Architecture
Veridium Mobile SDK
The Mobile SDK is a set of libraries for Android and iOS that help to easily add biometric authentication capabilities to custom apps. The SDK exposes a high level API that intuitively describe the actions for managing identities, biometries and authentication workflows.
Prequisites
In order to function properly, the following requirements are needed:
iOS
operating system: 10.0 and above
programming language: Swift or Objective-C
hardware sensors: depending on the capabilities of the phone the SDK will use local biometries like TouchID or FaceID. For the VeridiumID proprietary 4F biometry back camera permission is required.
Android
operating system: 5.0 (API 21) and above
programming language: Java 8 or Kotlin
hardware sensors: depending on the capabilities of the phone the SDK will use local biometries like Fingerprint. For the VeridiumID proprietary 4F biometry back camera permission is required.
General Internal Structure
The internal structure of the SDK is for informative purposes detailed below as it is opaque to container application.
Figure #1: MobileSDK internal structure
On both platforms the hardware capabilities are exploited if available. For instance all sensitive information (encryption keys, biometric information, user information) is stored in the hardware protected secure space; local biometry sensors are presented as authenticators when enrolling new accounts.
Authenticators are modules that can assert if the presented biometry during an authentication session is matching the enrolled one. During an authentication the list of authenticators that will challenge the user can be statically or dynamically composed by a negotiation with the VeridiumID Server. The authentication result is the list of authenticators, their result and signatures for each one that guaranty the authenticity of the result.
Any client that wants to communicate with the VeridiumID server needs to implement the Biometric Open Protocol Standard (BOPS). Request and response serialization, network security, error reporting is handled by the VeridiumID Server Communication module.
Integrating MobileSDK into an existing application
For details integrating the FourF TouchlessID export format functionality and configuring export format settings, see Biometric exports with Mobile SDK.
iOS
Before starting please check the Prerequisites section.
To export the logs from the SDK you need to:
Enable debug mode. After this option is enabled, the logs will be captured:
VIDMobileSDK.shared().getConfiguration().isDebugEnabled = trueCall
VIDMobileSDK.shared().exportLogs()
Add all the .xcframework dependencies by following these steps below. The Frameworks contain all necessary code that enable the workflows described in the next sections.
Contact the Veridium Sales team to get the SDK archive.
Extract the archive and locate the veridium-sdk folder.
Open your XCode project and navigate to the project navigator on the left-hand side.
Select your project at the top of the project navigator to open the project settings.
Select the target you want to add the VeridiumID framework to.
Select the "General" tab in the project editor.
Scroll down to the "Frameworks, Libraries, and Embedded Content" section.
Click the "+" button to add a new framework.
In the "Add" dialog that appears, select "Add Other...".
Navigate to the veridium-sdk folder that you extracted earlier and select the .xcframework file(s) you want to add.
Veridium4FBiometrics and Veridium4FUI dependencies are optional. They can be excluded if the 4F biometric library is not desired to be used.
VeridiumVFaceBiometrics and VeridiumDefaultVFaceUI dependencies are optional. They can be excluded if the VFace biometric library is not desired to be used.
Click "Open" to add the frameworks to your project.
In the "Embed" column next to each framework you just added, select "Embed & Sign" from the dropdown menu.
Go to your app's settings and set ‘Enable Bitcode’ to No
If you did not tick the "Copy" checkbox when adding the frameworks, be sure to go to Project settings → Build Settings → Framework Search Path and add the directory to the framework files you just included.
To ensure that the VeridiumID SDK functions properly within your container app, you need to add these required permissions in your .plist file: NSLocationWhenInUseUsageDescription, NSCameraUsageDescription, NSFaceIDUsageDescription. If you cannot locate your .plist file, navigate to: Project -> Targets -> Info -> Custom iOS Target Properties and add the permissions there.
The container app will only use the VIDMobileSDK singleton to access the code from the VeridiumOrchestrator framework. The other frameworks are subcomponents accessed and used internally. So add import VeridiumOrchestrator in the header of your AppDelegate.swift file and compile. You should get a successful compilation message.
