The overall SDK interfaces may be accessed as follows:
import com.criticalblue.approovsdk.Approov;
#import <Approov/Approov.h>
import Approov
Note that the iOS SDK is actually written in Objective-C and the method references are described in this way. Other code examples in the documentation are in Swift, using the automatically generated bindings to the SDK methods.
/**
* Initialize the Approov SDK. This must be called prior to any other methods on the Approov
* SDK. The SDK is initialized with an application context, a base configuration and an
* optional update configuration and comment. The base configuration is a signed JWT
* token string that is obtained from the Approov administration portal and contains all
* necessary parameters to initialize the SDK. This must be stored as a resource in the
* application using the SDK. An updated configuration may be transmitted while the SDK
* is in use and this must be stored in the local storage of the app.
*
* @param appContext is the application context to use
* @param initialConfig is the initial configuration string and must be present
* @param dynamicConfig is any dynamic update configuration string or null if there is none
* @param reserved is provided for future usage
* @throws IllegalArgumentException if provided configuration is not valid
*/
public static void initialize(Context appContext, String initialConfig, String dynamicConfig, String reserved) throws IllegalArgumentException;
/**
* Initialize the Approov SDK. This must be called prior to any other methods on the Approov
* SDK. The SDK is initialized with a base configuration and an optional update configuration
* and comment. The base configuration is a signed JWT token string that is obtained from the
* Approov administration portal and contains all necessary parameters to initialize the SDK.
* This must be stored as a resource in the application using the SDK. An updated configuration
* may be transmitted while the SDK is in use and this must be stored in the local storage of the app.
*
* @param baseConfig is the initial configuration string and must be present
* @param updateConfig is any dynamic update configuration string or null if there is none
* @param comment is an optional comment that appears when the app is registered, or null otherwise
* @param error the reference to an error object which will be set if an error occurred
* @return YES if the Approov framework was successfully initialized or NO otherwise
*/
+ (BOOL)initialize:(nonnull NSString *)baseConfig updateConfig:(nullable NSString *)updateConfig
comment:(nullable NSString * )comment error:(NSError *_Nullable *_Nullable)error;
/**
* Initialize the Approov SDK. This must be called prior to any other methods on the Approov
* SDK. The SDK is initialized with a base configuration and an optional update configuration
* and comment. The base configuration is a signed JWT token string that is obtained from the
* Approov administration portal and contains all necessary parameters to initialize the SDK.
* This must be stored as a resource in the application using the SDK. An updated configuration
* may be transmitted while the SDK is in use and this must be stored in the local storage of the app.
*
* @param baseConfig is the initial configuration string and must be present
* @param updateConfig is any dynamic update configuration string or null if there is none
* @param comment is an optional comment that appears when the app is registered, or null otherwise
* @param error the reference to an error object which will be set if an error occurred
* @return YES if the Approov framework was successfully initialized or NO otherwise
*/
class func initialize(_ baseConfig: String, updateConfig: String?, comment: String?) throws
/**
* Fetches the current configuration for the SDK. This may be the base configuration or may
* be a new updated configuration returned from the Approov cloud service. Such updates of the
* configuration allow new sets of certificate pins and other configuration to be passed to
* an app instance that is running in the field.
*
* Normally this method returns the latest configuration that is available and is cached in the
* SDK. Thus the method will return quickly. However, if this method is called when there has
* been no prior call to fetch an Approov token then a network request to the Approov cloud
* service will be made to obtain any latest configuration update. The maximum timeout period
* is set to be quite short but the caller must be aware that this delay may occur.
*
* Note that the returned configuration should generally be kept in local storage for the app
* so that it can be made available on initialization of the Approov SDK next time the app
* is started.
*
* It is possible to see if a new configuration becomes available from the isConfigChanged()
* method of the TokenFetchResult. This changed flag is only cleared for future token fetches
* if a call to this method is made.
*
* @return String representation of the configuration.
*/
public static final String fetchConfig();
/**
* Fetches the current configuration for the SDK. This may be the base configuration or may
* be a new updated configuration returned from the Approov cloud service. Such updates of the
* configuration allow new sets of certificate pins and other configuration to be passed to
* an app instance that is running in the field.
