Merge pull request #550 from /issues/544-prepare-release-1.8

Prepare release 1.8

Note: Bypassing branch protection because the unsigned commit is due to rebase done by github itself

PowerAuth2.podspec

@@ -23,8 +23,8 @@ Pod::Spec.new do |s|
         :submodules => true
     }
 
-    s.ios.deployment_target  = '11.0'
-    s.tvos.deployment_target = '11.0'
+    s.ios.deployment_target  = '12.0'
+    s.tvos.deployment_target = '12.0'
 
     # XCFramework  build    
     s.prepare_command = <<-CMD

PowerAuthCore.podspec

@@ -22,8 +22,8 @@ Pod::Spec.new do |s|
         :submodules => true
     }
 
-    s.ios.deployment_target  = '11.0'
-    s.tvos.deployment_target = '11.0'
+    s.ios.deployment_target  = '12.0'
+    s.tvos.deployment_target = '12.0'
 
     # XCFramework  build    
     s.prepare_command = <<-CMD

docs/Migration-from-1.7-to-1.8.md

@@ -49,10 +49,17 @@ Legacy PowerAuth configuration:
   - `commitActivationWithAuthentication()` is now `persistActivationWithAuthentication()`
   - All variants of `commitActivationWithPassword()` are now `persistActivationWithPassword()`
   - All variants of `commitActivation()` are now `persistActivation()`
+  - All variants of `authenticateUsingBiometry()` are now replaced with `authenticateUsingBiometrics()` with `IAuthenticateWithBiometricsListener` interface returning `PowerAuthAuthentication` in success.
 
-- The `ICommitActivationWithBiometryListener` is now deprecated and you can use `IPersistActivationWithBiometryListener` as a replacement.
+- The `ICommitActivationWithBiometryListener` is now deprecated and you can use `IPersistActivationWithBiometricsListener` as a replacement.
 
-- The biometry-related methods in `PowerAuthSDK` are no longer annotated as `@RequiresApi(api = Build.VERSION_CODES.M)`. This change may lead to a several dead code branches in your code if you still support devices older than Android 6.0.
+- The `PowerAuthAuthentication` object is now immutable object.
+
+- `PowerAuthErrorCodes` now contains the following new error codes:
+  - `TIME_SYNCHRONIZATION` indicating a problem with the time synchronization.
+  - `BIOMETRY_NOT_ENROLLED` indicating that device has no enrolled biometry.
+
+- The biometry-related methods in `PowerAuthSDK` are no longer annotated as `@RequiresApi(api = Build.VERSION_CODES.M)`. This change may lead to a several dead code branches in your code if you still support devices older than Android 6.0. 
 
 - Removed all interfaces deprecated in release `1.7.x`
 
@@ -142,10 +149,14 @@ Visit [Synchronized Time](https://developers.wultra.com/components/powerauth-mob
   - `.commitWithPasswordAndBiometry(password:)` is now `.persistithPasswordAndBiometry(password:)`
   - `.commitWithPasswordAndBiometry(password:customBiometryKey:customPossessionKey:)` is now `.persistWithPasswordAndBiometry(password:customBiometryKey:customPossessionKey:)`
 
+- The `PowerAuthAuthentication` object is now immutable and no longer implements `NSCopying` protocol.
+
 - `PowerAuthErrorCode` now contains new `.timeSynchronization` case indicating a problem with the time synchronization.
 
 - Removed all interfaces deprecated in release `1.7.x`
 
+- Minimum deployment target updated to iOS 12 and tvOS 12
+
 ### Other changes
 
 #### Synchronized time
@@ -203,10 +214,42 @@ Visit [Synchronized Time](https://developers.wultra.com/components/powerauth-mob
 
 ### API changes
 
-- TBA
+- `PowerAuthConfiguration` - class now supports only the simplified configuration.
+  - Use new object constructor with all required parameters:
+    ```swift
+    let config = PowerAuthConfiguration(
+        instanceId: "your-instance-id",
+        baseEndpointUrl: "https://api.wultra.com/enrollment-server",
+        configuration: "ARDDj6EB6iA...H9bMk8Ju3K1wmjbA=="
+    )
+    ```
+  - Removed `applicationKey`, `applicationSecret`, `masterServerPublicKey`, `disableAutomaticProtocolUpgrade` properties.
+
+- The `PowerAuthAuthentication` object is now immutable object and no longer implement `NSCopying` protocol.
+
+- Removed all interfaces deprecated in release `1.7.x` 
+
+- Minimum deployment target updated to iOS 12 and tvOS 12.
 
