Instructions for upgrading the Onegini Android SDK to version 11.2
New tampering protection
For many years the Onegini SDK protected mobile apps from tampering by checking their binaries for any modifications in source code or assets. With the tampering protection enabled the app developers gained confidence that apps installed by customers do not contain malicious code injected by an attacker. Unfortunately, such verification was too strict to allow the app developers to use some functionalities like Play App Signing or App Bundles, since those functionalities were able to modify the binary file protected by the SDK.
Starting with Android SDK 11.2.0 we're introducing a new tampering protection functionality. The new feature does not check what the app contains but who created the app. Whenever the user installs the app on a device, the Android SDK checks if the certificate used to sign the app matches the one configured on the Token Server. This approach allows you to use features like App Bundles, as long as the app is signed by a trusted certificate.
The new functionality does not require any changes in the code of the mobile app, but you need to add your trusted certificates to the configuration of the Token Server. To read more about the certificate and configuration please follow the Application integrity chapter.
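To confirm which signing certificate a device actually sees before you configure it on the Token Server, the following added example (not Onegini SDK code and not from the original page) reads the SHA-256 fingerprint of the installed app's signer using standard Android APIs. The function name installedSignerFingerprints is hypothetical, and the fingerprint format the Token Server expects is an assumption to check against the Application integrity chapter.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import java.security.MessageDigest

// Added illustration, not part of the Onegini SDK.
// Returns the SHA-256 fingerprints (colon-separated upper-case hex) of the
// certificate(s) that signed the APK currently installed on this device.
fun installedSignerFingerprints(context: Context): List<String> {
    val pm = context.packageManager
    val certs: List<ByteArray> =
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            // API 28+: apkContentsSigners holds the current signer(s) only,
            // without certificates the app has rotated away from.
            val info = pm.getPackageInfo(
                context.packageName,
                PackageManager.GET_SIGNING_CERTIFICATES
            )
            info.signingInfo?.apkContentsSigners.orEmpty().map { it.toByteArray() }
        } else {
            // Older devices: fall back to the deprecated signatures field.
            @Suppress("DEPRECATION")
            val info = pm.getPackageInfo(
                context.packageName,
                PackageManager.GET_SIGNATURES
            )
            @Suppress("DEPRECATION")
            info.signatures.orEmpty().map { it.toByteArray() }
        }

    // Signature.toByteArray() is the DER-encoded X.509 certificate, so this
    // digest is the certificate's SHA-256 fingerprint.
    return certs.map { der ->
        MessageDigest.getInstance("SHA-256")
            .digest(der)
            .joinToString(":") { "%02X".format(it) }
    }
}
```

With Play App Signing the installed app is signed with the app signing key managed by Google Play, not with your upload key, so run this check on a build installed from the distribution channel you intend to trust.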
New error INVALID_DATETIME
The Onegini MSP uses epoch timestamps for registering and validating mobile devices. In very rare cases, when the mobile device has an incorrect date or time set, the SDK will not be able to register and verify the client. In such cases the SDK will return a new INVALID_DATETIME error that can be used to indicate possible issues with the date or time that was set on the device.
Third-party libraries were updated
A couple of third-party libraries were updated. If you provide the SDK as an aar archive, please update the dependencies in your project:
Kotlin Standard Library JDK 7 extension was updated to version 1.5.10:
org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.5.10
BouncyCastle library was updated to version 1.69:
org.bouncycastle:bcpg-jdk15on:1.69
org.bouncycastle:bcprov-jdk15on:1.69
This update can possibly cause a build error Failed to transform bcprov-jdk15on-1.69.jar... in your app. Please check out the Q&A for a solution.