Security Additions for Smartphone Mobiliser Services

This procedure is required when upgrading from Mobiliser Platform 5.1 SP01 or earlier. If upgrading from 5.1 SP02, these steps are already included in your installation scripts.

To address some potential security gaps in the current services that are exposed for Sybase® Smartphone Mobiliser, some of the existing services are now protected with a new privilege by default. The standard Smartphone Mobiliser application does not use these services and should not be affected.

In case the project is using any of the services, you can make them available again by adding the privileges to the database. Run the necessary scripts on a case-by-case basis as required. 

     GetCustomerResponse getCustomer(final GetCustomerRequest request);
INSERT INTO MOB_UMGR_PRIVILEGES (ID_PRIVILEGE, STR_PRIVILEGE, ID_CUSTOMER_CREATION)
     VALUES ('WS_SPM_GET_CUSTOMER', 'Allows to call the SPM web service getCustomer', 0);
INSERT INTO MOB_UMGR_ROLE_PRIVILEGES (ID_ROLE, ID_PRIVILEGE, ID_CUSTOMER_CREATION)
     VALUES ('STANDARD_CONSUMER','WS_SPM_GET_CUSTOMER', 0);
-- 
      DeleteCustomerResponse deleteCustomer(DeleteCustomerRequest request);
INSERT INTO MOB_UMGR_PRIVILEGES (ID_PRIVILEGE, STR_PRIVILEGE, ID_CUSTOMER_CREATION)
     VALUES ('WS_SPM_DELETE_CUSTOMER', 'Allows to call the SPM web service deleteCustomer', 0);
INSERT INTO MOB_UMGR_ROLE_PRIVILEGES (ID_ROLE, ID_PRIVILEGE, ID_CUSTOMER_CREATION)
     VALUES ('STANDARD_CONSUMER', 'WS_SPM_DELETE_CUSTOMER', 0);
-- 
     GetCustomerByIdentificationResponse getCustomerByIdentification(
INSERT INTO MOB_UMGR_PRIVILEGES (ID_PRIVILEGE, STR_PRIVILEGE, ID_CUSTOMER_CREATION)
     VALUES ('WS_SPM_GET_CUST_BY_ID', 'Allows to call the SPM web service getCustomerByIdentification', 0);
INSERT INTO MOB_UMGR_ROLE_PRIVILEGES (ID_ROLE, ID_PRIVILEGE, ID_CUSTOMER_CREATION)
     VALUES ('STANDARD_CONSUMER', 'WS_SPM_GET_CUST_BY_ID', 0);
-- 
     PickupMoneyResponse pickupmoney(final PickupMoney request);
INSERT INTO MOB_UMGR_PRIVILEGES (ID_PRIVILEGE, STR_PRIVILEGE, ID_CUSTOMER_CREATION)
     VALUES ('WS_SPM_PICKUP', 'Allows to call the SPM web service pickupmoney', 0);
INSERT INTO MOB_UMGR_ROLE_PRIVILEGES (ID_ROLE, ID_PRIVILEGE, ID_CUSTOMER_CREATION)
     VALUES ('STANDARD_CONSUMER', 'WS_SPM_PICKUP', 0);
-- 
     SetCredentialResponse setCredential(final SetCredentialRequest request);
INSERT INTO MOB_UMGR_PRIVILEGES (ID_PRIVILEGE, STR_PRIVILEGE, ID_CUSTOMER_CREATION)
     VALUES ('WS_SPM_SET_CREDENTIAL', 'Allows to call the SPM web service setCredential', 0);
INSERT INTO MOB_UMGR_ROLE_PRIVILEGES (ID_ROLE, ID_PRIVILEGE, ID_CUSTOMER_CREATION)
     VALUES ('STANDARD_CONSUMER', 'WS_SPM_SET_CREDENTIAL', 0);
-- 
     CreateIdentificationResponse createIdentification(
INSERT INTO MOB_UMGR_PRIVILEGES (ID_PRIVILEGE, STR_PRIVILEGE, ID_CUSTOMER_CREATION)
     VALUES ('WS_SPM_CREATE_IDENT', 'Allows to call the SPM web service createIdentification', 0);
INSERT INTO MOB_UMGR_ROLE_PRIVILEGES (ID_ROLE, ID_PRIVILEGE, ID_CUSTOMER_CREATION)
     VALUES ('STANDARD_CONSUMER', 'WS_SPM_CREATE_IDENT', 0);
-- 
     UpdateIdentificationResponse updateIdentification(
INSERT INTO MOB_UMGR_PRIVILEGES (ID_PRIVILEGE, STR_PRIVILEGE, ID_CUSTOMER_CREATION)
     VALUES ('WS_SPM_UPDATE_IDENT', 'Allows to call the SPM web service updateIdentification', 0);
INSERT INTO MOB_UMGR_ROLE_PRIVILEGES (ID_ROLE, ID_PRIVILEGE, ID_CUSTOMER_CREATION)
     VALUES ('STANDARD_CONSUMER', 'WS_SPM_UPDATE_IDENT', 0);
-- 
     CaptureResponse capture(final Capture request);
