    </customSecurityTest>           

</securityTests> 

The application-descriptor.xml:

<iphone bundleId="ca.company.MobileApp" securityTest="MobileAppTestMobile" version="1.0">
    <worklightSettings include="false"/>
    <security>
        <encryptWebResources enabled="true"/>
        <testWebResourcesChecksum enabled="true" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
    </security>
</iphone>
<android securityTest="MobileAppTestMobile" version="1.0">
    <worklightSettings include="false"/>
    <security>
        <encryptWebResources enabled="true"/>
        <testWebResourcesChecksum enabled="true" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
        <publicSigningKey>"We have added our public signing key here by extracting it from our keystore file"</publicSigningKey>
    </security>
</android>

We have deployed all the app from scratch after updating the WAR file. The worklight console shows the three values for the authenticity "Disable - Enabled, servicing - Enabled , Blocking"

When we put "Enabled, Blocking" or "Enabled , servicing" we are getting the error log on the server that shared at the top of the post. On the app screen we are getting an error " an error was encountered while processing the request from the application".

Please advise. Thank you

The problem has been fixed.

Solution:

1- we changed the MobileSecurityTest in authenticationConfig.xml to be customSecurityTest as the following, AND redeployed the WAR file:

<customSecurityTest name="MobileSecurityTest">
        <test realm="wl_antiXSRFRealm" step="1"/>
        <test realm="wl_authenticityRealm" step="1"/>
        <test realm="wl_remoteDisableRealm" step="1"/>
        <test realm="wl_directUpdateRealm" mode="perSession" step="1"/>
        <test realm="wl_anonymousUserRealm" isInternalUserID="true" step="1"/>
        <test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="2"/>
    </customSecurityTest>

2- In application-descriptor.xml:

For android, I used what Idan said about adding the <packageName> property.

<android securityTest="MobileSecurityTest" version="1.0">
    <worklightSettings include="false"/>
    <security>
        <encryptWebResources enabled="true"/>
        <testWebResourcesChecksum enabled="true" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
        <publicSigningKey>"Our public signing Key placed here"</publicSigningKey>
        <packageName>ca.company.MobileTest</packageName>
    </security>
</android>

For iOS, the issue was in the applicationId, we thought the applicationId value is the last section of the bundleId,

for example: if the bundleId is "com.company.Myapp" that's mean the applicaiotnId is "Myapp", which is not true.

This is incorrect definition:

<iphone bundleId="ca.company.MobileTestiPhone" applicationId="MobileTestiPhone" securityTest="MobileSecurityTest" version="1.0" >

The applicationId is the value inside the worklight.plist file, which is located inside the iPhone or iPad native folder and this file is generated after doing the build. AND for our appliction it has a totally different value.

The correct one was:

<iphone bundleId="ca.company.MobileTestiPhone" applicationId="MobileTest" securityTest="MobileSecurityTest" version="1.0" >

That's why the app was being blocked from our WL server when we put the App authenticity value to "Enable,Blocking".

Thank you @Idan for your help.

Per the error message, you are missing the Android Package Name (in application-descriptor.xml).

This is the Authenticity tutorial for Hybrid apps for v6.3, but it's the same for 6.2. From the Android instructions:

Take the Application package name value from the package attribute of the manifest node in the AndroidManifest.xml. If you decide to change the value to another, verify that you change it in both locations.You can also directly edit application-descriptor.xml and add a packageName:

<android version="1.0">
        <worklightSettings include="false"/>
        <security>
            <encryptWebResources enabled="false"/>
            <testWebResourcesChecksum enabled="false" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
            <publicSigningKey>MIGff ...</publicSigningKey>
            <packageName>com.MyBankApp</packageName>
        </security>
</android>