The Mobile SDK needs registration and configuration for the biometric libraries (if used). The VIDConfiguration object has the sdkConfigurationBlock parameter used for providing the biometric library configurations as a closure. Import the biometric libraries you want to use and add the closure implementation with biometric library configurations. You can find how 4F and VFace biometric libraries are registered and configured in the code below:
Init SDK with license and biometric library configurations
Note: This method is only for SDK implementations integrated with a VeridiumID server. For Biometrics only, export SDKs, please check VFace iOS Integration or 4F iOS Integration
...
// Required
import VeridiumOrchestrator
// Optional imports for 4F biometric library
import Veridium4FBiometrics
import Veridium4FUI
// Optional imports for VFace biometric library
import VeridiumVFaceBiometrics
import VeridiumDefaultVFaceUI
...
@UIApplicationMain
class AppDelegate: UIResponder, UIApplicationDelegate {
// ...
func application(_ application: UIApplication,
didFinishLaunchingWithOptions launchOptions:
[UIApplicationLaunchOptionsKey: Any]?) -> Bool {
// ...
let configBuilder = VIDConfigurationBuilder()
.withSDKConfigurationBlock({ veridiumSDK in
// register biometric license loader for the 4F biometric library
veridiumSDK.registerLicenseLoader(VeridiumBiometricsFourFLicenseLoader())
// register biometric license loader for the VFace biometric library
veridiumSDK.registerLicenseLoader(VeridiumBiometricsVFaceLicenseLoader())
// register authenticator and enroller for the VFace biometric library
veridiumSDK.registerDefaultVFaceEnroller()
veridiumSDK.registerDefaultVFaceAuthenticator();
// configurations for the 4F authenticator
let authenticatorConfig = VeridiumFourFCaptureConfig.init(forAuthWithHand: .eitherHandEnroll, andLiveness: false)
authenticatorConfig.do_debug = false
authenticatorConfig.configureTimeoutEnabled(true, andTimoutSeconds: 30, andAllowedRetries: .infinite, andAllowSkipping: false)
// register authenticator for the 4F biometric library
veridiumSDK.register4FUIAuthenticator()
veridiumSDK.configureFourFAuthenticator(authenticatorConfig)
// configurations for the 4F enroller
let enrollerConfig = VeridiumFourFCaptureConfig.init(forEnrollWithHand: .eitherHandEnroll, andLiveness: true)
enrollerConfig.do_debug = false
enrollerConfig.configureTimeoutEnabled(true, andTimoutSeconds: 30, andAllowedRetries: .infinite, andAllowSkipping: false)
enrollerConfig.showHandSelectorOnEnrolment = true
// register enroller for the 4F biometric library
veridiumSDK.register4FUIEnroller()
veridiumSDK.configureFourFEnroler(enrollerConfig)
})
let initError = VIDMobileSDK.shared().initialize(configBuilder.build())
if let error = initError {
// handle initialization error
}
// ...
}
}Colour Theme customization
To customize the colour palette of the SDK owned UI you can add this in the config object above:
let appearanceBuilder = VIDAppearanceBuilder()
.withPrimaryColor(UIColor.primaryColor)
.withSecondaryColor(UIColor.secondaryColor)
...
configBuilder
.withAppearance(appearanceBuilder.build())
...The assigned UIColor object may contain Light, Dark, Normal Contrast and High Contrast settings that will be used accordingly inside the SDK.
The complete list of colour attributes that can be configured is
primaryColor : used for buttons, UI separators
secondaryColor : not used; reserverd for future implementations
textPrimaryColor : text main colour for content
textSecondaryColor : text colour for alternate text and strong titles
textLightColor : input fields watermark
backgroundColor : main background colour
backgroundSecondaryColor : secondary background colour
backgroundTernaryColor : ternary background color
accentColor : used for distructive buttons
Note: This mechanism does not cover 4F and VFace modules. Their UI can be cusomized directly through the framework code included in the SDK.
Enabling Push Notifications
Push Notifications (APNS) handling is the responsibility of the container app. There are two operation modes: through APNS servers or with local polling. The container app must opt for one of them, otherwise normal operation is impossible.