 ## watchOS
 
 ### API changes
 
-- TBA
+- `PowerAuthConfiguration` - class now supports only the simplified configuration.
+  - Use new object constructor with all required parameters:
+    ```swift
+    let config = PowerAuthConfiguration(
+        instanceId: "your-instance-id",
+        baseEndpointUrl: "https://api.wultra.com/enrollment-server",
+        configuration: "ARDDj6EB6iA...H9bMk8Ju3K1wmjbA=="
+    )
+    ```
+  - Removed `applicationKey`, `applicationSecret`, `masterServerPublicKey`, `disableAutomaticProtocolUpgrade` properties.
+
+- The `PowerAuthAuthentication` object is now immutable object and no longer implement `NSCopying` protocol.
+
+- Removed all interfaces deprecated in release `1.7.x`
+
+## Known Bugs
+
+The PowerAuth SDKs for iOS and tvOS App Extensions, as well as for watchOS, do not use time synchronized with the server for token-based authentication. To avoid any compatibility issues with the server, the authentication headers generated in your App Extension or on watchOS still use the older protocol version 3.1. This issue will be fixed in a future SDK update.

docs/Supported-Versions.md

@@ -2,8 +2,8 @@
 
 We currently support the following versions of mobile OS:
 
-- iOS 11.0
-- tvOS: 11.0
+- iOS 12.0
+- tvOS: 12.0
 - watchOS 4.0
 - macOS Catalyst: 10.15
 - Android 4.4 (API level 19)
@@ -14,7 +14,7 @@ We currently support the following versions of mobile OS:
 
 On iOS:
 
-- We offer the biometry support since iOS 9.0, the used biometric type depends on the particular device capabilities.
+- The used biometric type depends on the particular device capabilities.
 
 On Android:
 

proj-android/PowerAuthLibrary/src/main/java/io/getlime/security/powerauth/biometry/BiometricKeyData.java

@@ -18,6 +18,8 @@
 
 import androidx.annotation.NonNull;
 
+import java.util.Arrays;
+
 /**
  * The {@code BiometricKeyData} class contains result from the biometric authentication in case that
  * authentication succeeded.
@@ -61,4 +63,12 @@ public BiometricKeyData(@NonNull byte[] dataToSave, @NonNull byte[] derivedData,
     public boolean isNewKey() {
         return newKey;
     }
+
+    /**
+     * Destroy potential sensitive content stored in this object.
+     */
+    public void destroy() {
+        Arrays.fill(dataToSave, (byte) 0xCD);
+        Arrays.fill(derivedData, (byte) 0xCD);
+    }
 }

proj-android/PowerAuthLibrary/src/main/java/io/getlime/security/powerauth/sdk/PowerAuthAuthentication.java

@@ -21,6 +21,8 @@
 import io.getlime.security.powerauth.core.Password;
 import io.getlime.security.powerauth.system.PowerAuthLog;
 
+import java.util.Arrays;
+
 /**
  * Class representing a multi-factor authentication object.
  */
@@ -48,9 +50,14 @@ public class PowerAuthAuthentication {
     /**
      * Construct object with desired combination of factors. Such authentication object can be used
      * either to persist activation and for the signature calculation.
-     *
+     * <p>
      * Note that you should prefer static construction functions instead of this constructor, unless
      * you have a special reason for it.
+     * <p>
+     * Note that the constructor internally makes a copy of provided byte arrays. This is because authentication object
+     * now supports {@link #destroy()} method that clears content of such arrays. We don't want to clear instance of
+     * array that is still in use somewhere else.
+     *
      *
      * @param persistActivation If true, then authentication can be used to persist activation.
      * @param password If set, then knowledge factor will be used to persist activation or signature calculation.
@@ -62,12 +69,31 @@ public class PowerAuthAuthentication {
             @Nullable Password password,
             @Nullable byte[] biometryFactorRelatedKey,
             @Nullable byte[] overriddenPossessionKey) {
-        this.useBiometry = biometryFactorRelatedKey;
+        this.useBiometry = safeArrayCopy(biometryFactorRelatedKey);
         this.password = password;
-        this.overriddenPossessionKey = overriddenPossessionKey;
+        this.overriddenPossessionKey = safeArrayCopy(overriddenPossessionKey);
         this.persistActivation = persistActivation;
     }
 
