This repository contains sample apps and code snippets to showcase and provide guidance when developing mobile applications with the IBM Security Verify SDK. The following steps will help you get started.
To access the SDK you need to sign in with an IBMid account. Create your free IBMid and navigate to IBM AppExchange to download the SDK.
| SDK Version | API 26 | API 27 | API 28 | API 29 | API 30 | API 31 | API 32 | API 33 | API 34 | Gradle Version |
|---|---|---|---|---|---|---|---|---|---|---|
| v2.1.9 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes (Targeted) | Yes | 8.0 |
The SDK can be used in Android Studio.
See our instructions on configuring your project with the SDK.
With version 2.0.6, the SDK requires the AndroidX support library. To use AndroidX is the recommended by Google and the migration of existing projects is supported by Android Studio.
Please note: the IBM Security Verify SDK itself is not part of the samples and needs to be downloaded from IBM AppExchange and added to the VerifySdk folder in the project.
Available samples and snippets include:
| Name | Type | Description |
|---|---|---|
| OAuth token using ROPC grant | Sample | This example demonstrates acquiring and refreshing an OAuth token. |
| QR code scanning | Sample | This example demonstrates scanning a QR code for one-time password (OTP) generation or multi-factor authentication (MMFA) with ISAM. |
| Create Authenticator | Sample | This example demonstrates to bootstrap a MFA authenticator with IBM Cloud Identity and IBM Security Access Manager, starting from scanning a QR code. |
| Get OAuth token | Snippet | The SDK supports the ROPC grant flow. |
| Key pair generation | Snippet | Key pairs are used in the SDK to sign challenges, coming from IBM Security Access Manager. The private key remains on the device, whereas the public key gets uploaded to the server as part of the mechanisms enrollment. |
| Signing data | Snippet | The public key would be stored on a server and provide the challenge text to the client. The client uses the private key to sign the data which is sent back to the server. The server validates the signed data against the public key to verify the keys have not been tampered with. |
| Certificate pinning | Snippet | Compares a certificate stored in the mobile app as being the same certificate presented by the web server that provides the HTTPS connection. |
IBM Security Verify is a mobile app for multi-factor authentication (MFA) with IBM Security Verify and IBM Security Verify Access. IBM Security Verify for Android features:
- One-time password (OTP) generation
- Device registration and enrolment
- Multi-tenant services for push notification
- Built on the IBM Security Verify SDK for Android
For more information about IBM Security Verify for Android, navigate to the user guide.
The Verify SDK for Android will support continuous delivery for features and security vulnerabilties and defects into the latest stream. Security vulnerabilties and critical defects will be backported into older SDK Versions. Support is defined as fixing of critical security vulnerabilties and defects. Support does not imply new feature enhancements.
| What's supported and what's not | Latest SDK Versions (API 33) | SDK Versions < API 33 |
|---|---|---|
| Android Studio updates | Yes | No |
| Java updates | Yes | No |
| New features | Yes | No |
| Security Vulnerabilties | Yes | Yes |
| Critical Defects | Yes | Yes |
| Android API version updates | Yes | No |
IBM has an internal development and release process for ensuring code quality and to mitigate the risk of vulnerabilities. As part of the development process, all products are scanned by security vulnerability scanning tools to mitigate the risks of at least the following:
In addition, IBM Security products are developed and tested according to the best practices outlined in the IBM Secure Engineering Framework
http://www-03.ibm.com/security/secure-engineering/
We do not provide external security certifications for the Verify SDK. IBM recommends professional security scanning be performed on all mobile apps built with the IBM Security Verify SDK.
The contents of this repository are open-source under this license. The IBM Security Verify SDK itself is closed-source.
Copyright 2018, 2023 International Business Machines
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Google Play and the Google Play logo are trademarks of Google Inc.