Option #1
In the AppDelegate.swift file register for push notifications and once a push intended for the SDK arrives, the container app needs to forward it to the SDK. A sample on how to achieve this can be found below:
@UIApplicationMain
class AppDelegate: UIResponder, UIApplicationDelegate {
var pushToken: Data?
func application(_ application: UIApplication, didRegisterForRemoteNotificationsWithDeviceToken deviceToken: Data) {
pushToken = deviceToken
VIDMobileSDK.shared().setRemoteNotificationsToken(pushTokenData: deviceToken)
print("registered for push notifications")
}
func application(_ application: UIApplication, didFailToRegisterForRemoteNotificationsWithError error: Error) {
VIDMobileSDK.shared().setRemoteNotificationsToken(pushTokenData: nil)
print("failed to registered for push notifications")
}
func application(_ application: UIApplication, didReceiveRemoteNotification notification: [AnyHashable : Any], fetchCompletionHandler completionHandler: @escaping (UIBackgroundFetchResult) -> Void) {
print("Did receive push: \(String(describing: notification["actionName"]))")
VIDMobileSDK.shared().handlePush(notification)
}
}Option #2
MobileSDK has alternative push notification mechanisms that can be enabled if APNS is not available / user opted out from receiving pushes. To enable this the container app needs to call VIDMobileSDK.shared().setRemoteNotificationsToken(pushTokenData: nil). You can add this to application(\_:didFinishLaunchingWithOptions:) if you don't want to enable Apple pushes or you can have more complex decisions based on application settings and user preferences.
Android
Before starting please check the Prerequisites section.
Include all the Veridium SDK dependencies in your project's library folder (e.g. libs)
Include Veridium SDK in build.gradle
android {
// Java compatibility is set to Java 1.8
compileOptions {
sourceCompatibility JavaVersion.VERSION_1_8
targetCompatibility JavaVersion.VERSION_1_8
}
}
repositories {
// We include libs directory into repositories to make VeridiumSDK available for importing
flatDir { dirs 'libs' }
google()
jcenter()
}
...
dependencies {
...
// Veridium SDK Modules
// ==================================
implementation(name: 'veridium-sdk-release', ext: 'aar')
implementation(name: 'veridium-core-release', ext: 'aar')
implementation(name: 'veridium-support-release', ext: 'aar')
implementation(name: 'veridium-secure-data-release', ext: 'aar')
implementation(name: 'veridium-fingerprint-release', ext: 'aar')
implementation(name: 'veridium-fingerprint-ui-release', ext: 'aar')
implementation(name: 'veridium-fourf-release', ext: 'aar')
implementation(name: 'veridium-fourf-ui-release', ext: 'aar')
implementation(name: 'veridium-analytics-release', ext: 'aar')
// ==================================
// Veridiumid SDK Modules
// ==================================
implementation(name: 'veridiumid-client-release', ext: 'aar')
implementation(name: 'veridiumid-http-release', ext: 'aar')
implementation(name: 'veridiumid-sdk-release', ext: 'aar')
implementation(name: 'veridiumid-uba-release', ext: 'aar')
implementation(name: 'veridiumid-otp-release', ext: 'aar')
implementation(name: 'veridiumid-vc-release', ext: 'aar')
implementation(name: 'veridiumid-dynamic-ui-release', ext: 'aar')
implementation(name: 'veridiumid-mobile-sdk-release', ext: 'aar')
// ==================================
// Optional VFace Biometrics Dependencies
// ==================================
implementation(name: 'veridium-vface-release', ext: 'aar')
implementation(name: 'veridium-vface-ui-release', ext: 'aar')
implementation(name: 'veridium-vface-camera-release', ext: 'aar')
implementation(name: 'veridiumid-vface-ui-release', ext: 'aar')
// ==================================
// External Veridium SDK dependencies
// ==================================
implementation "androidx.appcompat:appcompat:1.5.1"
implementation "com.google.android.material:material:1.7.0"
implementation "androidx.constraintlayout:constraintlayout:2.1.4"
implementation "androidx.annotation:annotation:1.1.0"
implementation ("com.journeyapps:zxing-android-embedded:4.3.0"){
transitive = false
}
implementation "com.google.zxing:core:3.3.0"
implementation "com.google.android.gms:play-services-safetynet:18.0.1"
implementation "com.google.android.gms:play-services-analytics:18.0.2"
implementation "com.google.android.gms:play-services-location:20.0.0"
implementation "com.google.android.play:core:1.10.3"
implementation "com.google.android.play:integrity:1.1.0"
implementation "com.google.code.gson:gson:2.9.1"
// We only use this for deserialize JWS from SafetyNet attestation response
implementation("com.google.http-client:google-http-client-gson:1.23.0") {
// We use the default client based on OkHttp
exclude group: 'org.apache.httpcomponents'
// We already import gson, and the internal dependency is an older version 2.1 of gson
exclude group: 'com.google.code.gson'
}
implementation 'com.squareup.okhttp3:okhttp:4.10.0'
implementation 'com.squareup.okhttp3:logging-interceptor:4.10.0'
implementation 'pl.droidsonroids.gif:android-gif-drawable:1.2.20'
implementation 'de.hdodenhof:circleimageview:3.1.0'
// ==================================
...
