The IBM Verify SDK is a library available for Android and iOS that provides classes to create rich native client mobile applications that interact with IBM Cloud Identity and IBM Security Access Manager, so that enterprises can easily integrate flexible and intelligent multi-factor authentication into their applications.
Multi-factor authentication (MFA) verifies an individual’s identity by the possession of a mobile device as a first factor and a unique biometric identifier, which is verified on that device, as the second factor. Using mobile devices and biometric characteristics enables users to authenticate with minimal reliance on passwords and reduces the threat of unauthorized access to sensitive resources. The IBM Verify SDK supports the following authentication methods (or combinations thereof):
- Face ID (iOS only)
- Fingerprint / Touch ID
- Time-based OTP
- User Presence
This tutorial walks you through the creation of an application project for Android and iOS and how to add the IBM Verify SDK to it.
Android
Prerequisites
- Download the IBM Verify SDK (Android) bundle from IBM AppExchange (you need to obtain an IBMid if you do not have one yet and select the “Software Development Kit” check-box in the category bar on the left to narrow down the search) and extract the contents to a folder that is easily located.
- Install Android Studio.
Setup Your Project
1. Start Android Studio and create a new project, accepting the default settings and setting the minimum supported version to Android 6.0 (API 23).
2. Go to File -> Project Structure... and add a new module by clicking on the + symbol in the upper left corner.
3. Select Import .JAR/.AAR package and click Next.
4. Click on the Browse button for the File name and select the VerifySdk.aar. Click Finish.
5. The VerifySDK will appear in the list of Modules on the left sidebar. Select the app and in the tab view, click on the Dependencies tab.
6. Add the VerifySdk as a dependency by clicking on the + symbol at the bottom. Select Module dependency.
7. Select the VerifySdk module in the dialog.
8. Close all dialogs by clicking on Ok.
9. Sync your project with Gradle (that should happen automatically – if not, click on File -> Sync Project with Gradle Files).
Configure Your Project
build.gradle
Add these lines to support Java 8 language features:
android {
    compileOptions {
        sourceCompatibility JavaVersion.VERSION_1_8
        targetCompatibility JavaVersion.VERSION_1_8
    }
}
ProGuard
Please note: this step is only required if you want to obfuscate your code when you publish an app.
The SDK does not provide an embedded ProGuard configuration file, because you would not be able to override embedded settings if you had to. If you want to use ProGuard in your app, add this to your build.gradle:
android {
    buildTypes {
        release {
            minifyEnabled true
            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
        }
    }
}
Create a proguard-rules.pro file in the app folder of your project and add this configuration that we use in our IBM Verify app:
###--------------- Begin: proguard configuration for Verify SDK ----------
-keep class com.ibm.security.verifysdk.OnPremiseMetadata$*Metadata* { *; }
-keepclasseswithmembers class com.ibm.security.verifysdk.**Parser** { *; }
-keepclasseswithmembers class com.ibm.security.verifysdk.OnPremiseTransactionResult** { *; }
-keepclasseswithmembers class com.ibm.security.verifysdk.**Info { *; }
-keepclasseswithmembernames class * implements com.ibm.security.verifysdk.IMfaAuthenticator {
    public static final android.os.Parcelable$Creator CREATOR;
}
-keepclasseswithmembernames class * implements com.ibm.security.verifysdk.IAuthenticator {
    public static final android.os.Parcelable$Creator CREATOR;
}
-keep, includedescriptorclasses class * implements com.ibm.security.verifysdk.IMfaAuthenticator {
    !private *;
    !protected *;
    public *;
}
-keep, includedescriptorclasses class * implements com.ibm.security.verifysdk.IAuthenticator {
    !private *;
    !protected *;
    public *;
}
-keep, includedescriptorclasses public abstract class com.ibm.security.verifysdk.OtpGeneratorContext {
    !private *;
    !protected *;
    public *;
}
-keep, includedescriptorclasses public abstract class com.ibm.security.verifysdk.AuthenticationMethod {
    !private *;
    !protected *;
    public *;
}
# Keep the names of native methods so JNI lookups still resolve
-keepclasseswithmembernames,includedescriptorclasses class * {
    native <methods>;
}
# Keep everything Java serialization looks up by name
-keepnames class * implements java.io.Serializable
-keepclassmembers class * implements java.io.Serializable {
    static final long serialVersionUID;
    private static final java.io.ObjectStreamField[] serialPersistentFields;
    !static !transient <fields>;
    private void writeObject(java.io.ObjectOutputStream);
    private void readObject(java.io.ObjectInputStream);
    java.lang.Object writeReplace();
    java.lang.Object readResolve();
}
###--------------- End: proguard configuration for Verify SDK ----------
If you use ProGuard, you will also have to add settings for the other libraries used by the SDK, which are listed below. See the ProGuard manual for further details.
Libraries
The SDK uses the following open source libraries:
- RxJava2
- Retrofit2 (okhttp3)
- Jackson
- Gson
- RootBeer
These libraries are not bundled with the SDK, so you need to add them as dependencies in the build.gradle file for your app:
dependencies {
    implementation 'com.google.android.gms:play-services-vision:15.0.2'
    implementation 'com.google.android.gms:play-services-gcm:15.0.1'
    implementation 'com.scottyab:rootbeer-lib:0.0.7'
    implementation 'com.google.code.gson:gson:2.8.2'
    implementation 'com.fasterxml.jackson.core:jackson-databind:2.9.4'
    implementation 'com.fasterxml.jackson.core:jackson-core:2.9.4'
    implementation 'com.fasterxml.jackson.core:jackson-annotations:2.9.2'
    implementation 'io.reactivex.rxjava2:rxjava:2.1.12'
    implementation 'io.reactivex.rxjava2:rxandroid:2.0.1'
    implementation 'com.squareup.retrofit2:retrofit:2.4.0'
    implementation 'com.squareup.retrofit2:converter-gson:2.4.0'
    implementation 'com.squareup.retrofit2:converter-jackson:2.4.0'
    implementation 'com.squareup.retrofit2:adapter-rxjava2:2.4.0'
    implementation 'com.squareup.okhttp3:logging-interceptor:3.5.0'
}
The first two lines with Google Play Services are required for the QR code scan activity that comes with the SDK (see also next section).
AndroidManifest.xml
The SDK contains an activity UIQRScanView that provides QR code scan capabilities. Add these lines to the application tag in the AndroidManifest.xml:
<meta-data android:name="com.google.android.gms.vision.DEPENDENCIES"
    android:value="barcode" />
<activity android:name="com.ibm.security.verifysdk.UIQRScanView" />
As the app needs to invoke the camera, it must have the following line in the manifest tag:
<uses-permission android:name="android.permission.CAMERA" />
Sample Code
As an example, we leverage the OTP calculation capability of the SDK. Add this code to the onCreate method in MainActivity.java:
HotpGeneratorContext hotpGeneratorContext = new HotpGeneratorContext("AB4C", 6, HmacAlgorithm.SHA1, 0);
Log.i("SDK Demo", "HOTP: " + hotpGeneratorContext.create());
It initializes an HOTP object with a secret, the number of digits, the algorithm used and a counter. Once the app compiles and runs, you will see this line in logcat:
SDK Demo: HOTP: 630496
Android has the concept of Context, which provides services and access to resources. To give the SDK access to the context of your application, add this line as early as possible to your application:
ContextHelper.sharedInstance().setContext(getApplicationContext());
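You can extend the logging for network requests and responses with the line below. Level.BODY writes complete requests and responses, headers and bodies included, to logcat, so enable it in debug builds only: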
NetworkHandler.sharedInstance().setLoggingInterceptor(new HttpLoggingInterceptor().setLevel(HttpLoggingInterceptor.Level.BODY));
iOS
Prerequisites
- Download the IBM Verify SDK (iOS) bundle from IBM AppExchange (you need to obtain an IBMid if you do not have one yet and select the “Software Development Kit” check-box in the category bar on the left to narrow down the search) and extract the contents to a folder that is easily located.
- Install Xcode.
Setup Your Project
1. Start Xcode and create a new Swift project.
2. Open the folder where the SDK was extracted. Copy the Framework folder to the folder where you created the Xcode project in the previous step.
3. In the General settings, scroll down to the Embedded Binaries section and click on the + symbol.
4. Click on Add Other... in the next dialog.
5. Navigate to the Framework folder that was copied to your project folder in step 2. Select the IBMVerifyKit.framework, then click Open.
6. Click on Finish in the next dialog.
Sample Code
Add the following line to the header section of your ViewController.swift class:
import IBMVerifyKit
To do the same OTP example as for Android, add these lines to the viewDidLoad() method:
var generator = HOTPGenerator(secret: "AB4C", digits: 6, algorithm: HmacAlgorithm(.sha1), counter: 0)
print("OTP: \(String(describing: generator?.create()))")
And this is the output you should then see:
OTP: Optional("630496")
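What the four arguments in the Android and iOS samples above (secret, digits, algorithm, counter) feed into, shown as a platform-neutral RFC 4226 reference in Python; this is an added example, not IBM Verify SDK code. It uses the RFC's published test secret as raw bytes, because the page does not state how the SDK decodes the string "AB4C", and verify_hotp with its look_ahead parameter is a hypothetical server-side helper.

```python
import hashlib
import hmac
import struct

# Constructed input: the published RFC 4226 Appendix D test secret, as raw bytes.
RFC_SECRET = b"12345678901234567890"
DIGESTS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    if digits not in (6, 7, 8):
        raise ValueError("RFC 4226 codes are 6 to 8 digits long")
    mac = hmac.new(secret, struct.pack(">Q", counter), DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear sign bit
    return str(value % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the number of elapsed time steps."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_hotp(secret: bytes, submitted: str, counter: int, look_ahead: int = 3):
    """Server-side check (hypothetical helper): returns the next counter to store, or None.

    The look-ahead window tolerates codes generated but never submitted; advancing the
    stored counter past the matched value is what makes an accepted code single-use.
    """
    for candidate in range(counter, counter + look_ahead + 1):
        expected = hotp(secret, candidate)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return candidate + 1
    return None


if __name__ == "__main__":
    print("HOTP counter=0:", hotp(RFC_SECRET, 0))
    print("TOTP t=59, 8 digits:", totp(RFC_SECRET, 59, digits=8))
    print("accept code for counter 2 ->", verify_hotp(RFC_SECRET, "359152", 0))
    print("replay of counter 0's code ->", verify_hotp(RFC_SECRET, "755224", 1))
```

The counter is the only moving part of HOTP, so client and server must persist it; a code that verifies must never verify again.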
Next Steps
In this article, you have seen how to add the IBM Verify SDK to your project. The sample code demonstrated how to invoke the SDK for generating a HOTP. There are more complex examples available on GitHub, which also demonstrate UI based interactions and how to leverage MMFA capabilities on server side. You can find them here for Android and iOS.
The documentation of the SDK is part of the bundle, available on IBM AppExchange. I recommend reading it to learn how you can interact with the SDK.
If you have questions or feedback, please post them here for Android and iOS.