Security Guidelines
API Reference
Release notes
4.9.4 (Android only)

Release Notes

Release name: Mobile Protector SDK 5.0.0-201904110625

Release date: April 11, 2019

Supported Platforms & Processor Architectures


  • iOS 9.0 up to 12.2
  • Architectures: ARMv7, ARM64


  • Android 4.4 up to 9
  • Default Package
    • Architecture: armeabi-v7a, arm64-v8a, x86, x86_64
  • FaceID Package
    • Architectures: armeabi-v7a, arm64-v8a

New Features

Android & iOS

  • Added an EMV QR module to provide the capability to decode a QR code which contains data in EMVCo Merchant-Presented Mode. This data is used for further processing of the transaction.

  • Added new APIs for new provisioning protocol version 5 (PPV5) (See Creating Token).

  • WhiteBox Cryptographic (WBC) supported on OATH Token (HOTP/TOTP/OCRA/Gemalto DCVV), and it supports SHA256 algorithm only. WBC ensures that the OTP seed is never exposed in clear from memory at any time.

Fixed Issues and Bugs

Android & iOS

  • Corrected OOB blacklist header validation to be case-insensitive. Previous implementation was case-sensitive.
  • Resolved the issue of OOB incoming message expiration time to seconds. It was misinterpreted by SDK as seconds instead of milliseconds.


  • Resolved the BioFingerprint de/reactivation crash issue. It was triggered when the user lowers the screen lock type from medium to none/swipe.


  • If EMBioFingerprintAuthService:isSupported returns a false value, EMBioFingerprintAuthService:isConfigured API will return a false value instead of throwing an exception.
  • Removed PPiOS-Rename obfuscation (to avoid delay when submitting the Application to AppStore for review).
  • Resolved the crash scenario when jailbreak and hook detection are called concurrently (which are unlikely to happen). Jailbreak and hook detection can be called concurrently after the fix.

Known Issues


  • There is a memory leak in Secure Storage feature which is a leak on string termination character which does not contain any sensitive information.
  • Restoring an application using ‘DEVICE’ fingerprint source on a different device will throw a NSException instead of providing a NSError for selectors token with the name EMTokenManager.


  • Android Q has a privacy enforcement in which IMEI/MEID, IMSI value will no longer be accessible by third party applications.
    • READ_PRIVILEGED_PHONE_STATE is necessary to access the non-resettable device identifiers.
    • Data sealed with these fingerprint sources are not accessible after the device is upgraded to Android Q.
    • For applications with Targeted OS lower than 29, it returns a NULL value on Android Q devices. For applications with
    • Targeted OS equals to 29, SecurityException will be thrown as documented by Google. The application will crash if the exception is not handled.

Known Limitations

  • The pre-defined template #0 (INPUT_FURTHER_INPUTS) is not supported for Dynamic Signatures.
  • On iOS platforms, for CAP, elements encoded in BER-TLV (like in CDOL definition) cannot be greater than 127 bytes.
  • Secure keypad does not support custom top section of the keypad screen in dialog mode.
  • SHA-256 algorithm for HOTP is only supported on specific Authentication Servers.
  • The iOS Secure Storage is not able to have multiple instances with different fingerprint source configurations.
  • Dual seed tokens only support TOTP and time based OCRA.
  • Mobile Protector SDK upgrade is not possible from a SDK version below 2.1.
    • Importing legacy credential from SDK 1.1.x is possible under certain conditions.
  • OCRA HEX challenge with odd length are not supported.
    • Additionally, setting OCRA suites with odd length HEX challenge format are not supported.
  • When using provisioning protocol v1 (PPV1) with EPS 1.x, the provisioned Token Sequence Number (i.e. GIDV) cannot be used as part of the CAP OTP calculation (that is, configured to be included in the IPB).
  • When using PPV1 with EPS 1.x, the provisioned Token Sequence Number (that is, GIDV) can only be a decimal and in the range 0-99. The length varies depending on that configured GIDV length in the backend.
  • DSKPP provisioning only supports DSKPP provisioning protocol V1 which is based on Gemalto proprietary server SPA and SAS.
  • On iOS platform, Secure keypad top element is not vertically aligned if the keypad controller is presented modally by presenting as a view controller for navigation controller.

Supported Authentication Algorithms

  • Gemalto Verify Issuer function (FRS Ezio ZEN token - version 1.0)
  • CAP: Version 2007 (all modes)
  • Dynamic Signature: Gemalto Proprietary Formatting (GPF), CAP Mode 2 TDS Formatting
  • OATH: HOTP (RFC 4226 - Dec 2005), TOTP (RFC 6238 - May 2011), OCRA (RFC 6287 - June 2011)
  • Gemalto eBanking OATH options (Version 1.1)

Tested Devices


  • 9.0: Apple iPhone 4S
  • 9.1: Apple iPhone 5S (jailbroken)
  • 9.3.3: Apple iPad Mini
  • 9.3.4: Apple iPad 2
  • 10.3.2: Apple iPhone 5C
  • 11.2: Apple iPhone 5S (jailbroken)
  • 11.2.5: Apple iPad Pro
  • 11.4: Apple iPhone 6S
  • 12.0: Apple iPhone 7 Plus (jailbroken)
  • 12.1.3: Apple iPhone 5S
  • 12.2: Apple iPhone X


  • 4.4.2: Samsung Galaxy S5
  • 5.0.2: Xiaomi Mi 4i
  • 5.0.2: HTC One
  • 5.1.1: One Plus One
  • 5.1.1: Blackberry Priv
  • 6.0.0: Sony Xperia XA F3116
  • 6.0.0: Wiko Sunny
  • 6.0.1: One Plus Two
  • 6.0.1: Samsung Galaxy S6
  • 7.0.0: Samsung Galaxy S7
  • 7.0.0: Samsung Galaxy S8
  • 7.0.0: Sony Xperia SO-02H
  • 7.1.1: Oppo R11s
  • 7.1.2: LG V30+
  • 8.0.0: Samsung Galaxy S9
  • 8.1.0: Huawei Nexus 6P
  • 8.1.0: Huawei Nexus 6P(rooted)
  • 9.0.0: Google Pixel2 XL
  • Android Q beta: Google Pixel2