topic Re: Security of Mobile OneAgent and beacon endpoint in Real User Monitoring

Security of Mobile OneAgent and beacon endpoint

benjamin-st_lai — Wed, 20 May 2020 13:50:22 GMT

Hi all,

I am currently evaluating the security of the Mobile OneAgent (for Mobile Application Monitoring) and the beacon for my company, and here are what I understand so far:

I can configure the beacon endpoint per mobile application being monitored (Application -> [MyApp] -> Mobile App Settings -> Instrumentation Settings.
For beacon endpoint can either be a Cluster ActiveGate (for SaaS deployment it is automatically generated) or a custom endpoint that as specific technologies and has OneAgent instrumentation. The custom endpoint must have the path "/mbeacon" (reference).
In Android you may configure security settings when communicating with the OneAgent (link) - such as custom certificates, certificate validation, certification pinning and custom authentication headers.
For iOS OneAgent you can also configure similar security settings (link), but it appears that injection of custom headers is not available.

My company is concerned that an malicious party may decompile the mobile app and extract the application id and beacon endpoint for future attacks. Thus I have the following questions:

Is it possible to inject custom headers in the iOS OneAgent so we get feature parity with the Android?
How can we secure the beacon endpoint so it will only accept requests from "known" or "authenticated" clients? Will it require bespoke implementation on the customer side to enable?

Thank you in advance.

Re: Security of Mobile OneAgent and beacon endpoint

Patrick_H — Wed, 20 May 2020 14:30:00 GMT

custom beacon endpoint changed to /dtmb instead of /mbeacon for compatibility reasons when running an agent on an AG host (documentation update in progress)

setting custom header on iOS is also possible - it was brought to our attention that this is missing from the documentation some days ago and a documentation update also is in progress. To check how that API to add beacon headers and listen for communication problems looks like please take a look at the header file shipped with the iOS agent Dynatrace.h:

/*!
 @brief Sets a dictionary of custom headers to be included in all OneAgent data transmissions.
 
 The Dynatrace OneAgent sends data to the server via HTTP or HTTPS. If your infrastructure requires
 custom headers to be added to HTTP requests in order for them to pass you can use this method to provide
 them. This method needs to be called as early as possible to ensure that the headers are available for the first communication with the server.
 It can be called again later to change or to remove the headers.

 @param beaconHeaders The headers dictionary. Pass nil to remove all headers from future requests.
 The headers will be inspected for invalid or not allowed values.
     Limitations:
     - max number of headers: 10
     - max header len: 4096 bytes
     - max total size: 8192 bytes
 
 @return YES if the headers where successfully set, NO otherwise.
 */
+ (BOOL)setBeaconHeaders:(NULLABLE NSDictionary*)beaconHeaders;

/**
 @return the dictionary of custom headers that was set with setBeaconHeaders: method
 */
+ (NULLABLE NSDictionary*)beaconHeaders;

/**
 In order to receive notifications about the network errors occurred in the agent
 subscribe to the notification center using this as name.
 
 e.g.: [[NSNotificationCenter defaultCenter] addObserverForName:[Dynatrace getCommunicationProblemNotificationName] ... ];
 */
+ (NONNULL NSString *)getCommunicationProblemNotificationName;

Re: Security of Mobile OneAgent and beacon endpoint

Thomas_Wirth1 — Wed, 20 May 2020 14:32:58 GMT

Hi Benjamin,

1. Is it possible to inject custom headers in the iOS OneAgent so we get feature parity with the Android?

This feature is also available for iOS. Unfortunately the documentation for this feature is missing in the Dynatrace documentation. Currently the feature is only described in the AppMon documentation. We will ensure that this documentation segment is also added to the Dynatrace pages.

How can we secure the beacon endpoint so it will only accept requests from "known" or "authenticated" clients? Will it require bespoke implementation on the customer side to enable?

Yes, you need a customer side implementation. Currently Dynatrace does not offer this feature. You would have to implement your own solution for verifying the data source and adjust OneAgent accodingly to your solution.

Re: Security of Mobile OneAgent and beacon endpoint

Patrick_H — Wed, 20 May 2020 14:47:48 GMT

a short usage example in Swift:

//set headers onto beacon
Dynatrace.setBeaconHeaders(["X-MyHeader1" : "true", "someOtherHeader" : "aa-bb-cc-dd"])
//request the headers that have been set
let headers: Dictionary? = Dynatrace.beaconHeaders()
//listen for communication problems (e.g. if beacon heder contains a token that can expire required to pass a firewall)
NotificationCenter.default.addObserver(forName: NSNotification.Name(rawValue: Dynatrace.getCommunicationProblemNotificationName()), object: nil, queue: nil) { _ in
    //e.g. update beacon header with new token
}

Re: Security of Mobile OneAgent and beacon endpoint

benjamin-st_lai — Wed, 20 May 2020 14:59:03 GMT

As an follow on question: is the custom headers feature available for React Native mobile apps?

Re: Security of Mobile OneAgent and beacon endpoint

Thomas_Wirth1 — Wed, 20 May 2020 15:47:52 GMT

The API methods are currently not exposed and therefore not usable in the ReactNative components of your app. The feature is accessible in the native components of the app.

Re: Security of Mobile OneAgent and beacon endpoint

Fabien — Wed, 17 Aug 2022 14:27:07 GMT

Hi Thomas,

I am bumping on the authentication of the flow between the mobile and our activegate beacon. You mentioned it's up to the client to implement it's own authentication mechanism. Do you have some example? basic authen (user/pwd), certificate, OAuth2/OIDC access token, other? Do you have some client experimentation feedback?

Looking forward hearing from you