Known Issues
Serialisation issue for PIN and password authenticator related errors affecting React Native and Flutter plugins
Flutter - Active - not resolved
React Native - Resolved - Version 3.7.1+
Issue
The application crashes if a custom policy is implemented for the PIN or the Password authenticator and, when a validation fails, the integrator of the SDK plugin sends an error to the SDK without filling in the cause field of the error.
Affected components
- React Native plugin - Android 3.5.2, 3.6.0, 3.7.0
- Flutter plugin - Android 3.6.0, 3.7.0
Affected users
Affected are user registrations and authentications performed under the following conditions:
- Android platform is used
- Custom PinPolicy or PasswordPolicy is implemented
- Any of the following errors are returned to the SDK plugin without providing a cause:
  - PinEnrollmentCustomValidationError
  - PinChangeCustomValidationError
  - PasswordEnrollmentCustomValidationError
  - PasswordChangeRecoverableCustomValidationError
Effect
As a consequence of this issue, the application crashes when a user provides an invalid PIN or password during registration or authentication.
Preventative action
Always provide content in the cause field of the error given to the SDK plugin in case of a failed PIN or password validation check.
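One way to enforce this preventative action in a React Native (JavaScript) integration, as an added example that is not Nevis code: a guard that fills in an empty cause before an error from a custom policy reaches the plugin. The error shape (description, cause), the method name validatePinForEnrollment and the position of the error callback are assumptions for illustration.

```javascript
// Assumed shapes (not the plugin's real types): an error is an object with a
// `description` and an optional string `cause`; each policy method receives
// its error callback as the last argument.
const FALLBACK_CAUSE = 'Custom policy validation failed';

// Return `error` unchanged if it carries a non-empty cause, otherwise a copy
// (same prototype) whose cause is the description or the fallback text.
function ensureCause(error, fallback = FALLBACK_CAUSE) {
  const source = error ?? {};
  if (typeof source.cause === 'string' && source.cause.trim() !== '') return source;
  const copy = Object.assign(Object.create(Object.getPrototypeOf(source)), source);
  copy.cause = source.description || fallback;
  return copy;
}

// Wrap a custom policy so that every error it reports passes through ensureCause
// before it reaches the callback supplied by the SDK plugin.
function guardPolicy(policy) {
  return new Proxy(policy, {
    get(target, prop, receiver) {
      const member = Reflect.get(target, prop, receiver);
      if (typeof member !== 'function') return member;
      return (...args) => {
        const onError = args[args.length - 1];
        if (typeof onError === 'function') {
          args[args.length - 1] = (error) => onError(ensureCause(error));
        }
        return member.apply(target, args);
      };
    },
  });
}

// Constructed sample policy (hypothetical method name): rejects without a cause.
const sixDigitPolicy = {
  validatePinForEnrollment(pin, onSuccess, onError) {
    if (/^\d{6}$/.test(pin)) return onSuccess();
    return onError({ description: 'PIN must be exactly 6 digits' });
  },
};

// Run the guarded policy with stand-in callbacks and return what they received.
function validate(pin) {
  let outcome;
  const onSuccess = () => { outcome = { ok: true }; };
  const onError = (error) => { outcome = { ok: false, error }; };
  guardPolicy(sixDigitPolicy).validatePinForEnrollment(pin, onSuccess, onError);
  return outcome;
}
```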
Corrective action
Nevis is working on a solution to rectify this and automatically correct the serialisation issue with a future SDK plugin release.
Non-unique device identifier (Android SDK)
Active - not resolved
Issue
The device identifier generated during initial user registration is not unique and cannot be used to differentiate between installations of the app on multiple physical devices.
Affected components
- Android SDK 3.6.1, 3.6.2
- React Native plugin 3.6.0, 3.6.1
- Flutter plugin 3.6.0
Affected users
Affected are user registrations performed with the following versions:
- Android SDK 3.6.1 and 3.6.2
- React Native plugin 3.6.0 and 3.6.1
- Flutter plugin 3.6.0
Unaffected user registrations are:
- User registrations performed with versions prior to the ones listed above
- User registrations on iOS
Am I affected?
Nevis Identity Suite
The following SQL query will list potentially affected users:
-- Credentials whose device ID value is shared with at least one other entry
-- and whose user agent indicates Android.
select c.USER_ID, v.ENTITY_ID as "CREDENTIAL_ID", v.VALUE as "DEVICE_ID", ua.VALUE as "USER_AGENT"
from TIDMA_PROPERTY_VALUE v
join TIDMA_CREDENTIAL c on v.ENTITY_ID = c.CREDENTIAL_ID
left join TIDMA_PROPERTY_VALUE ua
  on ua.ENTITY_ID = c.CREDENTIAL_ID
  and ua.PROPERTY_ID = (select PROPERTY_ID from TIDMA_PROPERTY where name = 'fidouaf_user_agent')
where v.VALUE in (
  -- device ID values that occur more than once
  select VALUE from TIDMA_PROPERTY_VALUE
  where PROPERTY_ID = (select PROPERTY_ID from TIDMA_PROPERTY where name = 'fidouaf_device_id')
  group by VALUE having count(VALUE) > 1
)
and exists (
  -- restrict to credentials registered from an Android user agent
  select pv.VALUE from TIDMA_PROPERTY_VALUE pv
  where pv.ENTITY_ID = v.ENTITY_ID
    and pv.PROPERTY_ID = (select PROPERTY_ID from TIDMA_PROPERTY where name = 'fidouaf_user_agent')
    and pv.VALUE like '%Android%'
);
Effect
This issue has no direct impact on end users and is not a security-relevant issue.
As a consequence of this issue, the device identifier cannot be trusted to be unique for an app installation on a physical device for affected users.
From a backend perspective, this affects the following attributes:
- Nevis Authentication Cloud: DeviceRef, see "Users endpoint HTTP API" and "Can the Device Ref of the authenticator change?"
- Nevis Identity Suite: The fidouaf_device_id attribute in the nevisIDM Generic Dispatch Target credential as well as in the UAF credential.
Preventative action
Android SDK 3.7.0 addresses the issue for new user registrations. It is therefore recommended to move to this version as soon as possible to prevent any occurrence of the issue.
Corrective action
Nevis is working on a solution to rectify this and automatically correct affected user registrations with a future SDK release.