Preparation checklist for the App Store certification test

In this article

    "My app is ready, what should I consider before I ask for a certification test?"

    Before you complete the form to start the certification process, please consider the things we will test for:

    1. Security
    2. Provisioning
    3. Handle potential errors
    4. Protect your web panels
    5. Cookies
    6. Limit your searches
    7. System user and important rules
    8. GDPR - creating persons
    9. GDPR - e-marketing consents
    10. Language support
    11. Logging
    12. Maintenance windows
    13. Tenant status

    Please note that this is a living document, last updated January 8th 2019.

    1. Security

    During the certification tests we will check your site and all URLs that are used for callbacks or added as a web panel during provisioning. Run these through the Qualys SSL Labs SSL Server Test and aim for an A grade.

    • We will not accept any sites where SSL2 or SSL3 is supported.
    • You must support TLS 1.2.

    Also, make sure you validate all data on input and escape it on output. Our test database has security test records in both names and list items, so your app may get back something like  "><img src=x onerror=alert(100)>  or  {{ {Name: '<Script>Alert(Document.Cookie)</Script>'} }} , and a user may type the same into any of your input boxes. If you do not handle this securely it is seen as a red flag and you will not be published in our app store.
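The two sample values above illustrate two different output contexts: the first breaks out of an HTML attribute, the second is a client-side template expression. The following is an added example (not SuperOffice's code and not part of the checklist) showing input validation on one side and context-specific output escaping on the other; the sample names, the field name "person" and the length limit are constructed for the example. HTML escaping neutralises the first payload in attribute and text contexts; the second is only safe if the value is bound as data and never fed to a client-side template compiler as template source.

```python
import html
import json

# Constructed sample values modelled on the kinds of test records the
# checklist describes; these are examples, not the actual test records.
SAMPLE_NAMES = [
    '"><img src=x onerror=alert(100)>',
    "{{ {Name: '<Script>Alert(Document.Cookie)</Script>'} }}",
    "Ola Nordmann",
]

MAX_NAME_LENGTH = 200  # constructed limit for the example


def validate_name(raw: str) -> str:
    """Validate on input: trim, enforce a length limit and reject control
    characters. This does NOT make the value safe to render; escaping on
    output still has to happen in the right context."""
    name = raw.strip()
    if not name or len(name) > MAX_NAME_LENGTH:
        raise ValueError("name must be 1..%d characters" % MAX_NAME_LENGTH)
    if any(ord(ch) < 32 for ch in name):
        raise ValueError("name must not contain control characters")
    return name


def render_unsafe(name: str) -> str:
    """Vulnerable: the value is concatenated straight into an attribute, so
    the first sample closes the attribute and injects <img onerror=...>."""
    return '<input name="person" value="' + name + '">'


def render_attribute(name: str) -> str:
    """Hardened: escape for the HTML attribute context at output time."""
    return '<input name="person" value="' + html.escape(name, quote=True) + '">'


def render_text(name: str) -> str:
    """Hardened: escape for the HTML text context."""
    return "<span>" + html.escape(name) + "</span>"


def render_for_script(name: str) -> str:
    """Hardened: a value placed inside an inline <script> is JSON-encoded and
    '<' / '>' are turned into \\u escapes, so a '</script>' inside the value
    cannot close the element and no HTML is parsed out of it."""
    encoded = json.dumps(name).replace("<", "\\u003c").replace(">", "\\u003e")
    return "<script>var personName = " + encoded + ";</script>"
```

The unsafe renderer is kept only to show the difference; in a real app every place a stored value reaches a page should go through the escaping function for that context, never through string concatenation.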

    • You must use federated authentication and validate all tokens you receive back from us.
    • You may not store any user credentials or authentication information in your application. If you need to write to the database when the user is not logged in, you must use a system user.

    Data: SuperOffice allows users to set visibility restrictions on entities such as appointments, tasks, documents, sales and selections, so that an entity is visible only to specific user groups and/or users. If you copy data, you must keep these visibility restrictions intact; otherwise your app compromises the security of the data and the users' trust in it. More info in the help file.

    2. Provisioning

    During provisioning of your app the customer's administrator must authorize the app; this is a requirement, not an option. If for any reason a consultant must configure the application, they may not ask for the customer's username and password; the following flow must be implemented instead.

    The customer's administrator must authorize the app

    Note that a customer's administrator may authorize the app by clicking a link that includes your app_id: https://online.superoffice.com/login/app_id=<app_id> This shows the consent dialog for the app, and as an administrator he/she may approve it.

    Installer: If an installer must be run on the client's computer, make sure the installed files do not compromise security. The installer should be finished before the certification process starts, since it will be tested.

    3. Handle potential errors

    Consider the possibility that your app no longer has access to the customer database: show an error message instead of the "Yellow screen of death", which reveals where your code is located on your server. During the test we will revoke the app authorization on the tenant to see how your app handles it when it, for example, no longer has access to list items (if you have an admin site that configures data for the customer database).
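An added example (not SuperOffice's code and not part of the checklist) of the difference between a page that leaks the unhandled-exception details and one that handles revoked authorization. The exception class, the list-item fetch and the tenant name are constructed stand-ins; a real app would map its API client's authorization failure onto the exception.

```python
import html
import logging
import traceback

log = logging.getLogger("myapp")


class TenantAccessRevoked(Exception):
    """Constructed for this example: raised when the tenant's administrator
    has withdrawn the app's authorization."""


def fetch_list_items(tenant: str, authorized: bool) -> list:
    """Stand-in for reading list items from the customer database
    (constructed; a real app would call the CRM API here)."""
    if not authorized:
        raise TenantAccessRevoked(tenant)
    return ["Item A", "Item B"]


def render_items(items) -> str:
    return "<ul>" + "".join("<li>%s</li>" % html.escape(i) for i in items) + "</ul>"


def admin_page_unsafe(tenant: str, authorized: bool):
    """Before: the unhandled-exception page hands the traceback, including
    the server-side file paths, to whoever is looking at the browser."""
    try:
        return 200, render_items(fetch_list_items(tenant, authorized))
    except Exception:
        return 500, "<pre>" + html.escape(traceback.format_exc()) + "</pre>"


def admin_page_safe(tenant: str, authorized: bool):
    """After: a generic message for the user, details only in the server log."""
    try:
        return 200, render_items(fetch_list_items(tenant, authorized))
    except TenantAccessRevoked:
        log.warning("tenant %s has revoked access; administrator must re-authorize", tenant)
        return 403, ("<p>This app is no longer authorized for your SuperOffice tenant. "
                     "Ask your administrator to approve it again.</p>")
    except Exception:
        log.exception("unexpected error while serving tenant %s", tenant)
        return 500, "<p>Something went wrong. The problem has been logged.</p>"
```

The status code matters as well as the body: returning 403 for the revoked case lets monitoring distinguish "customer withdrew consent" from a real failure.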

    4. Protect your web panels

    Partner-defined web panels are great, but they are also where we find the most vulnerabilities. They may be opened in separate windows, and we will not allow information to be leaked via web panels that are forwarded to others who have not authenticated. Take a close look at the top ten list here: https://www.owasp.org/index.php/Top_10_2013-Top_10

    Also, make sure to include the context identifier template variable as part of the URL of all partner web panels you add to the database. If the panel works in the user's context, include the associate id too:

    • uctx: Database context (tenant name) for the logged-in user. Used with multi-tenant NetServer to distinguish between the different databases used by the different tenants. Each database context can have a separate configuration.
    • usid: User login associate id (hidden id). The associate id of the currently logged-in user. Unlike alid, it is not affected by the selected diary user.

    Never include usec as a parameter in the URL. The URL is saved in the browser history and on the web server; in addition, all web panels may be opened in a separate window and forwarded to anyone. The ticket is valid for up to 6 hours, and anyone with access to the URL gets limited access to the tenant's database based on that user's rights. We recommend using OAuth2 and including uctx as described here.
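An added example (not SuperOffice's code and not part of the checklist) of a pre-registration check an app can run over the web panel URLs it is about to add, enforcing the rules above: https only, uctx present, usid present for panels that work in the user's context, and usec never present. It assumes template variables are written in the URL as the variable name in angle brackets (e.g. ?ctx=<uctx>); the panel URLs are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: template variables appear in the web panel
# URL as the variable name in angle brackets, e.g. ...?ctx=<uctx>.
TEMPLATE_VAR = re.compile(r"<([a-z]+)>")
REQUIRED = {"uctx"}
FORBIDDEN = {"usec"}


def check_web_panel_url(url: str, user_context: bool = False) -> list:
    """Return the problems found with a web panel URL; an empty list passes."""
    problems = []
    if urlsplit(url).scheme.lower() != "https":
        problems.append("web panel must be served over https")
    found = set(TEMPLATE_VAR.findall(url))
    for var in sorted(FORBIDDEN & found):
        problems.append("<%s> must never be placed in the URL: the ticket stays valid "
                        "for hours and the URL ends up in histories and server logs" % var)
    for var in sorted(REQUIRED - found):
        problems.append("<%s> is missing: the panel cannot tell which tenant it serves" % var)
    if user_context and "usid" not in found:
        problems.append("<usid> is missing: a panel working in the user's context "
                        "needs the associate id")
    return problems


# Constructed web panel registrations to check (not real apps).
SAMPLE_PANELS = {
    "good": "https://panel.example.com/crm?ctx=<uctx>&user=<usid>",
    "leaks_ticket": "https://panel.example.com/crm?ticket=<usec>&ctx=<uctx>",
    "no_context": "https://panel.example.com/crm",
    "plain_http": "http://panel.example.com/crm?ctx=<uctx>",
}


def audit_panels(panels: dict, user_context: bool = True) -> dict:
    """Run the check over every registered panel; only failing ones are returned."""
    failing = {}
    for name, url in panels.items():
        problems = check_web_panel_url(url, user_context=user_context)
        if problems:
            failing[name] = problems
    return failing
```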

    Also, remember that your customer may have enabled "Grouping and filtering" on all list items, and it may be user friendly to make them visible for all by default. Our example applications have code that implements this.

    Enable grouping and filtering on this list in Maintenance client

    Include the app name, or at least your company name, in the description so that the customer's administrator can easily identify which web panel belongs to which app.
    5. Cookies

    Protect your cookies by setting the Secure and HttpOnly flags.
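An added example (not SuperOffice's code and not part of the checklist) showing a session cookie issued without the flags beside the hardened form, plus a small check that can be run against any Set-Cookie line your app emits. The cookie name and value are constructed; the SameSite attribute goes one step beyond the two flags the checklist names.

```python
from http.cookies import SimpleCookie


def session_cookie_weak(session_id: str) -> str:
    """Weak: the cookie travels over plain http and is readable from script."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    return cookie.output(header="Set-Cookie:")


def session_cookie_hardened(session_id: str) -> str:
    """Hardened: Secure keeps it on TLS, HttpOnly keeps it away from
    document.cookie; SameSite=Lax is an extra beyond the checklist."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def cookie_attributes(set_cookie_line: str) -> set:
    """Return the lowercased attribute names present on one Set-Cookie line."""
    value = set_cookie_line
    if value.lower().startswith("set-cookie:"):
        value = value.split(":", 1)[1]
    parts = [p.strip() for p in value.split(";")]
    return {p.split("=", 1)[0].lower() for p in parts[1:] if p}


def is_protected(set_cookie_line: str) -> bool:
    """The check the certification test effectively performs on your cookies."""
    return {"secure", "httponly"} <= cookie_attributes(set_cookie_line)
```

The same check can be pointed at a captured response header from a staging deployment, which is where a missing flag set by a framework default usually shows up.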

    6. Limit your searches

    During the certification test we will use a huge database to test your application. This database may return hundreds of thousands of rows unless you limit your search. For example, make sure the user types at least 3 characters before you start searching for contacts, persons, email addresses, selections and so on.

    7. System user and important rules

    Note: a system user bypasses all our sentry mechanisms, so you have to protect the customer database from "total destruction", which would require Online Operations to update the database manually.

    Owner company: never rename the field contact.name for the company whose contact_id is found in the database table Company. Renaming the company here makes our license check fail and locks all users out.

    Associates' email addresses: an email address is an online user's login name, so do not update a person's email address if they also have a row in the associate table. Also, do not add the same email address to multiple persons who are associates.
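Because a system user is not stopped by the sentry mechanisms, the app itself has to refuse the writes listed above. The following is an added example (not SuperOffice's code and not part of the checklist) of a guard called before every system-user write. The owner company id, the set of persons with an associate row and the set of associate login emails are constructed stand-ins for values a real app would read from the tenant database; the email rule is applied conservatively, rejecting an associate's login email on any person.

```python
# Constructed stand-ins for the three facts the guard needs; a real app
# would read them from the tenant database before writing.
OWNER_CONTACT_ID = 1                              # contact_id of the owner company
ASSOCIATE_PERSON_IDS = {17, 23}                   # person ids that also have an associate row
ASSOCIATE_EMAILS = {"ola@example.com", "kari@example.com"}  # associates' login names


class ForbiddenSystemUserWrite(Exception):
    """Raised instead of performing a write the checklist forbids."""


def check_system_user_write(table: str, row_id: int, field: str, new_value) -> bool:
    """Call before a system-user write; returns True when the write is allowed."""
    if table == "contact" and row_id == OWNER_CONTACT_ID and field == "name":
        raise ForbiddenSystemUserWrite(
            "renaming the owner company breaks the license check and locks all users out")
    if table == "person" and field == "email":
        if row_id in ASSOCIATE_PERSON_IDS:
            raise ForbiddenSystemUserWrite(
                "person %d is an associate; the email address is their login name" % row_id)
        if str(new_value).strip().lower() in ASSOCIATE_EMAILS:
            raise ForbiddenSystemUserWrite(
                "%s is already an associate's login name" % new_value)
    return True


def apply_updates(updates):
    """Apply a batch of (table, row_id, field, value) updates, stopping at the
    first forbidden one so nothing destructive reaches the database.
    Returns (applied, rejected_reason)."""
    applied = []
    for table, row_id, field, value in updates:
        try:
            check_system_user_write(table, row_id, field, value)
        except ForbiddenSystemUserWrite as exc:
            return applied, str(exc)
        applied.append((table, row_id, field, value))   # the real write goes here
    return applied, None
```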

    8. GDPR - creating persons

    To meet the GDPR requirements for documenting consents, the Consent Management features in SuperOffice CRM allow a company to document:

    • the reason why they want to store personal information (called "purpose");
    • the lawfulness of processing information (called “legal basis”);
    • how the personal information entered SuperOffice (called the "Privacy - source");
    • the date and time; and
    • who entered the information.

    The default purpose in SuperOffice is called "Sales and service", and all new contacts stored in SuperOffice are assigned this purpose with the legal basis "legitimate interest" unless the company has changed the default setting. The source is also set automatically. If your app creates new contact persons, you should let the customer choose from their own list of Privacy - Source values, but set a default value, Other integration with key API, so it is never left as unknown.

    9. GDPR - e-marketing consents

    The GDPR regulation states that an individual has the right to object to receiving marketing materials. For this reason, SuperOffice enables companies to store and track the consent for "E-marketing" as a specific purpose, meaning that the company wants to send e-marketing mailings to a person and tracks the consent for doing so. In this way, the company can keep track of whether and when consent has been withdrawn. In addition, in several European countries local marketing laws require the legal basis for this purpose to be an "explicit consent" given by the individual and not set by the company. This applies especially when sending marketing materials to prospects. If your app is used for sending out e-marketing mailings, you must make sure you check the contact person's e-marketing consent.

    10. Language support

    When adding list items like web panels or user-defined fields, consider adding language support beyond English. If you add list items with a name like EN:"English name";NO:"Norsk navn";SW:"Svensk namn", the correct translation is picked for the language the client runs SuperOffice CRM Online in.
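An added example (not SuperOffice's code and not part of the checklist) of a small parser and formatter for that name format, with a lookup that falls back to English and then to a plain untranslated name. It assumes only what the text shows: two-letter codes, the text in double quotes, entries joined with ';'; names containing a double quote are rejected rather than guessed at.

```python
import re

# One translation looks like  EN:"English name" ; translations are joined with ';'.
_TRANSLATION = re.compile(r'([A-Z]{2}):"([^"]*)"')


def parse_multilang(name: str) -> dict:
    """Parse  EN:"English name";NO:"Norsk navn";SW:"Svensk namn"  into a dict.
    A name without language prefixes is returned under the empty key."""
    translations = {code: text for code, text in _TRANSLATION.findall(name)}
    return translations if translations else {"": name}


def format_multilang(translations: dict) -> str:
    """Inverse of parse_multilang; refuses text that would break the quoting."""
    for text in translations.values():
        if '"' in text:
            raise ValueError("double quotes are not supported in translated names")
    return ";".join('%s:"%s"' % (code, text) for code, text in translations.items())


def pick_translation(translations: dict, language: str, fallback: str = "EN") -> str:
    """Text for the client's language, else the fallback language, else the
    plain untranslated name, else the first translation available."""
    return (translations.get(language.upper())
            or translations.get(fallback)
            or translations.get("")
            or next(iter(translations.values()), ""))


def add_translation(name: str, code: str, text: str) -> str:
    """Add or replace one language in an existing list item name."""
    translations = parse_multilang(name)
    if "" in translations:                    # promote a plain name to the fallback language
        translations = {"EN": translations[""]}
    translations[code.upper()] = text
    return format_multilang(translations)
```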

    11. Logging

    You must keep logs for at least 6 months, preferably 12. This way we can trace what happened if the customer later reports a problem.

    Log entries should show:

    • when the change was done (date and time)
    • who requested the change: the customer tenant and the associate who requested it
    • what it changed FROM
    • what it changed TO

    If the customer raises any questions, SuperOffice CRM Online Operations may request these logs to compare with the data we have here.
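An added example (not SuperOffice's code and not part of the checklist) of an audit log entry carrying exactly the four facts listed above, written one JSON object per line, with a replay helper that reconstructs the FROM/TO chain for one record and a retention check. The tenant name, associate ids, entity names and timestamps in the sample log are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Keep 12 months; the checklist's minimum is 6.
RETENTION = timedelta(days=365)


def change_record(tenant, associate_id, entity, entity_id, field, old, new, when=None):
    """One audit entry with the four facts the checklist asks for:
    when, who (tenant and associate), what it changed FROM and TO."""
    when = when or datetime.now(timezone.utc)
    return {
        "when": when.isoformat(),
        "tenant": tenant,
        "associate_id": associate_id,
        "entity": entity,
        "entity_id": entity_id,
        "field": field,
        "from": old,
        "to": new,
    }


def to_log_line(record: dict) -> str:
    """One JSON object per line keeps the log both greppable and parseable."""
    return json.dumps(record, sort_keys=True, ensure_ascii=False)


def from_log_line(line: str) -> dict:
    return json.loads(line)


def history(lines, tenant, entity, entity_id):
    """Replay the FROM/TO chain for one record, oldest first, so it can be
    compared with the value Operations sees in the database."""
    records = (from_log_line(line) for line in lines)
    matching = [r for r in records
                if r["tenant"] == tenant and r["entity"] == entity
                and r["entity_id"] == entity_id]
    return sorted(matching, key=lambda r: r["when"])


def expired(record: dict, now: datetime) -> bool:
    """True when the entry is older than the retention period and may be purged."""
    return datetime.fromisoformat(record["when"]) < now - RETENTION


# Constructed sample log written by a hypothetical app for tenant "cust12345".
_UTC = timezone.utc
SAMPLE_LOG = [
    to_log_line(change_record("cust12345", 42, "person", 17, "email",
                              "ola@example.com", "ola.nordmann@example.com",
                              datetime(2018, 11, 5, 9, 15, tzinfo=_UTC))),
    to_log_line(change_record("cust12345", 42, "person", 18, "email",
                              "kari@example.com", "kari.n@example.com",
                              datetime(2018, 12, 1, 14, 0, tzinfo=_UTC))),
    to_log_line(change_record("cust12345", 7, "person", 17, "email",
                              "ola.nordmann@example.com", "ola.n@example.com",
                              datetime(2019, 1, 7, 16, 30, tzinfo=_UTC))),
]
```

Timestamps are written in UTC with an explicit offset so that entries from different servers sort and compare correctly; the `when` field is an ISO string, which also keeps the lines ordered when the log is simply sorted as text.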

    12. Maintenance windows

    Does your app handle CRM Online being unavailable?

    We maintain our production environment regularly and have dedicated times set aside for this. At these times your app may not get access to the tenant(s), and you should handle this so that no data is lost.

    All times below are Norwegian time (GMT+1, or GMT+2 in summer).

    • The maintenance window is Saturday 20.00 to Sunday 06.00.
    • There is also a patch window, when servers may reboot, Thursday 22.00 to Friday 06.00.
    • SuperOffice also upgrades customers on Tuesdays and Fridays every three weeks; information about this is given on the login page only. This window starts at 20.00 and may last until 05.00.
    • Every night between 01.00 and 03.00 we recycle the application pools for all customers.

    13. Tenant status

    All standard apps in the app store must be able to check the status of customers prior to performing actions. To do that, all tenants expose a status page that applications can access to ensure stability. Read more here

    Ready?

    Complete this form to start the certification process.