+    /**
+     * Make copy of provided byte array if non-null array is provided.
+     * @param original Array to safely copy.
+     * @return new array with copied content or null if input is null.
+     */
+    private static byte[] safeArrayCopy(byte[] original) {
+        if (original != null) {
+            return Arrays.copyOf(original, original.length);
+        }
+        return null;
+    }
+
+    /**
+     * Make sure that the sensitive data is always wiped out from the memory.
+     */
+    protected void finalize() {
+        destroy();
+    }
+
     // Persist activation
 
     /**
@@ -347,6 +373,22 @@ public byte[] getOverriddenPossessionKey() {
         return overriddenPossessionKey;
     }
 
+    /**
+     * Destroys any sensitive content, such as password stored in the authentication object.
+     * After this call, the object becomes unusable for authentication operations.
+     */
+    public void destroy() {
+        if (password != null) {
+            password.destroy();
+        }
+        if (useBiometry != null) {
+            Arrays.fill(useBiometry, (byte) 0xCD);  // This may help with the debugging. CD CD CD is more suspicious than 00 00 00
+        }
+        if (overriddenPossessionKey != null) {
+            Arrays.fill(overriddenPossessionKey, (byte) 0xCD);
+        }
+    }
+
     // Internal interfaces
 
     /**

proj-android/PowerAuthLibrary/src/main/java/io/getlime/security/powerauth/sdk/PowerAuthSDK.java

@@ -1045,6 +1045,7 @@ public void onBiometricDialogCancelled(boolean userCancel) {
             public void onBiometricDialogSuccess(@NonNull BiometricKeyData biometricKeyData) {
                 final PowerAuthAuthentication authentication = PowerAuthAuthentication.persistWithPasswordAndBiometry(password, biometricKeyData.getDerivedData());
                 final int errorCode = persistActivationWithAuthentication(context, authentication);
+                biometricKeyData.destroy();
                 if (errorCode == PowerAuthErrorCodes.SUCCEED) {
                     callback.onBiometricDialogSuccess();
                 } else {
@@ -2360,6 +2361,8 @@ public void onBiometricDialogCancelled(boolean userCancel) {
             @Override
             public void onBiometricDialogSuccess(@NonNull BiometricKeyData biometricKeyData) {
                 final PowerAuthAuthentication authentication = PowerAuthAuthentication.possessionWithBiometry(biometricKeyData.getDerivedData());
+                // TODO: This should be moved in the next release to some global point to make sure that we always clear this object.
+                biometricKeyData.destroy();
                 listener.onBiometricDialogSuccess(authentication);
             }
 

proj-android/build.gradle

@@ -52,5 +52,9 @@ allprojects {
     tasks.withType(Javadoc) {
         options.addStringOption('Xdoclint:-html', '-quiet')
     }
+    // Uncomment to show usage of deprecated interfaces
+//    tasks.withType(JavaCompile) {
+//        options.compilerArgs << "-Xlint:deprecation"
+//    }
 }
 

proj-xcode/PowerAuth2.xcodeproj/project.pbxproj

@@ -3,7 +3,7 @@
 	archiveVersion = 1;
 	classes = {
 	};
-	objectVersion = 54;
+	objectVersion = 56;
 	objects = {
 
