HID Approve SDK Release Notes

This page provides the latest information about the HID Approve SDK.

HID Approve SDK 6.0 for iOS/macOS

What's New

  • Pending transactions can be canceled by the SDK

    If the container associated with the transaction is protected by a user password, this password is not required to cancel the transaction (HIDTransaction.cancel).

  • When canceling a transaction, a flag can be set and shared with the service to indicate that the user is flagging suspicious activity

    Based on the service configuration, specific actions may be triggered server-side to handle this flag (HIDTransaction.cancel).

  • Direct Client Signature (DCS) Authentication enables integrators to use asymmetric private keys to sign authentication requests directly

    This improves the workflow and security of authentication processes within applications using the HID Approve SDK (HIDContainer.generateAuthenticationRequest).

    Additionally, this eliminates reliance on symmetric keys (e.g., OTP) for such workflows.

Note: These new features are only available with the HID Authentication Service. They are not supported by the ActivID Authentication Server or ActivID Appliance (all versions).

Improvements and Bug Fixes

  • HIDDevice.deleteContainer() now supports an optional parameter to specify the reason for deletion

  • HIDDevice.createContainer() and HIDContainer.renew() now gracefully close sessions with the service

  • HIDContainer.findKeys() now returns a single object for RSA key pairs

  • HIDDevice.newInstance() now throws explicit exception HIDLostCredentials (106) when irrecoverable error is detected

  • HIDDevice.retrieveActionInfo() and HIDTransaction.setStatus() now throw HIDTransactionExpired (1000) when transactions are no longer valid

  • Fix some use cases with incorrect transaction message maximum length

  • Fix a crash when SDK used without internet connection and SDK logs enabled

  • Fix use cases where data were unexpectedly backed up in Apple iCloud

  • Updated Runtime Application Self-Protection (RASP) solution

Important: Version 6.0 introduces a new Runtime Application Self-Protection (RASP) solution. While this enhancement should not impact your current integration, please note that this change will shorten the lifecycle of the previous 5.x versions of the SDK.

In practice, you may continue using v5.x SDK in your integration until you choose to migrate to version 6.0 of the HID Approve SDK. However, if you open a support case related to a v5.x SDK and a patch is necessary, the patch will be applied to version 6. This will require you to upgrade your application at that time.

HID Approve SDK 6.0 for Android

What's New

  • Pending transactions can be canceled by the SDK

    If the container associated with the transaction is protected by a user password, this password is not required to cancel the transaction (Transaction.cancel).

  • When canceling a transaction, a flag can be set and shared with the service to indicate that the user is flagging suspicious activity

    Based on the service configuration, specific actions may be triggered server-side to handle this flag (Transaction.cancel).

  • Direct Client Signature (DCS) Authentication enables integrators to use asymmetric private keys to sign authentication requests directly

    This improves the workflow and security of authentication processes within applications using the HID Approve SDK (Container.generateAuthenticationRequest).

    Additionally, this eliminates reliance on symmetric keys (e.g., OTP) for such workflows.

Note: These new features are only available with the HID Authentication Service. They are not supported by the ActivID Authentication Server or ActivID Appliance (all versions).

Improvements and Bug Fixes

  • Device.deleteContainer() now supports an optional parameter to specify the reason for deletion

  • Device.createContainer() and Container.renew() now gracefully close sessions with the service

  • Container.findKeys() now returns a single object for RSA key pairs

  • Device.retrieveActionInfo() and Transaction.setStatus() now throw TransactionExpiredException (1000) when transactions are no longer valid

  • Fix some use cases with incorrect transaction message maximum length

  • Improve error handling by throwing more meaningful exceptions (see Updates to the HID Approve SDK for Google Android for more details)

  • BioPasswordPolicy.resetBiometricPrompt() now cancels the biometric prompt

Security and Compliance

Replace a deprecated third-party handling regular expression management (see Updates to the HID Approve SDK for Google Android for more details).

HID Approve SDK 5.14 for Windows

What's New

  • The SDK has been migrated to the Microsoft .NET 8.0 unified development platform for Microsoft Windows (previously .NET 6.0)

  • Pending transactions can be canceled by the SDK

    If the container associated with the transaction is protected by a user password, this password is not required to cancel the transaction (ITransaction.cancel).