}
If you are building for release, with minifyEnabled option set to true, make sure you configured your proguard file with:
## Core Veridium SDK Modules
-keep class com.veridiumid.sdk.** { *; }
## Orchestrator Veridium SDK module
-keep class com.veridiumid.mobilesdk.** { *; }
## Samsung Pass SDK
-keep class com.samsung.** { *; }
-dontwarn com.samsung.**The container app will only use the VeridiumMobileSDK singleton from veridiumid-mobile-sdk-release.aar to access the functionalities of the SDK. The other libraries are subcomponents accessed and used internally.
The Veridium Mobile SDK needs licenses to operate. Add the license provided by VeridiumID in your AndroidManifest.xml.
Setup VeridiumId License in AndroidManifest.xml
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<application>
...
// Setup SDK license
<meta-data
android:name="com.veridiumid.sdk.LICENSE"
android:value="<your_veridium_id_sdk_license>"/>
// Optional activity handler for VFace biometrics opperations
<activity
android:name="com.veridiumid.sdk.vface.ui.VFaceMobileBiometricsActivity"
android:label="VFACE"
android:screenOrientation="portrait">
<meta-data
android:name="com.veridiumid.sdk.component.config"
android:value="uid=VFACE, optional=false, validator=com.veridiumid.sdk.vface.VFaceValidator" />
</activity>
...
</application>
</manifest>Initialize the VeridiumMobileSDK when Application is created:
Initialize VeridiumSDK
public class App extends Application {
...
@Override
public void onCreate() {
super.onCreate();
VeridiumConfiguration config = new VeridiumConfiguration.Builder(this)
.with(new VeridiumSDKVFaceInitializer()) // Only if VFace dependencies are used
.build()
VeridiumMobileSDK.init(this, config);
}
...
}Push Notifications handling is the responsibility of the container app. In order to provide push notifications using internal polling system the SDK will notify via NotificationsListener and the container app needs to forward it to the SDK.
