Behavior change for secured APIs in Here Core 24

31-Jan-2022

We are informing you of a behavior change to the Secured API defaults in our upcoming Here Core 24 release, targeted for February 2022.

With the targeted Here Core 24 release, Here™ is further tightening our API security stance by requiring application providers that use Here Core 24 and a secured API to also have RVM 6.5, or newer, on the end-user’s desktop. If an application attempts to use a secured API in Here Core 24 and an RVM older than 6.5 is on the machine, the attempt will fail. Similarly, if a Here Core Runtime is used directly without an RVM present, secured APIs will not be available.

Why is Here™ making this change?

Security is our top priority for both application providers and desktop owners. We work closely with IT Security teams to ensure OpenFin meets rigorous security standards. Through these collaborations we’ve collectively agreed to address a migration path for Here Core APIs with a higher security profile.

Our continued commitment to a security-first environment

At the direction of our customers' security teams, Here™ first introduced API security in July 2019 with Here Core 12. With Here Core 16 (May ‘20), and then again Here Core 20 (June ‘21), we further tightened controls around secured APIs while giving customers an opportunity to plan and adapt to these changes.

Here Core 24 is the next step in ensuring applications are "secure by default."

Who is impacted?

Application providers who upgrade to Here Core 24 and leverage one or more of the secured APIs (for example, video, audio, launchExternalProcess).

My application is dependent on a secured API, what do I need to do?

Application providers wishing to upgrade to Here Core 20+ (including Here Core 24) and leveraging a secured API continue to have the following options for their applications to access secured APIs:

Desktop owner settings management

Desktop owners can manage a desktop owner settings (DOS) file to enable Secured API.

End-user click-through

In the event a DOS file has not been established, Here Core prompts the application end-user for authorization to use the secured API (similar to the “Ask before accessing” option in Chrome’s privacy and security settings).

Additionally, Here Core 24+ will require that RVM 6.5+ is also present on the desktop when an application requests to use a secured API.

When are these changes being implemented?

Here Core 24, March 2022

Can applications continue to use secured APIs on older Here Core versions?

Yes. Secured APIs will continue to work in Here Core versions 19 and older until we have the larger Here™ community ready to turn on backwards enforcement. You still need to declare secured API usage in your application manifest, and desktop owners will continue to have the ability to prevent usage if they so choose by disabling those APIs across their desktops.

Please be advised that security features, enhancements and bug fixes from the Chromium, Electron, and Here™ teams will be applied to future versions of Here Core.