 /* Begin PBXBuildFile section */
@@ -1728,7 +1728,7 @@
 			attributes = {
 				BuildIndependentTargetsInParallel = YES;
 				LastSwiftUpdateCheck = 1320;
-				LastUpgradeCheck = 1430;
+				LastUpgradeCheck = 1500;
 				ORGANIZATIONNAME = "Wultra s.r.o.";
 				TargetAttributes = {
 					BF4DBCCC1CDF9CDE008F3A47 = {
@@ -1762,7 +1762,7 @@
 				};
 			};
 			buildConfigurationList = BF4DBB961CDF3130008F3A47 /* Build configuration list for PBXProject "PowerAuth2" */;
-			compatibilityVersion = "Xcode 12.0";
+			compatibilityVersion = "Xcode 14.0";
 			developmentRegion = en;
 			hasScannedForEncodings = 0;
 			knownRegions = (
@@ -2274,6 +2274,7 @@
 				DEBUG_INFORMATION_FORMAT = dwarf;
 				ENABLE_STRICT_OBJC_MSGSEND = YES;
 				ENABLE_TESTABILITY = YES;
+				ENABLE_USER_SCRIPT_SANDBOXING = YES;
 				GCC_C_LANGUAGE_STANDARD = c11;
 				GCC_DYNAMIC_NO_PIC = NO;
 				GCC_NO_COMMON_BLOCKS = YES;
@@ -2293,14 +2294,14 @@
 					"$(PROJECT_DIR)/../cc7/include",
 					"$(PROJECT_DIR)/../cc7/openssl-lib/apple/include",
 				);
-				IPHONEOS_DEPLOYMENT_TARGET = 11.0;
+				IPHONEOS_DEPLOYMENT_TARGET = 12.0;
 				LIBRARY_SEARCH_PATHS = "$(PROJECT_DIR)/../cc7/openssl-lib/apple";
 				MACOSX_DEPLOYMENT_TARGET = 10.15;
 				ONLY_ACTIVE_ARCH = YES;
 				PRODUCT_NAME = "${TARGET_NAME}";
 				SDKROOT = iphoneos;
 				SWIFT_VERSION = 5.0;
-				TVOS_DEPLOYMENT_TARGET = 11.0;
+				TVOS_DEPLOYMENT_TARGET = 12.0;
 				WATCHOS_DEPLOYMENT_TARGET = 2.0;
 			};
 			name = Debug;
@@ -2341,6 +2342,7 @@
 				DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
 				ENABLE_NS_ASSERTIONS = NO;
 				ENABLE_STRICT_OBJC_MSGSEND = YES;
+				ENABLE_USER_SCRIPT_SANDBOXING = YES;
 				GCC_C_LANGUAGE_STANDARD = c11;
 				GCC_NO_COMMON_BLOCKS = YES;
 				GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
@@ -2354,14 +2356,14 @@
 					"$(PROJECT_DIR)/../cc7/include",
 					"$(PROJECT_DIR)/../cc7/openssl-lib/apple/include",
 				);
-				IPHONEOS_DEPLOYMENT_TARGET = 11.0;
+				IPHONEOS_DEPLOYMENT_TARGET = 12.0;
 				LIBRARY_SEARCH_PATHS = "$(PROJECT_DIR)/../cc7/openssl-lib/apple";
 				MACOSX_DEPLOYMENT_TARGET = 10.15;
 				PRODUCT_NAME = "${TARGET_NAME}";
 				SDKROOT = iphoneos;
 				SWIFT_COMPILATION_MODE = wholemodule;
 				SWIFT_VERSION = 5.0;
-				TVOS_DEPLOYMENT_TARGET = 11.0;
+				TVOS_DEPLOYMENT_TARGET = 12.0;
 				VALIDATE_PRODUCT = YES;
 				WATCHOS_DEPLOYMENT_TARGET = 2.0;
 			};

proj-xcode/PowerAuth2.xcodeproj/xcshareddata/xcschemes/PowerAuth2_IntegrationTests_iOS.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "1430"
+   LastUpgradeVersion = "1500"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"

proj-xcode/PowerAuth2.xcodeproj/xcshareddata/xcschemes/PowerAuth2_IntegrationTests_tvOS.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "1430"
+   LastUpgradeVersion = "1500"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"

proj-xcode/PowerAuth2.xcodeproj/xcshareddata/xcschemes/PowerAuth2_TestHostApp_iOS.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "1430"
+   LastUpgradeVersion = "1500"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"

proj-xcode/PowerAuth2.xcodeproj/xcshareddata/xcschemes/PowerAuth2_TestHostApp_tvOS.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "1430"
+   LastUpgradeVersion = "1500"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"

proj-xcode/PowerAuth2.xcodeproj/xcshareddata/xcschemes/PowerAuth2_iOS.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "1430"
+   LastUpgradeVersion = "1500"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"

proj-xcode/PowerAuth2.xcodeproj/xcshareddata/xcschemes/PowerAuth2_tvOS.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "1430"
+   LastUpgradeVersion = "1500"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"