*
* Normally this method returns the latest configuration that is available and is cached in the
* SDK. Thus the method will return quickly. However, if this method is called when there has
* been no prior call to fetch an Approov token then a network request to the Approov cloud
* service will be made to obtain any latest configuration update. The maximum timeout period
* is set to be quite short but the caller must be aware that this delay may occur.
*
* Note that the returned configuration should generally be kept in local storage for the app
* so that it can be made available on initialization of the Approov SDK next time the app
* is started.
*
* It is possible to see if a new configuration becomes available from the isConfigChanged
* property of the TokenFetchResult. This changed flag is only cleared for future token fetches
* if a call to this method is made.
*
* @return String representation of the configuration or nil if SDK not initialized.
*/
+ (nullable NSString *)fetchConfig;
/**
* Fetches the current configuration for the SDK. This may be the base configuration or may
* be a new updated configuration returned from the Approov cloud service. Such updates of the
* configuration allow new sets of certificate pins and other configuration to be passed to
* an app instance that is running in the field.
*
* Normally this method returns the latest configuration that is available and is cached in the
* SDK. Thus the method will return quickly. However, if this method is called when there has
* been no prior call to fetch an Approov token then a network request to the Approov cloud
* service will be made to obtain any latest configuration update. The maximum timeout period
* is set to be quite short but the caller must be aware that this delay may occur.
*
* Note that the returned configuration should generally be kept in local storage for the app
* so that it can be made available on initialization of the Approov SDK next time the app
* is started.
*
* It is possible to see if a new configuration becomes available from the isConfigChanged
* property of the TokenFetchResult. This changed flag is only cleared for future token fetches
* if a call to this method is made.
*
* @return String representation of the configuration or nil if SDK not initialized.
*/
class func fetchConfig() -> String?
/**
* Gets the device ID used by Approov to identify the particular device that the SDK is running on. Note
* that different Approov apps on the same device will return a different ID. Moreover, the ID may be
* changed by an uninstall and reinstall of the app.
*
* @return String representation of the deviceID.
*/
public static final String getDeviceID();
/**
* Gets the device ID used by Approov to identify the particular device that the SDK is running on. Note
* that different Approov apps on the same device will return a different ID. Moreover, the ID may be
* changed by an uninstall and reinstall of the app.
*
* @return String of device ID or nil if SDK not initialized.
*/
+ (nullable NSString *)getDeviceID;
/**
* Gets the device ID used by Approov to identify the particular device that the SDK is running on. Note
* that different Approov apps on the same device will return a different ID. Moreover, the ID may be
* changed by an uninstall and reinstall of the app.
*
* @return String of device ID or nil if SDK not initialized.
*/
class func getDeviceID() -> String?
/**
* Fetches the pins from the current configuration of the SDK. This is returned as
* as map from URL domain (hostname only) to the possible pins for that domain. If there is
* no map entry for a domain then that indicates that the connection is not specifically
* pinned. The type of pin requested determines the data in each of the pins. This is typically
* the base64 encoding of the hash of some aspect of the certificate. A connection is considered
* to be valid if any certificate in the chain presented is one with the same hash as one in
* the array of hashes. Note that if the isForceApplyPins flag was set on the last Approov
* token fetch then this clears the flag for future fetches as it indicates that the latest
* pin information has been read.
*
* @param pinType is the type of pinning information that is required
* @return Map from domain to the list of strings providing the pins
*/
public static final Map<String, List<String>> getPins(String pinType);
/**
* Provide access to the API-Pins information held in the current app configuration. This is a helper method that avoids
* the need for the app to access the configuration directly. Pins of a particular type are retrieved. If the
* SDK has not be initialized then nil is returned. A connection is considered to be valid if any certificate
* in the chain presented has the same hash as one in the list of hashes for the domain. Note that if the isForceApplyPins
* flag was set on the last Approov token fetch then this clears the flag for future fetches as it indicates that the
* latest pin information has been read.
