1 KOBIL Brief and Philosophy
1.1 KOBIL Company
KOBIL is one of the most innovative developers of secure App Platforms Solutions bringing 12 years of mobile banking and health app security know-how. Historically KOBIL comes from the high security field (Trust center/smartcard development) field, having experiences in qualified signatures, common criteria, GDPR, secure banking, secure health data. In these field KOBIL has developed a unique skillset that manages security as well as useability.
1.2 KOBILs experience and references
KOBIL has over 30 years security development experience in countless projects all over the world. Please find a subset of our references here: https://www.kobil.com/en/our-cases.html
1.3 KOBIL Philosophy
From KOBILs long standing experience in (high) security and customers projects KOBIL believes that good solutions have two cornerstones:
- Security has to be highly userfriendly and therefore useable.
- Security has to have a holistic approach.
Based on this approach KOBIL offers 3 levels of integration of its Shift solution each using the previous as starting point:
- Application Shielding, Strong Customer Authentication (SCA) and Authorisation via digital signatures
- Secure Identity Managenment
- Secure Ecosystem/SuperApp (currently not covered in the API documentation)
2 KOBIL Shift
2.2 Architecture and Components
The KOBIL Shift solution provides
-
a standardized interface for authentications (OIDC) and authorisations via apps
-
app security
- RASP (Runtime application self-protection)
- Integrity protection
- version management
- device risk policies
It consist of the components
- KOBIL IDP (identity provider)
- KOBIL AST Services (PSD2 certified 2FA authentication and security control server)
- KOBIL App MC SDK (app hardening and client component of the PSD2 certified 2FA)
- KOBIL/Portal Services (Support Console)
Solution Architecture
KOBIL IDP Services is a platform to allow Single Sign On (SSO) with Identity and Access Management (IDP) aimed at modern applications and services. You will be able to add Multi-Factor Authentication (MFA) solutions to applications and secure services using standard SSO protocols. There is no need to deal with storing users or authenticating users. It is all available out of the box through KOBIL IDP. You will get advanced integration features such as Identity Provisioning via industry standard protocols and Intelligent Authentication via KOBIL specific authentication methods.
The main functionalities are:
- User management
- Management of registration/de-registration processes
- 2FA device management
- Authentication (1FA/2FA)
- Authorisation (2FA)
KOBIL AST Services is the control and security server for all KOBIL authentication clients. The KOBIL product portfolio covers a wide range of security solutions, from One-Time Password (OTP) solutions to the cutting-edge technology in Two-Factor Authentication (2FA). You will be able to manage all authentication token, may they be app or hardware based through a central management system, without exposing any of your business logic and data to security risks.
The main features of AST Services are:
- PSD2 certified security and control server for all KOBIL clients/token
- Device management
- App management
- Certificate Management with internal Public Key Infrastructure (PKI) and Certification Authority (CA)
KOBIL Portal provides an easy to use support interface for user and device managent.
KOBIL SCP Notifier is the solutions pushnotification sender (for iOS/Android) apps.
KOBIL MC SDK: The Software Development Kit (SDK) is a mobile device software platform that provides developers of Android and iOS mobile apps with a secure execution environment (RASP) and device binding. Various mechanisms are implemented in the SDK to ensure the integrity of the code to be executed. This includes a specially secured sub-environment "Virtual Smart Card" (vSC), which is secured with the help of the KOBIL Shift backend. Before activation takes place, the AST Services evaluates the data from several security sensors provided by the SDK. This allows the AST Services to verify the health and device binding of the app.
2.2 Integration Options
KOBIL offers two integrations options for our customers which are not mutually exclusive but mainly differ in the respective project efforts and the feature scope available:
- Integration with predefined onboarding and login flows
- Dynamic integration via custom onboarding and login flows
2.2.1 Predefined onboarding, login and authorisation flows
There are [predefined] flows for the following use cases:
- App Shielding (including RASP, Server Sided Integrity Check)
- 2FA Onboarding
- 2FA Mobile Login
- 2FA Browser Login
- 2FA Authorisation
Use Case | Predefined Flows |
---|---|
App Shielding | Activate Runtime Application Self-Protection (RASP) Integrity check against KOBIL Shift backend - Add a version to the KOBIL Shift backend system - Register your app against the KOBIL Shift backend - Validate your app against the registered version |
2FA Onboarding | Create an user id (or LDAP import) + activation code at the KOBIL Shift backend Enter user id + activation code and desired password in the app during activation |
2FA Mobile Login | Login using userid + password/biometry into the KOBIL Shift backend Change password |
2FA Browser Login | Trigger a confirmation by a mobile application via a REST call against the KOBIL Shift backend Confirm the confirmation request via digital signature in the mobile application (after 2FA SCA) |
2FA Authorisation | Trigger a confirmation by a mobile application via a REST call against the KOBIL Shift backend Confirm the confirmation request via digital signature in the mobile application (after 2FA SCA) |
For easier handling all mobile flows are available as a native mobile SDK integration clearly separating the presentation layer and the security layer.
The predefined flows can on a project basis be extended to a dynamic integration.
