Updating the BlackBerry Dynamics application policy file

During the Play Integrity attestation process, BlackBerry UEM uses the app response to verify that it is communicating with the official version of the app. You must provide this information in the application policy file.
To configure Play Integrity, you need to provide a Play App signing key. You have two options: you can use the Google Play generated app signing key or upload your own private app signing key. For information on finding your app signing keys in your Google Play Console, see Prerequisites for Play Integrity attestation. The digest hash in your application policy file must correspond to your Play app signing key in your
Consider the following example from the Greetings Client sample app in the BlackBerry Dynamics SDK:
<?xml version="1.0" encoding="utf-8"?>
<apd:AppPolicyDefinition xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xmlns:apd="urn:AppPolicySchema1.good.com"
                         xsi:schemaLocation="urn:AppPolicySchema1.good.com AppPolicySchema.xsd" >
  <pview>
    <pview>
      <sendto client="None" />
      <desc>Play Integrity Attestation Supported</desc>
      <pe ref="apkCertificateDigestSha256"/>
      <pe ref="apkPackageName" />
      <pe ref="Description" />
    </pview>
  </pview>
  <setting name="apkCertificateDigestSha256">
    <hidden>
      <key>blackberry.appMetadata.android.apkCertificateDigestSha256</key>
      <value>DD:83:CA:47:09:FA:C5:33:75:FE:F4:A1:B5:FB:F4:A8:E8:C2:7A:DF:AF:24:0D:7B:E3:BA:BD:FB:A9:2B:F9:D6</value>
    </hidden>
  </setting>
  <setting name="apkPackageName">
    <hidden>
      <key>blackberry.appMetadata.android.apkPackageName</key>
      <value>com.good.gd.example.services.greetings.client</value>
    </hidden>
  </setting>
  <setting name="Description" >
    <text>
      <key>snet</key>
      <label>Play Integrity</label>
      <value>Play Integrity</value>
    </text>
  </setting>
</apd:AppPolicyDefinition>
The app is uniquely identified by the combination of the official package name (in the example above, the value of blackberry.appMetadata.android.apkPackageName) and the SHA-256 digest of the official signing certificate (in the example above, the value of blackberry.appMetadata.android.apkCertificateDigestSha256). If the app is not publicly listed in the Google Play Store, you can extract the certificate digest using keytool. To determine the digest hash, run the following keytool command, specifying the keystore and key alias that were used to sign the app:
keytool -list -v -keystore <KEYSTORE_NAME> -alias <KEY_NAME>
This command will provide a response like the following:
Creation date: 4-Sep-2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate:
Owner: CN=Sample
Issuer: CN=Sample
Serial number: 27c738c9
Valid from: Tue Sep 04 08:28:10 BST 2018 until: Wed Aug 22 08:28:10 BST 2068
Certificate fingerprints:
         MD5:  4C:30:85:93:5E:96:12:90:CF:A0:77:48:A5:CA:63:8F
         SHA1: 3C:52:A0:2A:76:63:15:C9:20:C1:06:D9:4D:75:7C:14:D6:7C:30:BC
         SHA256: DD:83:CA:47:09:FA:C5:33:75:FE:F4:A1:B5:FB:F4:A8:E8:C2:7A:DF:AF:24:0D:7B:E3:BA:BD:FB:A9:2B:F9:D6
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
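Because UEM checks the format of the package name and digest before the file is accepted, it is useful to validate the policy file locally and, when the signing certificate is at hand, confirm that its SHA-256 fingerprint (in the colon-separated form keytool prints) matches the digest in the file. The following script is an added example, not part of the BlackBerry Dynamics SDK; the embedded policy XML is a constructed sample modelled on the Greetings Client file above, and the certificate bytes passed to the check are a placeholder rather than a real DER certificate.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample policy; the digest is wrapped on purpose to show normalization.
SAMPLE_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<apd:AppPolicyDefinition xmlns:apd="urn:AppPolicySchema1.good.com">
  <setting name="apkCertificateDigestSha256"><hidden>
    <key>blackberry.appMetadata.android.apkCertificateDigestSha256</key>
    <value>DD:83:CA:47:09:FA:C5:33:75:FE:F4:A1:B5:FB:F4:A8:E8:C2:7A:DF:AF:24:
0D:7B:E3:BA:BD:FB:A9:2B:F9:D6</value>
  </hidden></setting>
  <setting name="apkPackageName"><hidden>
    <key>blackberry.appMetadata.android.apkPackageName</key>
    <value>com.good.gd.example.services.greetings.client</value>
  </hidden></setting>
</apd:AppPolicyDefinition>"""

DIGEST_KEY = "blackberry.appMetadata.android.apkCertificateDigestSha256"
PACKAGE_KEY = "blackberry.appMetadata.android.apkPackageName"
DIGEST_RE = re.compile(r"^([0-9A-F]{2}:){31}[0-9A-F]{2}$")  # keytool SHA256 layout
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def read_hidden_settings(policy_xml):
    """Map each <hidden> setting's <key> to its <value>, whitespace removed."""
    settings = {}
    for hidden in ET.fromstring(policy_xml).iter("hidden"):
        # A digest wrapped over several lines must be joined before comparing.
        settings[hidden.findtext("key")] = "".join((hidden.findtext("value") or "").split())
    return settings


def keytool_sha256(cert_der):
    """SHA-256 fingerprint of a DER certificate in keytool's colon-separated form."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(cert_der).digest())


def check_policy(policy_xml, cert_der=None):
    """Return problems found in the attestation settings; an empty list means OK."""
    s = read_hidden_settings(policy_xml)
    digest, package = s.get(DIGEST_KEY, ""), s.get(PACKAGE_KEY, "")
    problems = []
    if not DIGEST_RE.match(digest):
        problems.append("digest is not 32 colon-separated uppercase hex bytes")
    if not PACKAGE_RE.match(package):
        problems.append("package name is not a valid Android package name")
    if cert_der is not None and keytool_sha256(cert_der) != digest:
        problems.append("digest does not match the supplied signing certificate")
    return problems
```

Pass the DER bytes of the signing certificate exported from your keystore as `cert_der` to cross-check the digest; without it, only the format of both values is checked.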
After you update the application policy file, coordinate with the BlackBerry UEM administrator to upload the app to UEM (see Deploying your BlackBerry Dynamics app) and to upload the application policy file in the management console (see Manage settings for a BlackBerry Dynamics app in the UEM Administration Guide). Before the administrator uploads the application policy file, verify that the Android app package ID has been specified or that the app source file has been uploaded; both settings are configured in the app entitlement settings (Android tab) in the management console.

UEM validates the format of the input package name and digest hash. If you update the application policy file and upload the app again, it can take up to 24 hours for the change to synchronize to all UEM instances. When the app is uploaded again, it is removed from the current list of apps that are enabled for attestation and must be added again.