*
* @param pinType is the format of the pins that should be retrieved
* @result NSDictionary mapping from domain names to a list of pins in base64 format for that domain
*/
+ (nullable NSDictionary<NSString *, NSArray<NSString *> *> *)getPins:(nonnull NSString *)pinType;
/**
* Provide access to the API-Pins information held in the current app configuration. This is a helper method that avoids
* the need for the app to access the configuration directly. Pins of a particular type are retrieved. If the
* SDK has not be initialized then nil is returned. A connection is considered to be valid if any certificate
* in the chain presented has the same hash as one in the list of hashes for the domain. Note that if the isForceApplyPins
* flag was set on the last Approov token fetch then this clears the flag for future fetches as it indicates that the
* latest pin information has been read.
*
* @param pinType is the format of the pins that should be retrieved
* @result NSDictionary mapping from domain names to a list of pins in base64 format for that domain
*/
class func getPins(_ pinType: String) -> [String : [String]]?
/**
* Potential status results from an attempt to fetch an Approov token
*/
public enum TokenFetchStatus {
SUCCESS, // token was successfully received
NO_NETWORK, // there is no token because there is no network connectivity currently
MITM_DETECTED, // there is no token because there is a Man-In-The-Middle (MITM) to the Approov cloud service
POOR_NETWORK, // no token could be obtained due to poor network connectivity
NO_APPROOV_SERVICE, // no token could be obtained, perhaps because Approov services are down
BAD_URL, // provided URL was not https or otherwise in the correct format
UNKNOWN_URL, // provided URL is not one that one configured for Approov
UNPROTECTED_URL, // provided URL does not need an Approov token
NO_NETWORK_PERMISSION, // app does not have ACCESS_NETWORK_STATE or INTERNET permission
MISSING_LIB_DEPENDENCY, // app is missing a needed library dependency
INTERNAL_ERROR // there has been an internal error in the SDK
}
/**
* Results from an Approov token fetch
*/
public class TokenFetchResult {
/**
* Gets the status of the last Approov token fetch.
*
* @return Approov token fetch status
*/
public TokenFetchStatus getStatus();
/**
* Gets the token string of the last Approov token fetch. This may be an empty string
* if the fetch did not succeed.
*
* @return Approov token string
*/
public String getToken();
/**
* Determines if a new configuration is available from fetchConfig().
*
* @return true if an updated configuration is available.
*/
public boolean isConfigChanged();
/**
* Determines if current user APIs must be updated to reflect a new version
* available from getPins(). Calling getPins() will clear this flag for the
* next Approov token fetch.
*
* @return true if pins should be updated.
*/
public boolean isForceApplyPins();
/**
* Gets a measurement configuration if the last token fetch was to perform an
* integrity measurement and was successful.
*
* @return Approov measurement configuration or null if no measurement made
*/
public byte[] getMeasurementConfig();
}
/*
* Enumeration of results that may be generated as a result of an Approov token fetch operation.
*/
typedef NS_ENUM(NSUInteger, ApproovTokenFetchStatus)
{
// Indicates that a token was successfully obtained.
ApproovTokenFetchStatusSuccess,
// Indicates that there is no valid cached token and there is currently no network connectivity so no new token
// could be obtained. This specific state is provided because the developer might choose to retry in this case
// because the subsequent API request will almost certainly fail too.
ApproovTokenFetchStatusNoNetwork,
// Indicates that no token could be obtained because the certificate presented on the Approov endpoint was not one
// that was expected. This might indicate the device is running on a network with a firewall that terminates TLS.
ApproovTokenFetchStatusMITMDetected,
// Indicates that no token could be obtained due to poor network connectivity
ApproovTokenFetchStatusPoorNetwork,
// no token could be obtained, perhaps because Approov services (primary and failover) are down
ApproovTokenFetchStatusNoApproovService,
// Indicates that the provided domain is not in the correct format or is not of the https scheme.
ApproovTokenFetchStatusBadURL,
// Indicates that the URL provided is a for a domain that has not be specified in the Approov administration portal.
// This may be an incorrect URL or may indicate that no Approov token is required for protecting this endpoint.
