Release notes
Core API
Security guidelines
On demand
4.9.4 (Android only)

Release notes

Release name: Protector OATH SDK 6.0.0

Release date

iOS: December 23, 2020

Android: March 12, 2021

Supported platforms & processor architectures


  • iOS 11 and up
    • Ended the support for iOS 10. End users on iOS 10 or earlier may encounter issues using the SDK, it is recommended to upgrade the device OS before using it.
  • Processor architectures: arm64, x86_64


  • Android 5.1 and up
  • Processor architectures: armeabi-v7a, arm64-v8a, x86, x86_64

New features

iOS & Android

For Core API and FastTrack API

  • Mobile Provisioning Protocol V1, V2, and V3 are deprecated. Please upgrade to EPS V3 Server and use Mobile Provisioning Protocol V5.
  • Improved SDK code obfuscation.
  • TLS minimum support is increased from 1.0 to 1.1.
  • Added the secure logger module for SDK log collection. The SDK logs are encrypted and stored securely on the file system which is useful when troubleshooting the SDK. The secure log configuration function has to be called to activate/deactivate the SDK logging before initializing Core API or FastTrack API.
  • Upgraded Secure keypad for general stability improvements:
    • Supports standalone secure keypad where the buildClearTextWithScrambling function is added and can be extracted to cleartext. Hence, the secure keypad can be used for generic purpose.
    • Added the Shift button feature which allows the application to configure and display extra keys and subscripts when the Shift button is pressed.
    • The SecureInputBuilder class in V1 API was dropped from Protector OATH SDK V5.4 and earlier. The SecureInputBuilderV2 class in V2 API was subsequently replaced by the SecureInputBuilder class. Refer to migration for more details.

For Core API

  • Removed Thales FaceId release variant in the SDK package. There is currently only one default standard release in the SDK package.

For FastTrack API

  • Supports dynamic token configuration for OTP generation. Refer to Fast Track API for more details.
  • Secure keypad is now available in FastTrack API.


  • Improved string definitions to make it Swift friendly. All strings that are appended with _TO_STRING() are renamed. For example, EMOobIncomingMessageTypeUserMessage_TO_STRING() will be EMOobIncomingMessageTypeUserMessage.


  • Migrated the deliverables from .jar to .aar. Refer to Android Integration guide for more details.
    • QUERY_ALL_PACKAGES permission is included in .aar SDK
  • Enhanced SDK security protection.
  • Removed the ApiCore:preload() API.

Fixed issues and bugs


  • Fixed the date and time format issue in PPv5 provisioning request for certain specific regions and time zones.
  • Removed the biometric configuration check when deactivating biometric authentication.


  • Fixed the vulnerability in the secure keypad which allows the screen recording through ADB shell when it is configured in dialog mode.
  • Fixed crash issues when Android Package Manager is not accessible.
  • Fixed the Biometric RuntimeException after the app’s Backup-Restore.
  • Fixed the OOB Registration issue where it refers to the same user alias if a different alias is registered on the same instance of OOBManager.
  • Fixed the crash issue in GSK where the Delete button is tapped when the keyboard is about to be dismissed.

Known issues


  • There is a memory leak in the Secure Storage feature due to the string-terminating character. However, the leak does not contain any sensitive information.
  • Thales Secure Keypad does not support the system font on iOS/iPadOS 13.x and later. The system font will be replaced by Times New Roman font.

Known limitations

  • The predefined template #0 (INPUT_FURTHER_INPUTS) is not supported for dynamic signatures.
  • For CAP on iOS platforms, the length of the elements encoded in BER-TLV (such as CDOL definition) cannot be longer than 127 bytes.
  • SHA-256 algorithm for HOTP is supported on SAS Authentication Server only.
  • The Secure Storage feature in iOS does not support multiple instances with different device fingerprint source configurations.
  • Dual seed tokens are only supported with TOTP and time-based OCRA.
  • OCRA HEX challenge with odd length is not supported.
    • Additionally, the setting OCRA suites with odd length HEX challenge format is not supported.
  • When using provisioning protocol v1 (PPV1) with EPS 1.x, the provisioned Token Sequence Number (that is, GIDV) cannot be used as part of the CAP OTP calculation (that is, configured to be included in the IPB).
  • When using PPV1 with EPS 1.x, the provisioned Token Sequence Number (that is, GIDV) can only be a decimal and is in the range 0-99. The length varies depending on the configured GIDV length in the backend.
  • DSKPP provisioning only supports DSKPP provisioning protocol V1 which is based on Thales proprietary servers SPA and SAS.
  • Upgrading a token to biometric user authentication fails on iOS Simulator from version 13 to 13.3: isAuthModeActive will always return a “NO” value. This is due to an iOS backward compatibility issue and has been reported to Apple. This issue is only specific to simulator, it works well on real devices.

Supported authentication algorithms

  • Thales DIS Verify Issuer function (FRS Protector OATH ZEN token - version 1.0)
  • CAP: Version 2007 (all modes)
  • Dynamic Signature: Thales DIS Proprietary Formatting (TPF), CAP Mode 2 TDS Formatting
  • OATH: HOTP (RFC 4226 - Dec 2005), TOTP (RFC 6238 - May 2011), OCRA (RFC 6287 - June 2011)
  • Thales DIS – Digital Banking OATH options (version 1.1)

Tested devices


  • 11.2.5: Apple iPad Pro
  • 12.4.3: Apple iPhone 5S
  • 13.4.0: Apple iPhone 6s
  • 13.7.0: Apple iPad 2018
  • 14.2.0: Apple iPhone XS Max
  • 14.3.0: Apple iPhone 7 Plus
  • 14.3.0: Apple iPhone 12 Mini


  • 5.1.1: OnePlus One
  • 6.0.0: Wiko Sunny
  • 7.0.0: Sony Xperia Z5
  • 7.0.0: Samsung Galaxy S7
  • 8.0.0: LG V30+
  • 8.1.0: Huawei Nexus 6P
  • 9.0.0: Samsung Galaxy S9
  • 10.0.0: Samsung Galaxy S10
  • 10.0.0: Huawei P30 Pro
  • 11.0.0: Google Pixel 2
  • 11.0.0: Google Pixel 3a
  • 12 Dev Preview 1: Google Pixel 3a