HID Approve SDK Release Notes

Security Updates - this release includes important security updates and third-party component updates.

We strongly recommend updating to this version for the most robust security.

Additional Updates and Fixes

• Adopted Apple's privacy manifest practice (for further details, see https://developer.apple.com/support/third-party-SDK-requirements/)

• The Non-Production SDK can now run Xcode Simulator on macOS with Apple processors

• SDK initialization issues now throw explicit exceptions instead of crashing

• The SDK now includes a setting (HIDGlobal.ActivIDMobileSDK.Logging.Level) to define the logging level when troubleshooting the application

  Note: The SDK default logging level (INFO) is less verbose than in previous versions of the SDK. Logging verbosity can be adapted using the new logging level setting.

• Client-Synchronized TOTP

  To accommodate end users who manually adjust their mobile system clock ahead or behind the actual time, the SDK will adapt to the time offset. This reduces the number of failed authentications due to incorrect Secure Codes (Time-based OTPs).

  This will reduce both failed authentication attempts and help-desk calls for device re-syncronizaton.

  The benefits of this feature are immediate and do not require any configuration by the client or server, nor can this feature be disabled. All containers, both newly activated and existing ones, including those created with a previous version of the SDK, will benefit from this feature.

  This client TOTP synchronization relies on network communication between the client and the authentication backend to accommodate time offsets. This means that for the client offset to take effect, an operation must be performed with the SDK that requires communication with the authentication backend (such as Container.retrieveTransactionIds, HIDServerActionInfo.getAction, etc).

• UserID-less Authentication

  UserID-less authentication allows integrators to implement authentication flows without the need for a user ID. The authentication backend provides a signed challenge, which is then consumed and signed by the HID Approve SDK.

  Subsequently, the authentication backend associates the appropriate user with the session, based on the details inferred from the transaction and the successful verification of the user's digital signature.

  This allows for a more user-friendly end user authentication process (fewer steps) and fewer help-desk calls for forgotten user IDs.

  Further information, see Transaction Signing.

  Note: This feature is currently only available for use with the HID Authentication Service and will be included in future releases of the HID Appliance.

Enhacments

• Bitcode support has been removed from our Apple SDKs

• XCframework - Production (Prod)

  Safeguarded against attached debuggers.

  Package changes - simulator support has been removed and shifted to the NonProd package.

• XCframework - Non-Production (NonProd)

  Introducing a new Non-Production variant of the SDK with reduced security controls intended to facilitate debugging.

  Note: This version is not shielded against attached debuggers or method swizzling.
  Important: As an integrator, you are responsible for ensuring that the Non-Production version of the SDK is not deployed in production. Using this version might compromise security and introduce potential attack vectors.

• Mobile Transaction Context - a new capability that allows for the provision of additional context from the client authentication device when accompanying a signed transaction

  For further details, see HIDTransaction.setStatus in the API documentation.

• Platform compatibility:

  • iOS - minimum target version raised to iOS 13

  • macOS - minimum target version raised to 10.15

Enhancements

• Extended userid inputval to offer better flexibility and alignment with the authentication back-end

• Sequential passwords are prohibited unless explicitly authorized with password policy parameters [P2124-460]

• Runtime application self-protection (RASP) has been updated (reduced XCFramework binary size) [P2124-348]

Enhancements

Add/remove system biometrics data enhanced management [P2124-471, P2124-466]

• The SDK End User License Agreement (EULA) has been updated

• The SDK samples have been updated to demonstrate usage of the new API entry points

• The SDK online documentation has been enriched with new code snippets (Swift/Objective-C)

• Modulemap - to support framework target integrations, the XCFramework package now includes a clang modulemap header

• XCFramework - the SDK now supports bitcode

Enhancements

• SSL sessions are now gracefully closed in case of failure during container creation or renewal

• Several deprecated API has been removed from this release. For further information, see Updates to the HID Approve SDK for Apple iOS/macOS.

• To simplify the integration of applications leveraging this SDK, the HID Approve SDK for iOS is now delivered in a single XCFramework bundle instead to two separate frameworks (respectively for iOS and iOS simulator). For more information, see Add the SDK to Your App
• Support of iOS simulator running on Apple M1 chip has been added.