ApproovTokenFetchStatusUnknownURL,
// Indicates that no Approov token is needed for the domain. This is returned as a result of a configuration
// that is set server side, indicating that the domain is pinned but no Approov token is required.
ApproovTokenFetchStatusUnprotectedURL,
// Indicates that the Approov SDK has not been initialized.
ApproovTokenFetchStatusNotInitialized
};
/**
* This interface is used for the result value of the fetch Approov token methods.
*/
__attribute__((visibility("default"))) @interface ApproovTokenFetchResult: NSObject
// The result code generated by the Approov token fetch operation
@property (readonly) ApproovTokenFetchStatus status;
// The Approov token as a base64 string which should not be cached by the app client code. This is the empty string if
// no token could be obtained.
@property (readonly, nonnull) NSString *token;
// Provides a flag indicating if a new updated configuration JWT has been obtained from the server. Once set this
// remains true for subsequent token fetches until a fetchConfig() call is made.
@property (readonly) BOOL isConfigChanged;
// Provides a flag indicating if current user APIs must be updated to reflect a new version
// available from getPins(). Calling getPins() will clear this flag for the
// next Approov token fetch.
@property (readonly) BOOL isForceApplyPins;
// The measurement configuration is only provided if the last fetch operation for the domain initiated an integrity
// measurement, and the fetch was successful. This provides a binary buffer that must be provided to the
// getIntegrityMeasurementProof() or getDeviceMeasurementProof() to obtain a new proof.
@property (readonly, nullable) NSData *measurementConfig;
// ApproovTokenFetchCallback type definition
typedef void (^ApproovTokenFetchCallback)(ApproovTokenFetchResult *_Nonnull result);
/**
* Gets a loggable version of the result Approov token. This provides the decoded JSON payload along with the first six
* characters of the base64 encoded signature as an additional "sip" claim. This can be safely logged as it cannot be
* transformed into a valid token since the full signature is not provided, but it can be subsequently checked for
* validity if the shared secret is known with a very high probability. The loggable token is always valid JSON. If
* there is an error then the type is given with the key "error".
* Note that this is not applicable to JWE tokens.
*
* @return Loggable Approov token string
*/
- (nonnull NSString *)loggableToken;
@end
/**
* Gets a human readable string from an Approov token fetch status.
*
* @param approovTokenFetchStatus is the ApproovTokenFetchStatus
* @return the string for the ApproovTokenFetchStatusq
*/
+ (nonnull NSString *)stringFromApproovTokenFetchStatus:(ApproovTokenFetchStatus)approovTokenFetchStatus;
/*
* Enumeration of results that may be generated as a result of an Approov token fetch operation.
*/
enum ApproovTokenFetchStatus {
// Indicates that a token was successfully obtained.
case success
// Indicates that there is no valid cached token and there is currently no network connectivity so no new token
// could be obtained. This specific state is provided because the developer might choose to retry in this case
// because the subsequent API request will almost certainly fail too.
case noNetwork
// Indicates that no token could be obtained because the certificate presented on the Approov endpoint was not one
// that was expected. This might indicate the device is running on a network with a firewall that terminates TLS.
case mitmDetected
// Indicates that no token could be obtained due to poor network connectivity
case poorNetwork
// no token could be obtained, perhaps because Approov services (primary and failover) are down
case noApproovService
// Indicates that the provided domain is not in the correct format or is not of the https scheme.
case badURL
// Indicates that the URL provided is a for a domain that has not be specified in the Approov administration portal.
// This may be an incorrect URL or may indicate that no Approov token is required for protecting this endpoint.
case unknownURL
// Indicates that no Approov token is needed for the domain. This is returned as a result of a configuration
// that is set server side, indicating that the domain is pinned but no Approov token is required.
case unprotectedURL
// Indicates that the Approov SDK has not been initialized.
case notInitialized
}
/**
* This interface is used for the result value of the fetch Approov token methods.
*/
class ApproovTokenFetchResult: NSObject {
// The result code generated by the Approov token fetch operation
private(set) var status: ApproovTokenFetchStatus?