Some notifications requires user action (e.g. authentication) in order to get consumed. A sample on how to achieve this can be found below:
UI customization
You can define custom colors inside your own colors.xml file:
veridiumid_color_primary: background color of the Toolbarveridiumid_color_primary_dark: color of the status barveridiumid_color_surface: the color for windows background (activity and dialogs)veridiumid_color_on_primary: the color for texts displayed on -veridiumid_color_primarybackgroundveridiumid_color_accent: to color for controls (checkbox, switches, progress) in activated stateveridiumid_color_button: the color of button backgroundveridiumid_color_text_button: the color of button textveridiumid_text_color_primary: the color used for most of the textsveridiumid_text_color_secondary: the color used for secondary, disabled texts and not active controlsveridiumid_text_color_hint: the color used for input text placeholder when the input is emptyveridiumid_color_divider: the color for list dividersveridiumid_color_warning: the color used to illustrate warnings (input text error etc.)veridiumid_color_map_overlay: the color used to draw a transparent circle on context map
Push notifications SDK forwarding
public class NotificationHandler implements NotificationsListener {
private Queue<VeridiumIdPendingIntent> mPendingIntents;
@Override
public void onNotificationsReceived(List<VeridiumIdNotification> notifications) {
for (VeridiumIdNotification notification : notifications) {
VeridiumIdPendingIntent pendingIntent = VeridiumMobileSDK.getInstance().processNotification(notification);
if (pendingIntent != null)
mPendingIntents.offer(pendingIntent);
}
}
public VeridiumIdPendingIntent getPendingNotification() {
return mPendingIntents.poll();
}
}
// Registering
NotificationHandler notificationHandler = new NotificationHandler();
VeridiumMobileSDK.getInstance().setNotificationListener(notificationHandler);
// Consume notifications that requires user action (e.g. authentication)
VeridiumIdPendingIntent pendingNotification = notificationHandler.getPendingNotification();
if (pendingNotification != null && pendingNotification.hasPendingIntent()) {
try {
pendingNotification.launchPendingIntent(this, REQUEST_CODE_NOTIFICATION_HANDLE);
} catch (IntentSender.SendIntentException e) {
e.printStackTrace();
}
}As alternative, a 3rd party push notifications service can be included. In the example blow we illustrate how to forward Push Notifications to SDK using Firebase.
This has a prerequisite to create a Firebase project and setup in the Android application. The firebase token needs to be passed to the VeridiumMobile SDK after every intialization, otherwise the default implementation will use internal push notification mechanism described above.
Push notifications SDK forwarding using Firebase
public class App extends Application {
private static App sInstance;
private SharedPreferences mSharedPreferences;
private NotificationHandler mNotificationHandler;
...
@Override
public void onCreate() {
super.onCreate();
sInstance = this;
mSharedPreferences = ... // Init Shared Preferences
// We initialize Firebase App
FirebaseApp.initializeApp(this);
VeridiumMobileSDK.init(this, configuration);
// We get the pushRegistrationToken from persistence layer and pass it to the SDK
String pushRegistrationToken = mSharedPreferences.getString("firebase_token");
if(pushRegistrationToken != null)
VeridiumMobileSDK.getInstance().setPushRegistrationId(pushRegistrationToken);
}
public static App getInstance() {
return sInstance;
}
...
}Push notifications SDK forwarding using Firebase
public class FCMListeningService extends FirebaseMessagingService {
private SharedPreferences mSharedPreferences
private NotificationHandler mNotificationHanlder;
public void FCMListeningService() {
}
@Override
public void onCreate() {
super.onCreate();
mAppPreferences = App.getInstance().getPreferences();
}
@Override
public void onNewToken(String token) {
VeridiumMobileSDK.getInstance().setPushRegistrationId(token);
mSharedPreferences.edit().putString("firebase_token", token).apply();
}
@Override
public void onMessageReceived(RemoteMessage message) {
App.getInstance().getNotificationHandler().onNotificationReceived(message);
}
}
public class NotificationHanlder {
private final Queue<VeridiumIdPendingIntent> mPendingIntents;
public void onNotificationReceived(RemoteMessage remoteMessage) {
processNotificationPendingIntent(VeridiumMobileSDK.getInstance().processNotification(remoteMessage.getData()));
}
private void processNotificationPendingIntent(VeridiumIdPendingIntent pendingIntent) {
if (!pendingIntent.hasPendingIntent())
return;
mPendingIntents.offer(pendingIntent);
}
}
// Consume notifications that requires user action (e.g. authentication)
VeridiumIdPendingIntent pendingNotification = notificationHandler.getPendingNotification();
if (pendingNotification != null && pendingNotification.hasPendingIntent()) {
try {
pendingNotification.launchPendingIntent(this, REQUEST_CODE_NOTIFICATION_HANDLE);
} catch (IntentSender.SendIntentException e) {
e.printStackTrace();
}
}Note: Both push notification methods can be enabled and the Veridium SDK will multiplex between them at initialization time based on VeridiumMobileSDK.getInstance().setPushRegistrationId(token) was called with a non-null token.
