Release notes v6.X

6.06.02

Bug-fixes

  • Fixed the "unsupported class javax.crypto.spec.IvParameterSpec" exception that was thrown during the Payload Encryption handshake on Android 8.1 (API 27)
  • Fixed migration of the preferred authenticator during the SDK version upgrade
  • Fixed a null pointer exception that may occur during user deregistration

6.06.01

Bug-fixes

  • Fixed a bug that corrupted the mobile authentication storage after any SDK update. All users must re-enroll for mobile authentication to fix the storage and mobile authentication functionality.

6.06.00

Features

  • Transaction signing support for mobile authentication with push.

Improvements

  • Google Guava is not an SDK dependency anymore.
  • Performance improvements.

Bug-fixes

  • The SDK no longer crashes when the PIN policy is not defined in the Token Server configuration.
  • Fixed a bug introduced in 6.05.00 where UserProfile might not be removed properly during deregistration.
  • Fixed a bug introduced in 6.05.00 that allowed only one SDK instance to be installed on the same device.

6.05.00

Improvements

  • The SDK exposes a new type of OkHttp client (via the DeviceClient#getUnauthenticatedResourceOkHttpClient method) that can be used to fetch resources without authentication.
  • The FIDO SDK dependencies are not required anymore unless the app actually uses FIDO authentication.
  • Improved error handling for FIDO authentication.
  • Added an experimental custom authenticator API. The API is not in its final state and should not be used for production apps.
  • Internal SDK data storage improvements.

6.04.08

Bug-fixes

  • Fixed the invalid PIN length error for PINs longer than 5 digits.

6.04.07

Bug-fixes

  • Fixed the "unsupported class javax.crypto.spec.IvParameterSpec" exception that was thrown during the Payload Encryption handshake on Android 8.1 (API 27)

6.04.06

Bug-fixes

  • Fixed preferred authenticator migration

6.04.05

Improvements

  • The SDK will not show any root permission dialogs on rooted devices anymore

6.04.04

Bug-fixes

  • Fixed a bug that corrupted the mobile authentication storage after any SDK update. All users must re-enroll for mobile authentication to fix the storage and mobile authentication functionality.

6.04.03

Bug-fixes

  • onNextAuthenticationAttempt was always called when the number of failed attempts was > 0 during push mobile authentication with PIN. If a new mobile authentication request arrives, the startAuthentication method must always be called.
  • Fixed a minor cache issue for client configuration.

6.04.02

Bug-fixes

  • The fingerprint authenticator was not marked as preferred after migrating from Android SDK version 5.x to 6.x in case the user had the fingerprint authenticator registered.

6.04.01

Improvements

  • Performance improvements

6.04.00

Improvements

  • Major update of the OkHttp client dependency (from 2.4.0 to the latest 3.5.0). The new client is now used in all SDK requests and is also exposed to the end app via the new methods: DeviceClient#getOkHttpClient(), DeviceClient#getAnonymousResourceOkHttpClient(), UserClient#getResourceOkHttpClient(). Old, deprecated methods will now return an instance of com.jakewharton.retrofit.Ok3Client for backwards compatibility.
  • The SDK will enable TLS 1.2 support for network calls on older Android 4.X devices, where it's disabled by default.
  • Update of the FIDO SDK to the latest 1.5.0 version.
  • New OneginiClientBuilder#setSecurityController that can be used for disabling root/debug detection.
  • The SDK won't deregister the fingerprint authenticator if fingerprint authentication was canceled by the end-user. Instead it will perform a fallback to PIN authentication.

6.03.01

Bug-fixes

  • Fixed a cookie store issue where cookies were never stored, even if the proper method in OneginiClientBuilder was set.

6.03.00

Improvements

  • The registration action is now performed with a new OneginiRegistrationRequestHandler.
  • When root or debug is detected before DCR, the SDK will still notify the Token Server about client abuse.

Bug-fixes

  • The SDK will return only UserProfiles that were able to finish the registration process. In previous versions, when the app was forced to close during the registration action, the SDK could return a corrupted profile object as registered.

6.02.00

Features

  • Support for FIDO UAF (Fast IDentity Online) authenticators.

Improvements

  • The SDK client will store cookies by default (if it wasn't set directly with OneginiClientBuilder#shouldStoreCookies() call).
  • Improved error handling when a user or device gets deregistered on the Token Server side during the SDK's runtime.

Bug-fixes

  • The SDK will throw an IllegalArgumentException when NULL is passed in public methods that require the UserProfile param.
  • A few smaller bug-fixes and improvements.

6.01.01

Bug-fixes

  • Fixed an internal data encryption issue where the data could be encrypted multiple times when the client config has changed.