// The Approov token as a base64 string which should not be cached by the app client code. This is the empty string if
// no token could be obtained.
private(set) var token = ""
// Provides a flag indicating if a new updated configuration JWT has been obtained from the server. Once set this
// remains true for subsequent token fetches until a fetchConfig() call is made.
private(set) var isConfigChanged = false
// Provides a flag indicating if current user APIs must be updated to reflect a new version
// available from getPins(). Calling getPins() will clear this flag for the
// next Approov token fetch.
private(set) var isForceApplyPins = false
// The measurement configuration is only provided if the last fetch operation for the domain initiated an integrity
// measurement, and was successful. This provides a binary buffer that must be provided to the
// getIntegrityMeasurementProof() or getDeviceMeasurementProof() to obtain a new proof.
private(set) var measurementConfig: Data?
/**
* Gets a loggable version of the result Approov token. This provides the decoded JSON payload along with the first six
* characters of the base64 encoded signature as an additional "sip" claim. This can be safely logged as it cannot be
* transformed into a valid token since the full signature is not provided, but it can be subsequently checked for
* validity if the shared secret is known with a very high probability. The loggable token is always valid JSON. If
* there is an error then the type is given with the key "error".
* Note that this is not applicable to JWE tokens.
*
* @return Loggable Approov token string
*/
func loggableToken() -> String {
}
}
/**
* Gets a human readable string from an Approov token fetch status.
*
* @param approovTokenFetchStatus is the ApproovTokenFetchStatus
* @return the string for the ApproovTokenFetchStatusq
*/
class func string(from approovTokenFetchStatus: ApproovTokenFetchStatus) -> String
/**
* Initiates a synchronous request to obtain an Approov token and other results. If an Approov token fetch
* has been completed previously and the tokens are unexpired then this may return the same one
* without a need to perform a network transaction. Note though that the caller should never cache the
* Approov token as it may become invalidated at any point.
*
* If a new Approov token is required then a more extensive app measurement is performed that involves
* communicating with the Approov cloud service. Thus this method may take up to several seconds to
* return and should not be called from a UI thread. There is also a chance that due to poor network
* connectivity or other factors an Approov token cannot be obtained, and this is reflected in the
* returned status.
*
* All calls must provide a URL which provides the high level domain of the API to which the Approov
* token is going to be sent. Different API domains will have different Approov tokens associated with
* them so it is important that the Approov token is only sent to requests for that domain. If the
* domain has not been configured in the admin portal then an error is obtained.
*
* @param url provides the top level domain URL for which a token is being fetched
* @return results of fetching a token
*/
public static final TokenFetchResult fetchApproovTokenAndWait(String url);
/**
* Initiates a synchronous request to obtain an Approov token and other results. If an Approov token fetch
* has been completed previously and the tokens are unexpired then this may return the same one
* without a need to perform a network transaction. Note though that the caller should never cache the
* Approov token as it may become invalidated at any point.
*
* If a new Approov token is required then a more extensive app measurement is performed that involves
* communicating with the Approov cloud service. Thus this method may take up to several seconds to
* return and should not be called from a UI thread. There is also a chance that due to poor network
* connectivity or other factors an Approov token cannot be obtained, and this is reflected in the
* returned status.
*
* All calls must provide a URL which provides the high level domain of the API to which the Approov
* token is going to be sent. Different API domains will have different Approov tokens associated with
* them so it is important that the Approov token is only sent to requests for that domain. If the
* domain has not been configured in the admin portal then an error is obtained. Note that the provided
* URL may be suffixed by "?measurement" to initiate a measurement process for use with integrity and
* device proofs.
*
* @param url provides the top level domain URL for which a token is being fetched
* @return results of fetching a token
*/
+ (nonnull ApproovTokenFetchResult *)fetchApproovTokenAndWait:(nonnull NSString *)url;
/**
* Initiates a synchronous request to obtain an Approov token and other results. If an Approov token fetch
* has been completed previously and the tokens are unexpired then this may return the same one
* without a need to perform a network transaction. Note though that the caller should never cache the
* Approov token as it may become invalidated at any point.