Typical integration project flow is affected by usage of KOBIL SaaS or not:
Item | Content |
---|---|
Integration Workshop | Presentation of the KOBIL Shift solution - KOBIL Shift backend - KOBIL MC SDK - KOBIL IDP SDK Presentation of the available predefined flows |
Preparation of the environmental requirements (not required for SaaS) | Setup of the required components for installation of the KOBIL Shift Backend |
Installation of KOBIL Shift Backend (not required for SaaS) | Installation of the KOBIL Shift backend components for app integration by your DevOPS team with the consulting from KOBIL |
Integration of the KOBIL SDKs into your mobile app | Implementation of the KOBIL MC SDK and IDP SDK for predefined flows. |
Pre-live staging | Integration tests |
Go-live | - |
For backend installation and SDK integration please see the installation and API documentation.
2.2.2 Dynamic integration
In the dynamic integration the mentioned flows can be defined as you decide. The presentation to the customer is implemented by using the KOBIL IDPs web interface which can be branded or customized to fullfill your requirements.
A dynamic integration project has in addition to the pure deployment and integration steps of a project with predefined workflows several design steps
Item | Content |
---|---|
Integration Workshop | Presentation of the KOBIL Shift solution - KOBIL Shift Backend - KOBIL MC SDK - KOBIL IDP SDK Presentation of the available predefined flows |
(UX) design | Joint design of required flows Implementation of UX designs (if KOBIL IDP flows shall be visible directly in a browser/webview) Setup of a change board to manage changes coming during the project phase |
Preparation of the environmental requirements (not required for SaaS) | Setup of the required components for installation of the KOBIL Shift |
Installation of the KOBIL Shift backend (not required for SaaS) | Installation of the KOBIL Shift backend components for app integration by your DevOps team with the consulting from KOBIL |
Integration of the KOBIL SDKs into your mobile app | Implementation of the KOBIL MC SDK and IDP SDK for predefined flows. |
Pre-live staging | Integration tests |
Go-live | - |
The following is a list of features and integrations KOBIL has in addition to the ones available in the predefined flow section implemented with customers during dynamic integration projects:
Category | Features | Description | Predefined onboarding and login flows | Dynamic integration |
---|---|---|---|---|
Design | Custom Web Design | Customer specific web designs and flows for browser or mobile webview. This is normally done when the IDP is being used by end users via a browser for classic OIDC based authentication. The same applies to webviews used by apps. | X | |
Registration | User data import/interaction | Besides integrating your enrollment system using the KOBIL REST APIs of the IDP to create/delete a user, user data can reside in an external LDAPv3 (RFC 2251) compatible directory service like (e.g. MS AD) | X | |
User data import/interaction | Import/Sync of current user data from other systems has been implemented in the past during various projects. These implementations depending on project also included data updates using data the customer uses during the registration process. | X | ||
KOBIL Consent Manager | KOBIL has developed a Consent Manager to manage and enforce different types and versions of customer consents (e.g. terms and conditions). It can be adapted during projects to fullfill individual needs. | X | ||
Custom Consent Manager | KOBIL has during projects also integrated our customers existing consent managent systems. | X | ||
Email Gateway | As a part of an initial onboarding or step-up process KOBILSending of verification code to the end-customer to verify his email. Clicking on the code completes the verification process. | X | ||
SMS (OTP) Gateway | Sending of verification code to the end-customer to verify his phone number with other gateway. Mostly used as part of an initial identification or as step-up from an existing 1FA (e.g. password only) authentication. Previous gateway examples: Twilio | X | ||
Print Activation Letters | Sending of activation code to be printed by your systems to be send to the end-customer. Primarily used during initial onboarding. Target of the message including the activation does not necessarily have to be a print street system but can also be a generic end point on your side. | X | ||
Video Ident Provider | To be able to real-time authenticate new users, VideoIdent systems can be used. They can be integrated into initial onboarding or step-up flows. Previous examples: idNow and NECT | X | ||
Authentication | 2FA native Mobile Login | Mobile Authentication w. Password/Biometry + KOBIL Device Binding and token based login to backend ressources. Guarded by KOBIL App Shielding Technology by KOBIL MC SDK based app: completed the onboarding flow, 2 factor authentication, up and running RASP, integrity check and device risk analysis. This option allows for a complete native mobile login integration without using the webview based flow. Predefined flows allow for maximum efficiency in integration. | X | |
2FA for Browser Login | Confirmation signature via app based authentication. Triggered via REST API from your login portal. the signature request including the details is send by KOBIL AST Security Services to a logged in app. Confirmation signature can only be presented and completed in a KOBIL MC SDK based app after completing the onboarding flow, 2 factor authentication, up and running RASP, integrity check and device risk analysis. To notify the user about pending signature requests a pushnotification is send to the user's registered devices. | X | ||
