Added a new DeviceFingerprintSource Type - HardwareKey. This type improves the anti-cloning capability by using the hardware-backed keystore or StrongBox keystore on Android and the Secure Enclave on iOS.
For Android, the type HardwareKey can be used for the token, SecureStorage and OOB.
For iOS, the type HardwareKey can be used only for the token.
Added a new API to update the token's device fingerprint. With this method you can update an existing token to use the new DeviceFingerprintSource Type - HardwareKey.
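To show what a hardware-backed device fingerprint key rests on, here is an added example of the underlying Android platform mechanism (not code from the SDK or the release notes): an EC key generated in the Android Keystore, StrongBox first with a TEE-backed fallback, then checked for residence in secure hardware and used to sign a challenge. The private key is non-exportable, so copying the app's data to another device does not copy the key, which is the anti-cloning property. The alias and the challenge-signing flow are assumptions for illustration; the APIs require compileSdk 28 or higher.

```java
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;

import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;

/** Added example (not SDK code): a device-bound EC key in the Android Keystore. */
public final class HardwareBoundKey {
    // The alias is an assumption for this example.
    private static final String ALIAS = "example-device-fingerprint-key";

    /** Generates a non-exportable P-256 key: StrongBox when present, TEE-backed otherwise. */
    public static KeyPair generate() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            try {
                kpg.initialize(spec(true));
                return kpg.generateKeyPair();
            } catch (StrongBoxUnavailableException e) {
                // No StrongBox on this device; fall through to the TEE-backed keystore.
            }
        }
        kpg.initialize(spec(false));
        return kpg.generateKeyPair();
    }

    private static KeyGenParameterSpec spec(boolean strongBox) {
        KeyGenParameterSpec.Builder b = new KeyGenParameterSpec.Builder(
                ALIAS, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setDigests(KeyProperties.DIGEST_SHA256);
        if (strongBox) {
            b.setIsStrongBoxBacked(true); // API 28+
        }
        return b.build();
    }

    /** True when the private key material lives in secure hardware (TEE or StrongBox). */
    public static boolean isHardwareBacked(PrivateKey key) throws Exception {
        KeyFactory kf = KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
        KeyInfo info = kf.getKeySpec(key, KeyInfo.class);
        // On API 31+ prefer info.getSecurityLevel() and compare against
        // KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT / SECURITY_LEVEL_STRONGBOX.
        return info.isInsideSecureHardware();
    }

    /** Signs a server-issued challenge; a valid signature proves possession of this device's key. */
    public static byte[] signChallenge(byte[] challenge) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, null);
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign(key);
        sig.update(challenge);
        return sig.sign();
    }
}
```

A practical check is to call isHardwareBacked once after enrolment and refuse to treat the fingerprint as hardware-bound if it returns false (for example on an emulator with a software keystore), since only then does the hardware key actually add anti-cloning strength over a file-based fingerprint.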
iOS
Enhanced security of biometric authentication with hardware-based key in Secure Enclave. This feature is automatically applied to existing tokens.
Added RASP (Runtime Application Self-Protection) APIs that protect application-layer methods by detecting hooking and debugging.
The existing jailbreak detection API is refactored and included with the newly added RASP APIs.
Android
For the Core API and FastTrack API, new APIs are added that use Biometric Prompt on Android API level 28 or higher. The new API handles Android 9 biometric authentication (such as fingerprint recognition, face recognition, and iris scan). The existing Biofingerprint APIs are deprecated.
Updated the JNA version from 4.5.0 to 5.5.0. Applications need to update the dependency to use this version.
Added RASP (Runtime Application Self-Protection) APIs that protect application-layer methods by detecting hooking, debugging, emulators and virtual environments.
Enhanced hook detection: the SDK now continuously detects hooks on critical APIs such as OTP generation.
Fixed issues and bugs
Android
Resolved the Android 10 data migration issue that occurred when the targetSDK version is set to 29.
Known issues
iOS
There is a memory leak in the Secure Storage feature due to the string-terminating character. However, the leak does not contain any sensitive information.
Thales Secure Keypad does not support the system font on iOS/iPadOS 13.x. The system font will be replaced by Times New Roman font.
Android
Vulnerability in the secure keypad allows screen recording through the ADB shell when the keypad is configured in dialog mode.
Known limitations
The predefined template #0 (INPUT_FURTHER_INPUTS) is not supported for dynamic signatures.
For CAP on iOS platforms, the length of the elements encoded in BER-TLV (such as CDOL definition) cannot be longer than 127 bytes.
The secure keypad does not support a custom-designed top section of the keypad screen in dialog mode.
On the iOS platform, the top element of the secure keypad is not vertically aligned if the keypad controller is presented modally as a view controller of a navigation controller.
SHA-256 algorithm for HOTP is supported on SAS Authentication Server only.
The Secure Storage feature in iOS does not support multiple instances with different device fingerprint source configurations.
Dual seed tokens are only supported with TOTP and time-based OCRA.
OCRA HEX challenges with an odd length are not supported.
Additionally, configuring OCRA suites with an odd-length HEX challenge format is not supported.
When using provisioning protocol v1 (PPV1) with EPS 1.x, the provisioned Token Sequence Number (that is, GIDV) cannot be used as part of the CAP OTP calculation (that is, configured to be included in the IPB).
When using PPV1 with EPS 1.x, the provisioned Token Sequence Number (that is, GIDV) can only be a decimal and is in the range 0-99. The length varies depending on the configured GIDV length in the backend.
DSKPP provisioning supports only DSKPP provisioning protocol V1, which relies on the Thales proprietary SPA and SAS servers.
On Android devices with an in-screen fingerprint scanner, Android will prompt a system fingerprint UI on top of the application's custom fingerprint UI. The fingerprint authentication will still work as expected.
Upgrading a token to biometric user authentication fails on the iOS Simulator from version 13 to 13.3: isAuthModeActive will always return a 'NO' value. This is due to an iOS backward compatibility issue and has been reported to Apple. This issue is specific to the simulator; it works correctly on real devices.
Supported authentication algorithms
Thales DIS Verify Issuer function (FRS Protector OATH ZEN token - version 1.0)