*
* If a new Approov token is required then a more extensive app measurement is performed that involves
* communicating with the Approov cloud service. Thus this method may take up to several seconds to
* return and should not be called from a UI thread. There is also a chance that due to poor network
* connectivity or other factors an Approov token cannot be obtained, and this is reflected in the
* returned status.
*
* All calls must provide a URL which provides the high level domain of the API to which the Approov
* token is going to be sent. Different API domains will have different Approov tokens associated with
* them so it is important that the Approov token is only sent to requests for that domain. If the
* domain has not been configured in the admin portal then an error is obtained. Note that the provided
* URL may be suffixed by "?measurement" to initiate a measurement process for use with integrity and
* device proofs.
*
* @param url provides the top level domain URL for which a token is being fetched
* @return results of fetching a token
*/
class func fetchTokenAndWait(_ url: String) -> ApproovTokenFetchResult
/**
* Interface that must be implemented to receive token fetch callbacks for the
* fetchApproovToken() method.
*/
public interface TokenFetchCallback {
/**
* Callback function to be implemented in the business logic.
*
* @param result is the TokenFetchResult
*/
void approovCallback(TokenFetchResult result);
}
/**
* Initiates an asynchronous request to obtain an Approov token and other results. The call returns
* immediately and when the token is fetched (or if the request times out due to an error) then
* a callback method is called on the supplied interface instance object. This callback is made
* on a different thread. If an Approov token fetch has been completed previously and the tokens
* are unexpired then this callback may be very rapid without a need to perform a network transaction.
* Note though that the caller should never cache the Approov token as it may become invalidated at
* any point.
*
* If a new Approov token is required then a more extensive app measurement is performed that involves
* communicating with the Approov cloud service. Thus this method may take up to several seconds to
* return and should not be called from a UI thread. There is also a chance that due to poor network
* connectivity or other factors an Approov token cannot be obtained, and this is reflected in the
* returned status.
*
* All calls must provide a url which provides the high level domain of the API to which the Approov
* token is going to be sent. Different API domains will have different Approov tokens associated with
* them so it is important that the Approov token is only sent to requests for that domain. If the
* domain has not been configured in the admin portal then an error is obtained.
*
* @param callback is an instance that implements TokenFetchCallback whose callback
* @param url provides the top level domain url for which a token is being fetched
*/
public static final void fetchApproovToken(TokenFetchCallback callback, String url);
// ApproovTokenFetchCallback type definition
typedef void (^ApproovTokenFetchCallback)(ApproovTokenFetchResult *_Nonnull result);
/**
* Initiates an asynchronous request to obtain an Approov token and other results. The call returns
* immediately and when the token is fetched (or if the request times out due to an error) then
* a callback function is called with the result. This callback is made on a different thread. If
* an Approov token fetch has been completed previously and the token are unexpired then this callback
* may be very rapid without a need to perform a network transaction. Note though that the caller
* should never cache the Approov token as it may become invalidated at any point.
*
* If a new Approov token is required then a more extensive app measurement is performed that involves
* communicating with the Approov cloud service. Thus this method may take up to several seconds to
* return and should not be called from a UI thread. There is also a chance that due to poor network
* connectivity or other factors an Approov token cannot be obtained, and this is reflected in the
* returned status.
*
* All calls must provide a url which provides the high level domain of the API to which the Approov
* token is going to be sent. Different API domains will have different Approov tokens associated with
* them so it is important that the Approov token is only sent to requests for that domain. If the
* domain has not been configured in the admin portal then an error is obtained. Note that the provided
* URL may be suffixed by "?measurement" to initiate a measurement process for use with integrity and
* device proofs.
*
* @param callbackHandler is a function that takes an ApproovTokenFetchResult when the token is obtained
* @param url provides the top level domain url for which a token is being fetched
*/
+ (void)fetchApproovToken:(nonnull ApproovTokenFetchCallback)callbackHandler :(nonnull NSString *)url;
// ApproovTokenFetchCallback type definition
typealias ApproovTokenFetchCallback = (ApproovTokenFetchResult) -> Void
/**
* Initiates an asynchronous request to obtain an Approov token and other results. The call returns
* immediately and when the token is fetched (or if the request times out due to an error) then
* a callback function is called with the result. This callback is made on a different thread. If
* an Approov token fetch has been completed previously and the token are unexpired then this callback
* may be very rapid without a need to perform a network transaction. Note though that the caller
* should never cache the Approov token as it may become invalidated at any point.
