Skip to main content
Version: 3.7.x.x RR

Android installation

To satisfy customers with the highest security requirements, the Nevis Mobile Authentication SDK is hardened with state-of-the-art protection mechanisms.

SDK Versions 3.5 and lower

Between versions 3.5 and 3.6 the used hardening framework was changed. If you are using SDK version 3.5 or lower refer to this guide

The Nevis Mobile Authentication SDK binaries for Android are provided by Nevis in an archive file.

For convenience, Nevis also offers a public Maven repository where the debug flavor of the SDK is available.

info

To obtain the release flavor of the SDK, download it from our portal.

You will see a package called nevis-mobile-authentication-sdk-android-NEVIS_MOBILE_AUTHENTICATION_SDK_ANDROID_VERSION.zip where NEVIS_MOBILE_AUTHENTICATION_SDK_ANDROID_VERSION is the actual version of the Nevis Mobile Authentication Android SDK e.g.: 3.7.0.1590.

Installation from public Maven repository

The nevis-mobile-authentication-sdk-android-package GitHub repository, contains the debug flavor of the Nevis Mobile Authentication SDK. You can follow the following steps to integrate the SDK in your application using this repository.

The following steps assume that the NEVIS_MOBILE_AUTHENTICATION_SDK_ANDROID_VERSION contains the SDK version. Set the console environment variable as follows:

  1. Add the repositories containing the SDK aar in the build.gradle file of your application module:
build.gradle file using public Maven repository
buildscript {
repositories {
maven {
url "https://maven.pkg.github.com/nevissecurity/nevis-mobile-authentication-sdk-android-package"
credentials {
username = <GITHUB_USERNAME>
password = <GITHUB_PERSONAL_ACCESS_TOKEN>
}
}
}
}
tip

Accessing GitHub packages requires you to have a GitHub account. You have to provide a Personal Access Token, as described here.

  1. In the build.gradle file of your application module, add the SDK dependency and its required dependencies:
Dependency for debug flavor
dependencies {
debugImplementation "ch.nevis:nevis-mobile-authentication-sdk-android-debug:${NEVIS_MOBILE_AUTHENTICATION_SDK_ANDROID_VERSION}"
}

Installation from ZIP archive

The SDK is provided as compressed archive. After unpacking, you see the following structure:

  • debug contains the binary files and POM file of the debug flavor.
  • release contains the binary files POM file of the release flavor.
  • finalizer contains the finalization library.

For example the content of package version 3.7.0.1590 will look like:

Nevis Mobile Authentication SDK Android archive content
├── debug
│ ├── nevis-mobile-authentication-sdk-android-debug-3.7.0.1590-javadoc.jar
│ ├── nevis-mobile-authentication-sdk-android-debug-3.7.0.1590.aar
│ └── nevis-mobile-authentication-sdk-android-debug-3.7.0.1590.pom
├── finalizer
│ ├── *.pom
│ ├── *.protect-android.jar
│ └── finalizers
│ ├── linux
│ │ └── finalizer
│ ├── macos
│ │ └── finalizer
│ └── windows
│ └── finalizer.exe
└── release
├── nevis-mobile-authentication-sdk-android-3.7.0.1590-javadoc.jar
├── nevis-mobile-authentication-sdk-android-3.7.0.1590.aar
└── nevis-mobile-authentication-sdk-android-3.7.0.1590.pom
Finalizer version

The version of finalizer binaries and Gradle plugin differ from SDK version. This is deliberate.

  1. Publish the SDK to a dependency management framework

In this section we describe how to publish the SDK to a Maven repository. If you are using a different framework than Maven, you have to manage the publishing of the SDK and its transitive dependencies accordingly. The transitive dependencies of each flavor of the SDK are declared in the POM files.

You have to configure the Maven repository where the Android SDK is available. There are multiple choices.

tip

For more information about declaring Gradle repositories read the official guide.