Custom webflow based OIDC Authentication (2FA) for Mobile Login | Authentication w. Username/Password/Device via OIDC triggered 2FA (implicit, code flow, hybrid). Guarded by KOBIL App Shielding Technology by KOBIL MC SDK based app: completed the onboarding flow, 2 factor authentication, up and running RASP, integrity check and device risk analysis. | X | ||
Custom webflow based OIDC Authentication (2FA) for Browser Login/Webview Login | Authentication w. Username/Password/Device via OIDC triggered: Confirmation signature based authentication or QR based autentication. Guarded by KOBIL App Shielding Technology by KOBIL MC SDK based app: completed the onboarding flow, 2 factor authentication, up and running RASP, integrity check and device risk analysis. | X | ||
Authentication step up | Can be achieved with any of the mentioned regristration techniques (see registration) or newly defined during the project: SMS (OTP) Gateway or Video Ident Provider. Guarded by KOBIL App Shielding Technology by KOBIL MC SDK based app: completed the onboarding flow, 2 factor authentication, up and running RASP, integrity check and device risk analysis. | X | ||
Authentication via SAML | SAML can also be used alternatively to OIDC on a project basis. | X | ||
Authorisation | Confirmation/Transaction Signature | Transaction/confirmation signature initiation and processing. Triggered via REST API from your login portal. the signature request including the details is send by KOBIL AST Security Services to a logged in app. Confirmation signature can only be presented and completed in a KOBIL MC SDK based app after completing the onboarding flow, 2 factor authentication, up and running RASP, integrity check and device risk analysis. To notify the user about pending signature requests a pushnotification is send to the user's registered devices. | X | |
Identity Management | KOBIL Portal | KOBIL Shift Portal can be used to manage all end users and their devices. It is being used by support agents and administrators.Features include: App version management covering creation/locking/deletion of new app versions and configuration of forced update User management covering user creation/locking/deletion etc..., user audit trail for support purposes, user device overview. The Device management covering device locking/deletion etc... and device audit trail for support purposes | X | |
KOBIL Portal APIs | The functionality implemented by KOBIL portal can also be implemented into other customer management systems via the existing REST APIs. | X | ||
End User Self Service | Self services covering Change Password | X | ||
Change Username, Change Email, Change Mobile Phone Number (if applicable), Other personal data changes | X | |||
End User Recovery Service | Recovery method: Forgot Password (via new userid/activation code) | |||
End User Recovery Self Service | The following recovery self services flows have been implemented for customers in the past: Forgot Password, Forgot Username, Unlock Username, Deleted App (Devicebinding lost), Lost Phone Hardware (Get new SIM card with same number), New Phone Number (Prepaid card, New number), Lost Email Access, Did not receive letter, Contact Help Desk via Callcenter, Contact Help Desk via Email | X | ||
Security | HSM Support | KOBIL offers HSM/Keymanagement for OIDC token signature for additional security. Amazon HSM, IBM Keyprotect, PKCS 11 Compatible HSM | X | |
Policies | Device Policies | KOBIL device risk based authentication and authorisation policies. Allows restriction of registration/login based on device security issues e.g.: Jailbreak, Detection of known attack frameworks (EXposed, Magisk...), Custom Android versions (ROMs), Emulators | X | |
User Policies | User profile based authorisation and authentication policies based on the data avaible to the IDP or via external interfaces | X | ||
Support | KOBIL Portal | Web unterface for direct usage by support agents (1st/2nd level) | X |
2.3 App SDK Features
The following features are available out of the box:
Features | MC SDK for Mobile Native Apps | White Label Apps |
---|---|---|
App Security (RASP, Integrity check, Anti-Jailbreak and device risks) | X | X |
Device Binding | X | X |
Confirmation/Transaction Signature | X | X |
Offline Authentication (via OTP) | X | N/A |
Force Update Mechanism | X | X |
GettingStarted Apps | X | N/A |
Online Documentation | X | N/A |
2.4 System requirements:
2.4.1 Backend Component Requirements
Environment (Version numbers as of date: 1.7.2023) Please always check for current KOBIL Shift chart README covering most current details.
- Kubernetes version 1.24+.
- Helm version 3.10.
- Postgres version 13 for all services except SCP. Note: scram-sha-256 password hashing is NOT supported.
- Redis 6.2.
- Istio. Currently tested with v0.13.3.
- Strimzi Kafka Operator with support for Kafka 3.0.0 (0.26.0 - 0.29.0). Currently tested with v0.27.0.
- ElasticSearch 8.0
(Supported versions numbers will change over time. For currently supported version numbers see README.)
2.4.2 Requirements for App SDK
2.4.2.1 Requirements Android
Requirements for current version (Version numbers as of date: 2023-11-25)
CPU: ARMv7a, ARMv8; Intel x86 (Supported only for internal debugging and testing purposes on an emulator) Operating system: Android Android v9 [until 2024-04-04], v10, v11, v12, v13, v14
(Supported versions numbers will change over time. For currently supported version numbers see the respective component readme.)
2.4.2.2 Requirements iOS
Requirements for current version (Version numbers as of date: 2023-11-25)
Operating system: iOS v15 [until 2024-03-18], v16, v17
Note: The SDK does not support App-Thinning. To prevent error messages it is necessary to change the Build-Setting flag 'Enable Bitcode' to 'No'. This blocks the reduction of the binary codes, not the reduction of the GUI resources
(Supported versions numbers will change over time. For currently supported version numbers see the respective component readme.)