6.01.00

Improvements

  • The OneginiClientConfigModel.getMaxPinFailures() method was removed. The SDK will use the maximum PIN failures limit that's declared in the Token Server configuration
  • Improved root and debug detection
  • The third-party libraries that are used by the Android SDK can now be resolved as transitive dependencies when including the SDK in an application
  • When the user provides a wrong PIN/fingerprint but the failed attempts limit has not been reached yet, the user won't get logged out

Bug-fixes

  • The getPreferredAuthenticator() method will return null if no user is currently authenticated
  • The SDK will return the proper error type DEVICE_DEREGISTERED if the device was deregistered on the Token Server side
  • Fixed Dynamic Client Registration functionality that could fail if the DCR was performed after device deregistration on the Token Server side
  • The SDK will throw the OneginiInitializationException if internal data decryption fails due to unrecoverable changes in the app client config
  • The SDK will throw the OneginiInitializationException if an optional RequestHandler was not set but is required to handle an authentication request
  • Other internal bugfixes and improvements

6.00.01

Bug-fixes

  • Fixed an error where the preferred authenticator could not be loaded properly

6.00.00

This is a stable release of the SDK v6.00.00. The main changes between the 6.00.00-BETA release and the stable release are described below.

Improvements

  • Brought the failed fingerprint attempts in line with the Android OS. The fingerprint scanner will get automatically blocked by the Android OS. If the fingerprint scanner is blocked (i.e. abuse is detected) the Onegini SDK will revoke fingerprint authentication for the current profile and a fallback to PIN authentication will be triggered
  • The handleAuthorizationCallback method has been renamed to handleRegistrationCallback
  • The package name has been renamed from com.onegini.mobile.android.sdk to com.onegini.mobile.sdk.android
  • The SDK will throw an OneginiInitializationException rather than a NullPointerException if it was used without a proper RequestHandler
  • When the user denies a mobile authentication request, the SDK will return an error with the ACTION_CANCELED type
  • New handler class OneginiDeviceAuthenticationHandler for the authenticateDevice method
  • All error type values are now in line with the error types in the iOS SDK
  • A new AuthenticationAttemptCounter object has been added to several methods in the OneginiPinAuthenticationRequestHandler and OneginiMobileAuthenticationPinRequestHandler interfaces
  • All classes that were deprecated and/or not used publicly have been removed
  • The asynchronous method void fetchNotRegisteredAuthenticators has been removed. A new synchronous method Set<OneginiAuthenticator> getNotRegisteredAuthenticators has been introduced
  • A new Set<OneginiAuthenticator> getAllAuthenticators method has been introduced
  • The getUser method has been renamed to getOpenIdUserInfo
  • The OneginiAuthenticator interface has new isRegistered and isPreferred convenience methods
  • The OneginiClientBuilder has a new setDeviceConfigCacheDurationSeconds method
  • Updated the Google Cloud Messaging library dependency from v8.4.0 to the latest v9.6.1

Bug-fixes

  • Fixed user registration that could not be finished because of the internal client config cache
  • The SDK will not 'hang' when a fingerprint authentication request is received but fingerprint is disabled for the given user
  • Increased the security for mobile authentication by using a stronger hashing algorithm
  • All internal data is wiped when the device is deregistered
  • Fixed certificate pinning issues for the latest Android Nougat release
  • The SDK will not return an error during the change PIN flow when the user provides a wrong PIN but has more attempts left

6.00.00-BETA

This is a BETA release that can still contain bugs and issues. You should not use it for any production releases!

Improvements

  • Completely redesigned the public API to make the SDK easier to use

Release notes v5.X

5.04.02

Improvements

  • Performance improvements

Bug-fixes

  • When the SDK can't decrypt internal data, all internal data will be removed rather than throwing an OneginiInitializationException

5.04.01

Bug-fixes

  • Fixed an internal data encryption issue where the data could be encrypted multiple times when the client config has changed.

5.04.00

Features

  • Brought the failed fingerprint attempts in line with the Android OS. The fingerprint scanner will get automatically blocked by the Android OS. If the fingerprint scanner is blocked (i.e. abuse is detected) the Onegini SDK will revoke fingerprint authentication for the current profile and a fallback to PIN authentication will be triggered.

Bug-fixes

  • The SDK will not 'hang' when a fingerprint authentication request is received but fingerprint is disabled for the given user
  • Increased the security for mobile authentication by using a stronger hashing algorithm

5.03.03

Bug-fixes

  • Fixed certificate pinning issues for the latest Android Nougat release

5.03.02

Bug-fixes

  • Fixed an OneginiConfigNotFoundException that could occur when the config model was provided as an argument in the OneginiClient.setupInstance method
  • Fixed a ClassNotFoundException that could occur when compiling an app with the SDK in a Windows environment

5.03.01

Bug-fixes

5.03.00

Features

  • Introduced multiple user profiles feature

Improvements

  • Improved root and debug detection
  • Improved security of fingerprint authentication

5.02.02

Bug-fixes

  • Fixed an internal data encryption issue where the data could be encrypted multiple times when the client config has changed.