You may install the debug and release flavors of the Android SDK into your local Maven repository. To do this, execute the following commands in terminal:

Installation to local Maven repository
export NEVIS_MOBILE_AUTHENTICATION_SDK_ANDROID_VERSION=3.7.0.1590

mvn install:install-file -Dfile=debug/nevis-mobile-authentication-sdk-android-debug-${NEVIS_MOBILE_AUTHENTICATION_SDK_ANDROID_VERSION}.aar -DgroupId=ch.nevis -DartifactId=nevis-mobile-authentication-sdk-android-debug -Dversion=${NEVIS_MOBILE_AUTHENTICATION_SDK_ANDROID_VERSION} -DpomFile=debug/nevis-mobile-authentication-sdk-android-debug-${NEVIS_MOBILE_AUTHENTICATION_SDK_ANDROID_VERSION}.pom

mvn install:install-file -Dfile=release/nevis-mobile-authentication-sdk-android-${NEVIS_MOBILE_AUTHENTICATION_SDK_ANDROID_VERSION}.aar -DgroupId=ch.nevis -DartifactId=nevis-mobile-authentication-sdk-android -Dversion=${NEVIS_MOBILE_AUTHENTICATION_SDK_ANDROID_VERSION} -DpomFile=release/nevis-mobile-authentication-sdk-android-${NEVIS_MOBILE_AUTHENTICATION_SDK_ANDROID_VERSION}.pom
note

We assume that you are in the root directory of the unpacked SDK package.

Declare mavenLocal() repository:

Local Maven repository declaration
allprojects {
repositories {
mavenLocal()
}
}
  1. Add debug flavor dependency (for development)

In the build.gradle file of your application module, add the SDK dependency and its required dependencies:

Dependency for debug flavor
dependencies {
debugImplementation "ch.nevis:nevis-mobile-authentication-sdk-android-debug:${NEVIS_MOBILE_AUTHENTICATION_SDK_ANDROID_VERSION}"
}
  1. Add release flavor dependency (for production)

In the build.gradle file of your application module, add the SDK dependency and its required dependencies:

Dependency for release flavor
dependencies {
releaseImplementation "ch.nevis:nevis-mobile-authentication-sdk-android:${NEVIS_MOBILE_AUTHENTICATION_SDK_ANDROID_VERSION}"
}

Finalization

There are a number of protection mechanisms only included in the release flavor that require a procedure during the building of the application called finalization.

The finalization updates the binaries of the library with information about your application to execute those protection mechanisms during runtime. If you use Gradle to build the application, the finalization can be done using a Gradle plugin.

The debug flavor does not require finalization.

Remove references of previous finalization tool

In case you are already a user of the Nevis Mobile Authentication SDK for Android version 3.5.x or prior, and you want to change to version 3.6.x or above first you have to remove the references of previous finalization tool following this chapter. Otherwise, you can skip this chapter.

info

Apply the following changes in build.gradle file of your application module.

  1. Delete the finalizer plugin dependency from buildscript block in build.gradle file where NEVIS_MOBILE_AUTHENTICATION_SDK_ANDROID_VERSION is the version of the currently used Nevis Mobile Authentication SDK for Android.
buildscript {
dependencies {
...

classpath "ch.nevis:nevis-mobile-authentication-sdk-android-finalizer:${NEVIS_MOBILE_AUTHENTICATION_SDK_ANDROID_VERSION}"

...
}
}
  1. Delete applying finalize plugin line in build.gradle file.
apply plugin: 'finalize'
tip

You probably apply it inside a condition that ensures it is applied only in case of release builds, in this case delete it and the condition as well. E.g.:

if (project.gradle.startParameter.taskNames.find { name -> name.endsWith("Release") } != null) { apply plugin: 'finalize' }

Install Finalization Gradle plugin

  1. Declare Maven repository

You have to configure the Maven repository where the Finalization Gradle plugin is available. There are multiple choices.

tip

For more information about declaring Gradle repositories read the official guide.