*
* If a new Approov token is required then a more extensive app measurement is performed that involves
* communicating with the Approov cloud service. Thus this method may take up to several seconds to
* return and should not be called from a UI thread. There is also a chance that due to poor network
* connectivity or other factors an Approov token cannot be obtained, and this is reflected in the
* returned status.
*
* All calls must provide a url which provides the high level domain of the API to which the Approov
* token is going to be sent. Different API domains will have different Approov tokens associated with
* them so it is important that the Approov token is only sent to requests for that domain. If the
* domain has not been configured in the admin portal then an error is obtained. Note that the provided
* URL may be suffixed by "?measurement" to initiate a measurement process for use with integrity and
* device proofs.
*
* @param callbackHandler is a function that takes an ApproovTokenFetchResult when the token is obtained
* @param url provides the top level domain url for which a token is being fetched
*/
class func fetchToken(_ callbackHandler: ApproovTokenFetchCallback, _ url: String)
/**
* Sets a hash of the given data value into any future Approov tokens obtained in the 'pay'
* claim. If the data values are transmitted to the API backend along with the
* Approov token then this allows the backend to check that the data value was indeed
* known to the app at the time of the token fetch and hasn't been spoofed. If the
* data is the same as any previous one set then the token does not need to be updated.
* Otherwise the next token fetch causes a new attestation to fetch a new token. Note that
* this should not be done frequently due to the additional latency on token fetching that
* will be caused. The hash appears in the 'pay' claim of the Approov token as a base64
* encoded string of the SHA256 hash of the data. Note that the data is hashed locally and
* never sent to the Approov cloud service.
*
* @param data is the data whose SHA256 hash is to be included in future Approov tokens
*/
public static final void setDataHashInToken(String data);
/**
* Sets a hash of the given data value into any future Approov tokens obtained in the 'pay'
* claim. If the data values are transmitted to the API backend along with the
* Approov token then this allows the backend to check that the data value was indeed
* known to the app at the time of the token fetch and hasn't been spoofed. If the
* data is the same as any previous one set then the token does not need to be updated.
* Otherwise the next token fetch causes a new attestation to fetch a new token. Note that
* this should not be done frequently due to the additional latency on token fetching that
* will be caused. The hash appears in the 'pay' claim of the Approov token as a base64
* encoded string of the SHA256 hash of the data. Note that the data is hashed locally and
* never sent to the Approov cloud service.
*
* @param data is the data whose SHA256 hash is to be included in future Approov tokens
*/
+ (void)setDataHashInToken:(nonnull NSString *)data;
/**
* Sets a hash of the given data value into any future Approov tokens obtained in the 'pay'
* claim. If the data values are transmitted to the API backend along with the
* Approov token then this allows the backend to check that the data value was indeed
* known to the app at the time of the token fetch and hasn't been spoofed. If the
* data is the same as any previous one set then the token does not need to be updated.
* Otherwise the next token fetch causes a new attestation to fetch a new token. Note that
* this should not be done frequently due to the additional latency on token fetching that
* will be caused. The hash appears in the 'pay' claim of the Approov token as a base64
* encoded string of the SHA256 hash of the data. Note that the data is hashed locally and
* never sent to the Approov cloud service.
*
* @param data is the data whose SHA256 hash is to be included in future Approov tokens
*/
class func setDataHashInToken(_ data: String)
/**
* Obtains an integrity measurement proof that is used to show that the app and its
* environment have not changed since the time of the original integrity measurement.
* The proof does an HMAC calculation over the secret integrity measurement value which
* is salted by a provided nonce. This proves that the SDK is able to reproduce the
* integrity measurement value.
*
* @param nonce is a 16-byte (128-bit) nonce value used to salt the proof HMAC
* @param measurementConfig is the measurement configuration obtained from a previous token fetch results
* @return 32-byte (256-bit) measurement proof value
*/
public static final byte[] getIntegrityMeasurementProof(byte[] nonce, byte[] measurementConfig);
/**
* Obtains an integrity measurement proof that is used to show that the app and its
* environment have not changed since the time of the original integrity measurement.