  • When canceling a transaction, a flag can be set and shared with the service to indicate that the user is flagging suspicious activity

    Based on the service configuration, specific actions may be triggered server-side to handle this flag (ITransaction.cancel).

  • Direct Client Signature (DCS) Authentication enables integrators to use asymmetric private keys to sign authentication requests directly

    This improves the workflow and security of authentication processes within applications using the HID Approve SDK (IContainer.GenerateAuthenticationRequest).

    Additionally, this eliminates reliance on symmetric keys (e.g., OTP) for such workflows.

Note: These new features are only available with the HID Authentication Service. They are not supported by the ActivID Authentication Server or ActivID Appliance (all versions).

Additional Updates and Fixes

  • Multiple device type configurations on a single domain with Manual Activation are now supported. [IAHA-1419]

  • IDevice.DeleteContainer() now supports an optional parameter to specify the reason for deletion

  • IDevice.CreateContainer() and IContainer.Renew() now gracefully close sessions with the HID Authentication Service

  • IContainer.FindKeys() now returns a single object for RSA key pairs

Security and Compliance

Code protection has been updated to a new third-party provider.

Documentation

Before you start using the HID Approve SDK, see Getting Started.

For further information about the features and benefits of the advanced authentication solution, see Mobile Authentication & Transaction Signing.

For further information about integration with the HID authentication platform, see:

Deploying the ActivID Push-Based Validation Solution with ActivID AS

Deploying the ActivID Push-Based Validation Solution with ActivID Appliance

Deploying HID Approve with the HID Authentication Service

Limitations and Known Issues

This section describes issues known by HID Global as of the release date, but which have not been addressed in the current product version. When possible, fixes and workarounds are suggested. This section also describes known limitations of this release.

Limitations

HID Approve SDK for iOS/macOS

  • Only "create container" and a few other operations are demonstrated in the macOS Demo App (for a full feature demo, use the iOS Demo App)

HID Approve SDK for Android

None.

HID Approve SDK for Windows

None.

Known Issues

HID Approve SDK for iOS/macOS

  • Non-explicit error when using push-based validation (for authentication or transaction signing) and "silent lock" mode if the user's authentication record becomes blocked on the server-side (perhaps resulting from too many consecutive incorrect PIN/password attempts). [IAHA-2200]

  • HID Approve SDK 6.0 may introduce performance degradation on older iPhone models (8 and earlier), especially when multiple containers are registered

HID Approve SDK for Android

  • Non-explicit error when using push-based validation (for authentication or transaction signing) and "silent lock" mode if the user's authentication record becomes blocked on the server-side (perhaps resulting from too many consecutive incorrect PIN/password attempts). [IAHA-2200]
  • Minor discrepancy for "silent lock" mode configuration validation between iOS/Android. When the lock type policy is set to "silent lock", Android will systematically enforce the presence of the "operation protection" key, while iOS only enforces it if either the "password" or "biometricorpassword" policies are set. In any case, to configure the "silent lock" mode correctly, the protection type should also be specified correctly. [IAHA-2201]

HID Approve SDK for Windows

None.

What Was New in Previous Versions

HID Approve SDK for iOS/macOS

  • The SDK logging mechanism has been updated to leverage the Apple OSLog framework

    The SDK logs are now conveniently display as other Apple logs in the Xcode and Console applications. For further information on how to activate these logs, refer to the Apple online documentation.

  • The iOS minimum supported version has been updated from 13.0 to 15.0

  • The macOS minimum supported version has been updated from 10.15 to 13.0

Additional Updates and Fixes

  • [HIDDeviceFactory reset] method has been reviewed to be more robust

  • SDK logs have been improved

Security Updates - this release includes important security updates and third-party component updates.

We strongly recommend updating to this version for the most robust security.

Additional Updates and Fixes

  • Adopted Apple's privacy manifest practice (for further details, see https://developer.apple.com/support/third-party-SDK-requirements/)

  • The Non-Production SDK can now run Xcode Simulator on macOS with Apple processors

  • SDK initialization issues now throw explicit exceptions instead of crashing

  • The SDK now includes a setting (HIDGlobal.ActivIDMobileSDK.Logging.Level) to define the logging level when troubleshooting the application

    Note: The SDK default logging level (INFO) is less verbose than in previous versions of the SDK. Logging verbosity can be adapted using the new logging level setting.