Unlock Server communication (deprecated with version 4.0.0)
After app start but before any server communication the client certificate used for device authentication needs to be unlocked. Starting with version 4.0.0 of the SDK this is done implicitly by the SDK before the first VeridiumID server call is made after an app restart. The unlock delegate was removed as well.
Still, to know in what state the SDK is you can call
iOS unlock
class SplashViewController: UIViewController {
...
func initializeApp() {
// removed in 4.0.0
// VIDMobileSDK.shared().unlockDelegate = self
let state = VIDMobileSDK.shared().getState()
switch state {
case .serverPairing:
// account not enrolled yet
break
case .accountRegisteredAndBiometricsSet:
// removed in 4.0.0
//self.unlockCompletion = {
// SDK unlocked successfully
}
//VIDMobileSDK.shared().unlockDelegate = self
//VIDMobileSDK.shared().unlock()
break
case .initializeFailure:
// SDK initialization failed
break
}
}
}
// removed in 4.0.0
//MARK: handlers for VIDUnlockDelegate
extension SplashViewController: VIDUnlockDelegate {
func didStartUnlock() {
}
func didFinishUnlock() {
VIDMobileSDK.shared().unlockDelegate = nil
self.unlockCompletion?()
}
func didFailUnlock(error: VIDError) {
}
}Android unlock
class SplashViewController: UIViewController {
// removed in 4.0.0
public class UnlockHandler implements IInitDelegate {
void unlock(){
VeridiumDelegateManager.getInstance().setInitDelegate(this);
VeridiumMobileSDK.getInstance().unlock();
}
@Override
public void onInitResponse(InitResponse initResponse) {
Log.d(TAG, "Received init response: deviceStatus" + initResponse.getDeviceStatus(), initResponse.getError());
if (initResponse.getError() != null) {
// We handle errors inside
} else if (initResponse.getDeviceStatus() == DeviceStatus.ACTIVATED) {
// Unlock finished successfully
} else {
// We handle different cases based on device state
}
});
}
// Added in 4.0.0
VeridiumMobileSDK.getInstance().connect(new Callback<List<VeridiumIdAccount>>() {
@Override
public void onSuccess(List<VeridiumIdAccount> accounts) {
if (accounts.isEmpty()) {
// There are no accounts paired.
} else {
// The sdk connected with success and has enrolled profiles.
}
}
@Override
public void onFailure(Throwable throwable) {
// We handle connect errors here. Only blocking errors will be received here (e.g. invalid/expired license retrieved from server)
}
});Calling the MobileSDK and receiving responses
MobileSDK methods can be synchronous or asynchronous. The type is specified for each method in the code documentation.
iOS Asynchronous method handling
When calling asynchronous methods responses are sent back through delegates. In order to receive responses, implement the delegate interface in the container app and handle responses accordingly.
E.g. since authentication is an asynchronous method, in order to know when the execution finished and with what result the container app needs to implement VIDAuthenticationDelegate and subscribe itself as handler in the SDK
In order to subscribe to the delegate handler use:
VIDMobileSDK.shared().authenticationDelegate = self
Android Asynchronous method handling
On Android there are 2 different types of asynchronous methods:
Async methods that requires user action (e.g. enrollment, authentication). These methods can be identified when the retrun type is VeridiumIdPendingIntent. This allows the container application to perform the action on sdk at any desired time by calling VeridiumIdPendingIntent#launchPendingIntent(Activity actiivity, int requestCode). The result is received in onActivityResult(int requestCode, int resultCode, \@Nullable Intent* data). The data contains the result under data.getParcelableExtra(VeridiumMobileSDK.VERIDIUMID_KEY_ERROR_EXTRA) if the action completed with error or data.getParcelableExtra(VeridiumMobileSDK.VERIDIUMID_KEY_RESPONSE_EXTRA) if result completed with success.
Async methods that do not requires user action (e.g. getProfiles) are using Callback interface to send back successful or failed results back.
In the following sections there are code snippets for mobile platforms to integrate into the Veridium workflows.
The sections describe a complete integration with server and mobile coding. If your integration uses a standard VeridiumID server with a standard Integration Adaptor, you can ignore the server-side code snippets, but be sure you understand the diagrams and the interaction between all actors.