5.02.01

Bug-fixes

5.02.00

Improvements

  • Changed the way the SDK allows secure resource calls to be performed. Introduced OneginiClient#getResourceRetrofitClient and OneginiClient#getAnonymousResourceRetrofitClient, which are meant to be used to build a Retrofit RestAdapter.
  • Deprecated ResourceHelperAbstract and AnonymousResourceHelperAbstract
  • Added a new topic guide chapter, performing-resource-calls

5.01.00

Bug-fixes

  • Fixed connectivity issues when the baseUrl property ended with a slash character

Improvements

  • Mobile Authentication security improvements
  • An OneginiClientNotValidatedException will be thrown when isPinValid() is called before client validation
  • Updated the Google Play Services library to the latest version (8.4.0)
  • Introduced a new documentation layout

5.00.01

Improvements

  • OneginiClient can be instantiated with a custom OneginiClientConfigModel implementation by calling #setupInstance(context, configModel) on OneginiClient

5.00.00

Features

  • Introduced the fingerprint authentication method for devices with Android 6.0 "Marshmallow" or newer

Improvements

  • The minimum required Android OS version for the SDK is now 4.1 (API level 16)
  • The SDK doesn't require an OneginiClientConfigModel instance to be passed during initialization - the config model will be loaded automatically using a reflection API
  • The SDK supports the latest Android version "6.0 Marshmallow" (API level 23)
  • The SDK doesn't require the android.permission.GET_ACCOUNTS permission anymore to handle push messages
  • Updated 3rd party dependencies (for a list of dependencies please refer to the documentation: Introduction #4 Used libraries)
  • Security improvements

Bug-fixes

  • Fixed issues that were occurring when ProGuard was used to obfuscate the top-level application
  • Fixed an infinite loop issue during anonymous requests when client credentials were invalid

Release notes v4.X

4.02.02

Bug fixes

  • Fixed authorization flow for anonymous resource calls

4.02.01

Bug fixes

  • Fixed an issue with SharedPreferences missing keys when obfuscation was enabled

4.02.00

Features

  • All data stored by the SDK in Android's SharedPreferences are encrypted

Improvements

  • Encrypted communication will be handled using binary data
  • All permissions required by the SDK are included and declared by the SDK itself

4.01.02

Improvements

  • Updated google-play-services and build-tools dependencies to the latest versions

4.01.01

Bug fixes

  • Fixed an obfuscation issue in the AnonymousResourceHelperAbstract layer

4.01.00

Features

  • The ResourceHelper abstract layer accepts a custom RequestInterceptor, which can be used to extend the original request with additional headers or parameters

Improvements

  • Removed deprecated methods and interfaces

4.00.00

Features

  • The SDK is capable of sending and handling encrypted communication - Payload Encryption

Improvements

  • Removed multi-catch syntax to fix possible issues on older Android versions

Release notes v3.X

3.05.00

Features

  • Payload encryption handshake implementation

Bug fixes

  • Fixed client validation loop detection handling
  • Fixed an SSL TrustManager security issue

3.04.00

Features

  • OS version detection
  • Device CPU architecture detection

Improvements

  • Removed unused, deprecated properties from OneginiConfigModel: shouldConfirmPin, shouldDirectlyShowPushMessage

3.03.00

Features

  • Improved root/debug detection
  • The SDK uses a custom user-agent header

3.02.02

Bug fixes

  • Fixed a bug in accessing the application when using an encrypted clientSecret

3.02.01

Features

  • The SDK calculates the application secret on its own; #getAppSecret has been removed from the OneginiClientConfigModel interface.
  • Support for debug mode/environment detection.
  • Support for rooted device detection.
  • Added Dynamic Client Update flow support.
  • Added tampering detection

3.02.00

Features

  • Forced update support. The SDK validates against the Token Server whether the current application version can still be used and, if not, notifies that an update is needed.
  • Extended error handling within the DCR process. All connectivity and other unexpected errors that occur within the DCR flow will be mapped to the general #authorizationError handler instead of #authorizationErrorClientRegistrationFailed

Release notes v2.X

2.04.05

Features

  • Added an option to configure whether cookies should be kept between requests
  • The SDK doesn't provide any base dialog implementations (for example PinDialog); it's the responsibility of the end developer to provide these layers
  • The SDK exposes a new API to validate a provided PIN against the set PIN policy
  • Added an option to configure the timeouts on HTTP calls