INSERT INTO MOB_UMGR_PRIVILEGES (ID_PRIVILEGE, STR_PRIVILEGE, ID_CUSTOMER_CREATION)
     VALUES ('WS_SPM_CAPTURE', 'Allows to call the SPM web service capture', 0);
INSERT INTO MOB_UMGR_ROLE_PRIVILEGES (ID_ROLE, ID_PRIVILEGE, ID_CUSTOMER_CREATION)
     VALUES ('STANDARD_CONSUMER', 'WS_SPM_CAPTURE', 0);
-- 
     UpdateInvoiceConfigurationResponse updateInvoiceConfiguration(
INSERT INTO MOB_UMGR_PRIVILEGES (ID_PRIVILEGE, STR_PRIVILEGE, ID_CUSTOMER_CREATION)
     VALUES ('WS_SPM_UPDATE_INVOICE', 'Allows to call the SPM web service updateInvoiceConfiguration', 0);
INSERT INTO MOB_UMGR_ROLE_PRIVILEGES (ID_ROLE, ID_PRIVILEGE, ID_CUSTOMER_CREATION)
     VALUES ('STANDARD_CONSUMER', 'WS_SPM_UPDATE_INVOICE', 0);
-- 
     DeleteInvoiceConfigurationResponse deleteInvoiceConfiguration(
INSERT INTO MOB_UMGR_PRIVILEGES (ID_PRIVILEGE, STR_PRIVILEGE, ID_CUSTOMER_CREATION)
     VALUES ('WS_SPM_DELETE_INV_CONFIG', 'Allows to call the SPM web service WS_SPM_DELETE_INV_CONFIG', 0);
INSERT INTO MOB_UMGR_ROLE_PRIVILEGES (ID_ROLE, ID_PRIVILEGE, ID_CUSTOMER_CREATION)
     VALUES ('STANDARD_CONSUMER', 'WS_SPM_DELETE_INV_CONFIG', 0);
-- 
     AuthorisationCancelResponse authorisationCancel(
INSERT INTO MOB_UMGR_PRIVILEGES (ID_PRIVILEGE, STR_PRIVILEGE, ID_CUSTOMER_CREATION)
     VALUES ('WS_SPM_AUTH_CANCEL', 'Allows to call the SPM web service authorisationCancel', 0);
INSERT INTO MOB_UMGR_ROLE_PRIVILEGES (ID_ROLE, ID_PRIVILEGE, ID_CUSTOMER_CREATION)
     VALUES ('STANDARD_CONSUMER', 'WS_SPM_AUTH_CANCEL', 0);
-- 
     CaptureCancelResponse captureCancel(final CaptureCancel request);
INSERT INTO MOB_UMGR_PRIVILEGES (ID_PRIVILEGE, STR_PRIVILEGE, ID_CUSTOMER_CREATION)
     VALUES ('WS_SPM_CAPT_CANCEL', 'Allows to call the SPM web service captureCancel', 0);
INSERT INTO MOB_UMGR_ROLE_PRIVILEGES (ID_ROLE, ID_PRIVILEGE, ID_CUSTOMER_CREATION)
     VALUES ('STANDARD_CONSUMER', 'WS_SPM_CAPT_CANCEL', 0);
-- 
     UpdateWalletEntryResponse updateWalletEntry(UpdateWalletEntryRequest request);
INSERT INTO MOB_UMGR_PRIVILEGES (ID_PRIVILEGE, STR_PRIVILEGE, ID_CUSTOMER_CREATION)
     VALUES ('WS_SPM_UPDATE_WALLET', 'Allows to call the SPM web service updateWalletEntry', 0);
INSERT INTO MOB_UMGR_ROLE_PRIVILEGES (ID_ROLE, ID_PRIVILEGE, ID_CUSTOMER_CREATION)
     VALUES ('STANDARD_CONSUMER', 'WS_SPM_UPDATE_WALLET', 0);
--

Some services in Smartphone Mobiliser overwrite fields with default data to prevent a hacker from creating unwanted (privileged) accounts in Mobiliser Platform. You can overwrite the default values in the Preferences configuration. Be sure to understand this behavior to determine if the default values are acceptable in your configuration.

The following fields get overwritten inside the smartphone endpoint: 
updateCustomer Service
customer.customerTypeId = defaultCustomerType
customer.feeSetId = defaultFeeSetId
customer.feeVatPercentage = null
customer.limitSetId = defaultLimitSetId
customer.riskCategoryId = defaultRiskCategoryId

createFullCustomer Service
customer.customerTypeId = defaultCustomerType
customer.feeSetId = defaultFeeSetId
customer.feeVatPercentage = null
customer.limitSetId = defaultLimitSetId
customer.riskCategoryId = defaultRiskCategoryId

createWalletEntry Service
walletEntry.limitSetId = null
The default values are set for the keys in Preferences in the node: com.sybase365.mobiliser.money.services.smartphone.SmartphoneEndpoint.
defaultCustomerType (default="2")
defaultFeeSetId (default=null)
defaultLimitSetId (default=null)
defaultRiskCategoryId (default=null)
Parent topic: Known Issues for Installation and Upgrade