  • Client-Synchronized TOTP

    To accommodate end users who manually adjust their mobile system clock ahead or behind the actual time, the SDK will adapt to the time offset. This reduces the number of failed authentications due to incorrect Secure Codes (Time-based OTPs).

    This will reduce both failed authentication attempts and help-desk calls for device re-syncronizaton.

    The benefits of this feature are immediate and do not require any configuration by the client or server, nor can this feature be disabled. All containers, both newly activated and existing ones, including those created with a previous version of the SDK, will benefit from this feature.

    This client TOTP synchronization relies on network communication between the client and the authentication backend to accommodate time offsets. This means that for the client offset to take effect, an operation must be performed with the SDK that requires communication with the authentication backend (such as Container.retrieveTransactionIds, HIDServerActionInfo.getAction, etc).

  • UserID-less Authentication

    UserID-less authentication allows integrators to implement authentication flows without the need for a user ID. The authentication backend provides a signed challenge, which is then consumed and signed by the HID Approve SDK.

    Subsequently, the authentication backend associates the appropriate user with the session, based on the details inferred from the transaction and the successful verification of the user's digital signature.

    This allows for a more user-friendly end user authentication process (fewer steps) and fewer help-desk calls for forgotten user IDs.

    Further information, see Transaction Signing.

    Note: This feature is currently only available for use with the HID Authentication Service and will be included in future releases of the HID Appliance.

Enhacments

  • Bitcode support has been removed from our Apple SDKs

  • XCframework - Production (Prod)

    Safeguarded against attached debuggers.

    Package changes - simulator support has been removed and shifted to the NonProd package.

  • XCframework - Non-Production (NonProd)

    Introducing a new Non-Production variant of the SDK with reduced security controls intended to facilitate debugging.

    Note: This version is not shielded against attached debuggers or method swizzling.
    Important: As an integrator, you are responsible for ensuring that the Non-Production version of the SDK is not deployed in production. Using this version might compromise security and introduce potential attack vectors.

  • Mobile Transaction Context - a new capability that allows for the provision of additional context from the client authentication device when accompanying a signed transaction

    For further details, see HIDTransaction.setStatus in the API documentation.

  • Platform compatibility:

    • iOS - minimum target version raised to iOS 13

    • macOS - minimum target version raised to 10.15

Enhancements

  • Extended userid inputval to offer better flexibility and alignment with the authentication back-end

Note: Bitcode support will be removed from the SDK in a future version. For further details, see Disabling Bitcode.

  • Sequential passwords are prohibited unless explicitly authorized with password policy parameters [P2124-460]

  • Runtime application self-protection (RASP) has been updated (reduced XCFramework binary size) [P2124-348]

Enhancements

Add/remove system biometrics data enhanced management [P2124-471, P2124-466]

Note:  

  • Bitcode support will be removed from the SDK in a future version

    For further information about Bitcode deprecation, refer to the Apple XCode 14 Release Notes (item 86118779)

  • A new user-assigned device name entitlement is required for applications running Apple iOS 16 (or later) in order to identify the device name during activation

  • The SDK End User License Agreement (EULA) has been updated

  • The SDK samples have been updated to demonstrate usage of the new API entry points

  • The SDK online documentation has been enriched with new code snippets (Swift/Objective-C)

  • Modulemap - to support framework target integrations, the XCFramework package now includes a clang modulemap header

  • XCFramework - the SDK now supports bitcode

Enhancements

  • To simplify the integration of applications leveraging this SDK, the HID Approve SDK for iOS is now delivered in a single XCFramework bundle instead to two separate frameworks (respectively for iOS and iOS simulator). For more information, see Add the SDK to Your App
  • Support of iOS simulator running on Apple M1 chip has been added.
  • HIDDevice newInstance now return a singleton
  • HIDContainer createContainer now contains parameters for context information in the listener
  • The SDK cryptography now fully relies on Apple Security Frameworks
  • iOS versions 10.0 and 11.0 are no longer supported

Enhancements

  • The SDK Sample provides a change password menu to illustrate this feature
  • Documentation has been updated to specify possible exceptions on some functions and methods

HID Approve SDK for Android

Security and Compliance:

  • Third party updates

  • Code protection updates

Additional Updates and Fixes

  • HIDDeviceFactory.reset method has been reviewed to be more robust

  • HIDDeviceFactory.getDevice method has been reviewed to return a singleton instance of the device

  • SDK logs have been improved

Security Updates - this release includes important security updates and third-party component updates.

