This repo is deprecated.
Please go to https://github.com/IBM-Security/verify-sdk-android
This repository contains sample apps and code snippets to showcase and provide guidance when developing mobile applications with the IBM Mobile Access SDK. The following steps will help you get started.
To access the SDK you need to sign in with an IBM ID account. Create your free IBM ID and navigate to Fix Central to download the SDK.
| SDK Version | API 21 | API 22 | API 23 | API 24 | API 25 | API 26 | Gradle Version | Comments |
|---|---|---|---|---|---|---|---|---|
| v1.2.6 | Yes | Yes | Yes | Yes | Yes (Targeted) | No | 2.3.3 | Usage of Fingerprint capabilities require API >= 23 |
The SDK can be used in Android Studio.
See our instructions on configuring your project with the SDK.
Available samples and snippets include:
| Name | Type | Description |
|---|---|---|
| MFA Fingerprint, PIN & Username/Password | Sample | This example demonstrates registering & authenticating a fingerprint or PIN with IBM MFA. In particular, this demonstrates quick login (after Username/Password login) with the on-device biometric or PIN. |
| MMFA Device Registration | Sample | This example demonstrates registering a device with IBM MMFA. |
| OAuth token using ROPC grant | Sample | This example demonstrates acquiring and refreshing an OAuth token. |
| Invoke username password policy | Sample | This example demonstrates invoking the username password policy. |
| QR code scanning | Sample | This example demonstrates scanning a QR code for one-time password (OTP) generation or multi-factor authentication (MMFA) with ISAM. |
| Get OAuth token | Snippet | The SDK supports the ROPC grant flow. |
| Certificate pinning | Snippet | Compares a certificate stored in the mobile app as being the same certificate presented by the web server that provides the HTTPS connection. |
| Key pair generation | Snippet | Key pairs are used in the SDK to sign challenges, coming from IBM Security Access Manager. The private key remains on the device, whereas the public key gets uploaded to the server as part of the mechanisms enrollment. |
| Signing data | Snippet | The public key would be stored on a server and provide the challenge text to the client. The client uses the private key to sign the data which is sent back to the server. The server validates the signed data against the public key to verify the keys have not been tampered with. |
IBM Verify is a mobile app for multi-factor authentication (MFA) with IBM Security Access Manager (ISAM). IBM Verify features:
- One-time password (OTP)
- Device registration and enrolment
- Multi-tenant services for push notification
- Built on the IBM Security Mobile Access SDK
For more information about IBM Verify, navigate to the user guide.
The Mobile Access SDK for Android will support continuous delivery for features and security vulnerabilties and defects into the latest stream. Security vulnerabilties and critical defects will be backported into Older SDK Versions. Support is defined as fixing of critical security vulnerabilties and defects. Support does not imply new feature enhancements.
| Here's a breakdown of what's supported and what's not | Latest SDK Versions (API 25) | Older SDK Versions (< API 25) |
|---|---|---|
| Android Studio updates | Yes | No |
| Java updates | Yes | No |
| New features | Yes | No |
| Security Vulnerabilties | Yes | Yes |
| Critical Defects | Yes | Yes |
| Android API version updates | Yes | No |
IBM has an internal development and release process for ensuring code quality and to mitigate the risk of vulnerabilities. As part of the development process, all products are scanned by security vulnerability scanning tools to mitigate the risks of at least the following:
In addition, IBM Security products are developed and tested according to the best practices outlined in the IBM Secure Engineering Framework
http://www-03.ibm.com/security/secure-engineering/
We do not provide external security certifications for the SDK. IBM recommends professional security scanning be performed on all mobile apps built with the ISAM SDK.
The contents of this repository are open-source under this license. The SDK itself is closed-source.
Copyright 2018 International Business Machines
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Google Play and the Google Play logo are trademarks of Google Inc.