* The proof does an HMAC calculation over the secret integrity measurement value which
* is salted by a provided nonce. This proves that the SDK is able to reproduce the
* integrity measurement value. This may return nil if the SDK has not been initialized
* or if the parameters are in invalid.
*
* @param nonce is a 16-byte (128-bit) nonce value used to salt the proof HMAC
* @param measurementConfig is the measurement configuration obtained from a previous token fetch results
* @return 32-byte (256-bit) measurement proof value or nil if there was an error
*/
+ (nullable NSData *)getIntegrityMeasurementProof:(nonnull NSData *)nonce :(nonnull NSData *)measurementConfig
/**
* Obtains an integrity measurement proof that is used to show that the app and its
* environment have not changed since the time of the original integrity measurement.
* The proof does an HMAC calculation over the secret integrity measurement value which
* is salted by a provided nonce. This proves that the SDK is able to reproduce the
* integrity measurement value. This may return nil if the SDK has not been initialized
* or if the parameters are in invalid.
*
* @param nonce is a 16-byte (128-bit) nonce value used to salt the proof HMAC
* @param measurementConfig is the measurement configuration obtained from a previous token fetch results
* @return 32-byte (256-bit) measurement proof value or nil if there was an error
*/
class func getIntegrityMeasurementProof(_ nonce: Data, _ measurementConfig: Data) -> Data?
/**
* Obtains a device measurement proof that is used to show that the device environment
* has not changed since the time of the original integrity measurement. This allows the
* app version, including the Approov SDK, to be updated while preserving the device
* measurement. The proof does an HMAC calculation over the secret device measurement
* value which is salted by a provided nonce. This proves that the SDK is able to reproduce
* the device measurement value.
*
* @param nonce is a 16-byte (128-bit) nonce value used to salt the proof HMAC
* @param measurementConfig is the measurement configuration obtained from a previous token fetch results
* @return 32-byte (256-bit) measurement proof value
*/
public static final byte[] getDeviceMeasurementProof(byte[] nonce, byte[] measurementConfig);
/**
* Obtains a device measurement proof that is used to show that the device environment
* has not changed since the time of the original integrity measurement. This allows the
* app version, including the Approov SDK, to be updated while preserving the device
* measurement. The proof does an HMAC calculation over the secret device measurement
* value which is salted by a provided nonce. This proves that the SDK is able to reproduce
* the device measurement value. This may return nil if the SDK has not been initialized
* or if the parameters are in invalid.
*
* @param nonce is a 16-byte (128-bit) nonce value used to salt the proof HMAC
* @param measurementConfig is the measurement configuration obtained from a previous token fetch results
* @return 32-byte (256-bit) measurement proof value or nil if there was an error
*/
+ (nullable NSData *)getDeviceMeasurementProof:(nonnull NSData *)nonce :(nonnull NSData *)measurementConfig
/**
* Obtains a device measurement proof that is used to show that the device environment
* has not changed since the time of the original integrity measurement. This allows the
* app version, including the Approov SDK, to be updated while preserving the device
* measurement. The proof does an HMAC calculation over the secret device measurement
* value which is salted by a provided nonce. This proves that the SDK is able to reproduce
* the device measurement value. This may return nil if the SDK has not been initialized
* or if the parameters are in invalid.
*
* @param nonce is a 16-byte (128-bit) nonce value used to salt the proof HMAC
* @param measurementConfig is the measurement configuration obtained from a previous token fetch results
* @return 32-byte (256-bit) measurement proof value or nil if there was an error
*/
class func getDeviceMeasurementProof(_ nonce: Data, _ measurementConfig: Data) -> Data?
/**
* Sets the information about a current activity. This may be set for an expected app
* launch activity so that analysis can be performed to determine if the activity may have
* been launched in an automatic way. A flag indicating this can then be included as an
* annotation in the Approov token.
*
* @param activity is the current activity that is being run
*/
public static final void setActivity(Activity activity);