We strongly recommend updating to this version for the most robust security.

Additional Updates and Fixes

  • Added support for upgrades from HID Approve SDK for Android version 5.10.0.1084

  • Client-Synchronized TOTP

    To accommodate end users who manually adjust their mobile system clock ahead or behind the actual time, the SDK will adapt to the time offset. This reduces the number of failed authentications due to incorrect Secure Codes (Time-based OTPs).

    This will reduce both failed authentication attempts and help-desk calls for device re-syncronizaton.

    The benefits of this feature are immediate and do not require any configuration by the client or server, nor can this feature be disabled. All containers, both newly activated and existing ones, including those created with a previous version of the SDK, will benefit from this feature.

    This client TOTP synchronization relies on network communication between the client and the authentication backend to accommodate time offsets. This means that for the client offset to take effect, an operation must be performed with the SDK that requires communication with the authentication backend (such as Container.retrieveTransactionIds, HIDServerActionInfo.getAction, etc).

  • UserID-less Authentication

    UserID-less authentication allows integrators to implement authentication flows without the need for a user ID. The authentication backend provides a signed challenge, which is then consumed and signed by the HID Approve SDK.

    Subsequently, the authentication backend associates the appropriate user with the session, based on the details inferred from the transaction and the successful verification of the user's digital signature.

    This allows for a more user-friendly end user authentication process (fewer steps) and fewer help-desk calls for forgotten user IDs.

    Further information, see Transaction Signing.

    Note: This feature is currently only available for use with the HID Authentication Service and will be included in future releases of the HID Appliance.

Enhancements

Minor bug fixes:

  • Support for container creation on mobile devices where the system language is set to Arabic [#03356683 and #03329100]

  • Mobile Transaction Context - a new capability that allows for the provision of additional context from the client authentication device when accompanying a signed transaction

    For further details, see Transaction.setStatus in the API documentation.

  • Platform compatibility - minimum target version raised to 8.0

Enhancements

  • SDK API updates - the API returns the rooted status of the device

  • Algorithm update - updated internal algorithms to align with NIST recommendations

  • Extended userid inputval to offer better flexibility and alignment with the authentication back-end

Note: A new runtime permission, POST_NOTIFICATIONS, is required for applications to enable notifications on Android 13 (or later) (API level 33 or later).

  • Sequential passwords are prohibited unless explicitly authorized with password policy parameters [P2124-460]

  • Optional support for Weak (Class 2) biometric authenticators

Enhancements

  • Add/remove system biometrics data enhanced management [P2124-466]

Note:  A new runtime permission, POST_NOTIFICATIONS, is required for applications to enable notifications on Android 13 (or later) (API level 33 or later).

  • The SDK End User License Agreement (EULA) has been updated

  • Several SDK third parties have been updated

  • The SDK samples have been updated to demonstrate usage of new the API entry points

  • The SDK online documentation has been enriched with new code snippets (Kotlin/Java)

  • Proguard rules - to ease integration with Proguard/DexGuard/D8 obfuscation, a default rules file has been included in the AAR package

  • Upgrade from the mobile application using HID Approve SDK version below 5.1 is no longer supported. As a consequence, the issue encountered when migrating from versions earlier than SDK v5.1 no longer applies.

Enhancements

Simplified integration for applications leveraging this SDK to use biometrics to protect containers (where the container policy is biometric or password). For further information, see Updates to the HID Approve SDK for Google Android.

Bug fixes:

  • PasswordPolicy getCurrentAge() now returns a valid value.
  • The container registration no longer fails if the TEE is not working on the device. Instead, it now falls back to a software keystore if allowed by the configuration defined in the HID Authentication Service. [P2124-359]

Several SDK third parties have been updated.

Enhancements

  • The SDK Sample provides a change password menu to illustrate this feature
  • Documentation has been updated to specify possible exceptions on some functions and methods
  • Minor bug fixes:
    • Support for Level 3 'Strong' biometry. [IAHA-2266]

    • Support Registration for Arabic Interfaces. [P2124-331]

HID Approve SDK for Windows

The SDK was migrated to the Microsoft .NET 6.0 unified development platform for Microsoft Windows.

Note: This version should be considered as a new starting point and, as such, there are no supported migration paths from previous versions.