All Products
Search

This Product

    Mobile Platform as a Service:General FAQ

    Document Center

    Mobile Platform as a Service:General FAQ

    Last Updated:Feb 02, 2026

    Does signature verification for offline packages require a network connection?

    Answer: No, it does not. Signature verification for offline packages is performed locally.

    When does signature verification occur? Is the package verified automatically after download and decompression, or only when it is called?

    Answer: Verification occurs after the offline package is downloaded but before it is decompressed. If verification fails, the package fails to load, and the application falls back to the online page.

    When a new offline package is opened using the startapp JSAPI, does the TitleBar become transparent automatically?

    Answer: You can control the TitleBar behavior by passing the transparentTitle parameter. The available options are AUTO, YES, and NO. For more information, see the startup parameter document.

    What is the process for offline package signature verification?

    Answer: The signature verification feature ensures the security of offline packages. This process guarantees the integrity of the package content and verifies its source.

    1. You configure the private and public keys. The private key is configured on the server-side to sign the offline package. The public key is configured on the client to verify the signature.

    2. In the mPaaS console, you download the .amr file from Real-time Release. If a private key is configured, the downloaded .amr file contains signature information. This information is the ciphertext created by encrypting the hash value of the offline package with the private key.

    3. After the client receives and decompresses the .amr package, it uses the public key embedded in the project to verify the signature. The client decrypts the ciphertext from Step 2 to obtain a hash value. It then calculates the hash value of the offline package locally. If the two hash values match, the verification passees.

    Important

    Although offline package signature verification ensures that packages are not tampered with during transfer and loading, it cannot completely prevent malicious attacks. Users have full control of the client, which allows for cracking and tampering with H5 logic. Be aware of potential frontend security risks. For example, access control must be verified on the backend. Activities such as flash sales require backend cooperation for timestamp validation.

    What is Mobile Gateway Service and what does it do?

    Mobile Gateway Service (MGS) Remote Procedure Call (RPC) is a component of mPaaS that connects mobile clients to servers. It simplifies data and communication protocols between the client and server, which improves development efficiency and network performance. MGS acts as a bridge, allowing mobile clients to access backend service interfaces through the gateway. For more information, see Introduction to Mobile Gateway Service.

    Using Mobile Gateway Service lets you do the following:

    • Encapsulate communication between the client and server using a dynamic proxy.

    • If the server and client define a consistent interface, the server can automatically generate and export code for the client.

    • Handle RpcException uniformly with features such as dialog boxes and toast messages.

    • MGS provides server-side HTTP service signature verification to improve data security between the gateway and the server.

    • After you enable signature verification for an API group in the gateway console, MGS creates a signature for each API request in that group. You can create the public and private keys for signing in the gateway console.

    • The server reads the signature string from the request. It then generates a local signature and compares it with the received signature to validate the request.

    • Verify signatures on requests from the client to MGS to authenticate the caller and ensure security. This feature is enabled by default. You can disable it by changing the setting in the configuration file.

    What is the gateway signature verification process?

    To prevent client requests from being tampered with or forged, RPC requests use a signature mechanism. The RPC module automatically signs requests. The basic signing and verification process is as follows:

    1. Convert the content of the requestBody to a string.

    2. Use the Security Guard module to sign the string. The signing uses an encryption key stored in an encrypted image, also known as the Security Guard image.

    3. Add the encrypted signature to the request and send it to the gateway.

    4. The gateway generates its own signature using the same method and verifies that the two signatures match.

    What are the similarities and differences between offline package signature verification and gateway signature verification?

    • Similarities:

      • Both offline package and gateway signature verification aim to ensure client security and protect content from tampering.

      • Both methods perform data validation.

    • Differences:

      • The validation outputs differ:

        • Offline package verification checks if the package was modified after download but before decompression.

        • Gateway verification checks if the requestBody was modified.

      • Signing methods:

        • For offline packages, signing is performed by configuring a public and private key pair in the backend.

        • For gateway requests, the signature is obtained through Security Guard.

      • The results of a failed signature verification vary:

        • If offline package verification fails, the H5 page is not disabled. The page data is loaded from the network instead, and normal use is not affected.

        • If gateway verification fails, backend validation or frontend data decryption also fails. As a result, the app's page data cannot be displayed correctly, which affects normal use.

    When the client makes an RPC call, gateway signature verification is performed. If the call does not return the expected result, what do the error codes in the console mean?

    Error code

    Description

    Cause

    7000

    Public key not set

    The Security Guard in the mobile app does not have a key for the appId, or the gateway cannot get the signature key for the appId.

    7001

    Insufficient parameters for verification

    Signature verification failed on the gateway server.

    7002

    Verification failed

    Signature verification failed on the gateway server.

    7003

    Verification expired

    The ts timestamp in the API request is outside the valid time window set by the system. Check if the client's clock is synchronized with the system time.

    7007

    Missing ts parameter

    The API request is missing the ts parameter required for verification.

    7014

    Missing sign parameter

    The API request is missing the sign parameter required for verification. This usually happens when the client fails to sign the data. Check that the client's Security Guard image is correct.

    For more information, see How to troubleshoot Mobile Gateway Service call errors.

    With a network connection, my offline package application opens correctly. Without a network connection, it fails to open. How can I troubleshoot this?

    For more information, see How to troubleshoot Mobile Gateway Service call errors.

    My HTML5 application loads slowly when offline package signature verification is enabled. How can I troubleshoot this?

    For more information, see How to troubleshoot Mobile Gateway Service call errors.

    How do I troubleshoot an abnormal RPC request?

    If an exception occurs when you call a resource using an RPC request, see Security Guard result code descriptions to troubleshoot the issue.