Behavior change for secured APIs
09-Feb-2021
An upcoming behavior change to the security defaults in Here Core 20 release, targeted for June 2021, may require changes to your configuration.
With targeted release Here Core 20, we are further tightening our API security stance by changing from a “default allow” paired with a block list to a “default prevent” coupled with an allow list. Any Application using a Secured API need to be allowed in order to use the API. If an application attempts to use a secure API and that usage has not been allowed, the callback for the API returns an error.
Why is Here™ making this change?
Security is our top priority for both application providers and desktop owners. We work closely with IT security teams to ensure Here™ meets rigorous security standards. Through these collaborations we’ve collectively agreed to address a migration path for Here Core APIs with a higher security profile.
Our continued commitment to a security-first environment
Here™ introduced its initial layer of API security in Here Core 12, requiring application providers to declare usage of a secured API via its application manifest.
The upfront affirmation assisted desktop owners by informing them of an application’s intent to use a secured API.
Additionally, desktop owners have the ability to disable an application’s usage of an API via a permissions configuration in their DOS file.
In Here Core 16, we tightened API security by adding sensitive web APIs to our secured API designation (audio, video, geolocation, etc.) and requiring applications to declare intent to use a sensitive web API in their application manifest as well as providing desktop owners the ability to manage an application’s usage of these APIs.
Here COre 20 is the next step in enhancing application security.
Who is affected?
Application providers who upgrade to Here Core 20 and leverage one or more of the secured APIs (for example, launchExternalProcess).
My application is dependent on a secured API. What do I need to do?
Application providers wishing to upgrade to Here 20 and leveraging a secure API have the following options:
Desktop owner settings management
- Desktop owners can manage a Here DOS file to enable secured API usage. See desktop owner settings for further details.
End-user click-through
- In the event a DOS file has not been established, Here Core prompts the application end-user for authorization to use the secured API (similar to the “Ask before accessing” option in Chrome’s privacy and security settings).
Additional details on the specific changes in the desktop owner secured API will be provided prior to the release.
When is enhanced security being implemented?
Here Core 20, June 2021
Can applications continue to use secured APIs on older Here Core versions?
Yes. Secured APIs will continue to work in Here Core versions 19 and older until we have the larger Here™ community ready to turn on backwards enforcement. You still need to declare secured API usage in your application manifest, and desktop owners will continue to have the ability to prevent usage if they so choose by disabling those APIs across their desktops.
Please be advised that security features, enhancements and bug fixes from the Chromium, Electron, and Here™ teams will be applied to future versions of Here Core.