• HIDDevice newInstance now return a singleton
• HIDContainer createContainer now contains parameters for context information in the listener
• The SDK cryptography now fully relies on Apple Security Frameworks
• iOS versions 10.0 and 11.0 are no longer supported

Enhancements

• The SDK Sample provides a change password menu to illustrate this feature
• Documentation has been updated to specify possible exceptions on some functions and methods

Security Updates - this release includes important security updates and third-party component updates.

We strongly recommend updating to this version for the most robust security.

Additional Updates and Fixes

• Added support for upgrades from HID Approve SDK for Android version 5.10.0.1084

• Client-Synchronized TOTP

  To accommodate end users who manually adjust their mobile system clock ahead or behind the actual time, the SDK will adapt to the time offset. This reduces the number of failed authentications due to incorrect Secure Codes (Time-based OTPs).

  This will reduce both failed authentication attempts and help-desk calls for device re-syncronizaton.

  The benefits of this feature are immediate and do not require any configuration by the client or server, nor can this feature be disabled. All containers, both newly activated and existing ones, including those created with a previous version of the SDK, will benefit from this feature.

  This client TOTP synchronization relies on network communication between the client and the authentication backend to accommodate time offsets. This means that for the client offset to take effect, an operation must be performed with the SDK that requires communication with the authentication backend (such as Container.retrieveTransactionIds, HIDServerActionInfo.getAction, etc).

• UserID-less Authentication

  UserID-less authentication allows integrators to implement authentication flows without the need for a user ID. The authentication backend provides a signed challenge, which is then consumed and signed by the HID Approve SDK.

  Subsequently, the authentication backend associates the appropriate user with the session, based on the details inferred from the transaction and the successful verification of the user's digital signature.

  This allows for a more user-friendly end user authentication process (fewer steps) and fewer help-desk calls for forgotten user IDs.

  Further information, see Transaction Signing.

  Note: This feature is currently only available for use with the HID Authentication Service and will be included in future releases of the HID Appliance.

Enhancements

Minor bug fixes:

• Support for container creation on mobile devices where the system language is set to Arabic [#03356683 and #03329100]

• Mobile Transaction Context - a new capability that allows for the provision of additional context from the client authentication device when accompanying a signed transaction

  For further details, see Transaction.setStatus in the API documentation.

• Platform compatibility - minimum target version raised to 8.0

Enhancements

• SDK API updates - the API returns the rooted status of the device

• Algorithm update - updated internal algorithms to align with NIST recommendations

• Extended userid inputval to offer better flexibility and alignment with the authentication back-end

• Sequential passwords are prohibited unless explicitly authorized with password policy parameters [P2124-460]

• Optional support for Weak (Class 2) biometric authenticators

Enhancements

• Add/remove system biometrics data enhanced management [P2124-466]

• The SDK End User License Agreement (EULA) has been updated

• Several SDK third parties have been updated

• The SDK samples have been updated to demonstrate usage of new the API entry points

• The SDK online documentation has been enriched with new code snippets (Kotlin/Java)

• Proguard rules - to ease integration with Proguard/DexGuard/D8 obfuscation, a default rules file has been included in the AAR package

• Upgrade from the mobile application using HID Approve SDK version below 5.1 is no longer supported. As a consequence, the issue encountered when migrating from versions earlier than SDK v5.1 no longer applies.

Enhancements

• SSL sessions are now gracefully closed in case of failure during container creation or renewal

• Several deprecated API has been removed from this release. For further information, see Updates to the HID Approve SDK for Google Android.

Simplified integration for applications leveraging this SDK to use biometrics to protect containers (where the container policy is biometric or password). For further information, see Updates to the HID Approve SDK for Google Android.

Bug fixes:

• PasswordPolicy getCurrentAge() now returns a valid value.
• The container registration no longer fails if the TEE is not working on the device. Instead, it now falls back to a software keystore if allowed by the configuration defined in the HID Authentication Service. [P2124-359]

Several SDK third parties have been updated.

Enhancements

• The SDK Sample provides a change password menu to illustrate this feature
• Documentation has been updated to specify possible exceptions on some functions and methods
• Minor bug fixes:
  • Support for Level 3 'Strong' biometry. [IAHA-2266]

  • Support Registration for Arabic Interfaces. [P2124-331]