Trusted Authenticator Registration
Trusted Authenticator Registration Process
BlackBerry Dynamics applications which provide authentication services to other applications, using the authentication delegation mechanism, hold a privileged position within the BD ecosystem. To provide increased assurance for users of such applications, BlackBerry requires that all Trusted Authenticator applications - any BD app which uses the TA API directly or via the Digital Authentication Framework SDK - complete a registration process which includes a design and security review. This process must be completed in order to publish TA applications to the BlackBerry Marketplace.
TA Application development process summary
Developing a Trusted Authenticator application for BlackBerry Dynamics involves the following major steps:
1. Gaining access to resources
Before creating a Trusted Authenticator application, a developer will need to:
- Create an account on the BlackBerry Developer portal; this will require signing up to the BD software license agreement. You should be assigned a contact name and email address for BlackBerry Partner support.
- Request access to the Trusted Authenticator & Digital Authentication Framework (TA-DAF) space. A request should include:
- One or more account names for individuals to be given access.
- An Internet domain name or names which will be used for the application identifiers. BlackBerry will need to able to confirm that the organization owning these domain names matches the associated account names.
- Download the DAF SDK and browse the documentation. Copies of the documentation are available online in the TA-DAF space (see Trusted Authentication Framework application developers), and offline within the SDK.
2. Developing a prototype application
It is strongly recommended that new Trusted Authenticator applications are based around examples from the DAF SDK, and not written directly to the TA API itself. This will simplify migration to future versions of the BD SDK, and will assist the review process.
It is also strongly recommended that you first become familiar with simple examples from the BD SDK. You will need to have an installation of the Good Control and Good Proxy servers available to test against.
DAF SDK examples have application identifiers beginning with com.good.example.daf. You will be able to copy and modify these applications to produce a prototype authenticator application. The example applications will be recognized by the Good Control server and can be rolled out freely for testing within an organization. However, note that:
- You will not be able to publish your application to others via the BlackBerry Marketplace unless you change the application identifier; com.good.* applications cannot be published by organizations other than BlackBerry.
- You will not be able to create applications using different application identifiers until you have completed the registration process.
So, you should proceed to the next stage as soon as you are ready to begin developing a production-quality TA application.
3. Obtaining a TA registration certificate
Developers receive a TA Registration Certificate for their application when they have completed a review process. The certificate is embedded in the application and checked by the BD runtime; the runtime will forbid access to the TA API if a certificate is not found which matches the application identifier.
To start the registration, you will need to make an email request to firstname.lastname@example.org. We will need the following information:
- A copy of the Info.plist (for iOS) or settings.json and AndroidManifest.xml (for Android) files. These should contain the correct native application ID and GD application ID for the released version of the application; the registration certificate will be tied to these values.
- A design overview document. This should include:
- Which DAF class (class 0, class 1, etc) the authentication provider is.
- A description of how the key material used as an authentication secret is produced. This should clearly identify any intermediate cryptographic keys or 'critical security parameters' and how they are used and stored.
- Details of how any passwords or PINs requested from the user are stored and verified.
Typically the design document can be one or two pages of diagrams, with explanatory notes. The aim is to provide a high-level architectural review, and to be able to understand the security properties of the solution as a whole. Proprietary authentication technologies (e.g. biometrics) can usually be treated as a 'black box', and internal algorithmic details are not essential. We are not expecting to perform any source code review.
When the design has been accepted BlackBerry will issue a TA registration certificate. This will need to be embedded into the application source code - for the details of this, see TA Registration Certificate instructions.
4. Prior to publication
When the application reaches the release stage, to complete publication on the BlackBerry Marketplace it will be necessary to complete a final test and review process, including a Veracode scan or similar. This is the same as is applied to other BlackBerry applications.