You may install the Finalization Gradle plugin into your local Maven repository. To do this execute the following commands in terminal: Replace the placeholders (*) in the commands below with the real file names and versions.

Installation to local Maven repository
# Linux / macOs
mvn install:install-file -Dfile=finalizer/*.protect-android.jar -DpomFile=finalizer/*.protect-android-*.pom

# Windows
mvn install:install-file -Dfile=finalizer\*.protect-android.jar -DpomFile=finalizer\*.protect-android-*.pom
note

We assume that you are in the root directory of the unpacked SDK package.

Declare mavenLocal() repository:

Local Maven repository declaration
allprojects {
repositories {
mavenLocal()
}
}
  1. Add Finalization Gradle plugin dependency

In the build.gradle file of your application module, add following dependency. Replace the placeholders (*) in the gradle classpath below with the real package namespace as indicated by the finalizer file name and versions.

Dependency for Finalization Gradle plugin
buildscript {
...

dependencies {
...

classpath group: '*.protect-android', name: '*.protect-android', version: '*'

...
}
...
}

Set FINALIZE_ANDROID_ROOT environment variable

FINALIZE_ANDROID_ROOT environment variable must be set for *.finalize-android Gradle plugin to specify the path of the finalizer executable. Replace the placeholders (*) in the environment variable with the real package namespace as indicated by the finalizer file name. If you unpacked the content of the zip file into a directory called nevis-mobile-authentication-sdk-android-3.7.0.1590 inside your HOME directory then the environment variable should look like:

# On Linux
export FINALIZE_ANDROID_ROOT=$HOME/nevis-mobile-authentication-sdk-android-3.7.0.1590/finalizer/finalizers/linux

# On macOs
export FINALIZE_ANDROID_ROOT=$HOME/nevis-mobile-authentication-sdk-android-3.7.0.1590/finalizer/finalizers/macos

# On Windows
set FINALIZE_ANDROID_ROOT=%HOME%\nevis-mobile-authentication-sdk-android-3.7.0.1590\finalizer\finalizers\windows

Modify build.gradle files

note

Apply the following changes in build.gradle file of your application module.

Apply the finalizer plugin and configure it. The following sample shows a simple and adequate configuration. Replace the placeholders (*) with the real package namespace as indicated by the Finalizer Gradle plugin file name.

apply plugin: '*.finalize-android'

finalizeAndroid {
buildVariants {
release {
disabled false
log "$buildDir/finalization.log"
}
}
}

Manifest placeholders

The plugin requires access to the AndroidManifest.xml when executed. So, if you use manifest placeholders, they have to be resolved before the plugin runs. If you want to resolve the placeholders on a variant basis, and you use Android Gradle Plugin 7.0 or newer, use androidComponent as in the following example:

Manifest placeholders with Android Gradle plugin 7 or newer
android {

androidComponents {
onVariants(selector().all(), variant -> {
variant.manifestPlaceholders = [attributeName : "$attributeValue"]
})

If you use an earlier version of the Android Gradle Plugin than 7.0, and use the merged flavor of the variant to resolve the placeholders, execute the plugin after project evaluation:

Manifest placeholders with Android Gradle plugin 6 or older

android { applicationVariants.all {
variant ->
variant.getMergedFlavor().manifestPlaceholders = [attributeName : "$attributeValue"]
}
}

[...]

project.afterEvaluate { apply plugin: 'finalize' }

android.enableJetifier flag

Finalization can fail for instance when using Androidx libraries if third party libraries are not migrated automatically. If finalization fails, we recommend enabling library migration in gradle.properties:

Setting android.enableJetifier in gradle.properties
android.enableJetifier=true

Example - application module build.gradle file using both release and debug SDK dependencies

In the following example, the two out-of-the box build types provided by the Android Gradle plugin are used: release and debug. It is assumed that the SDK dependencies are published to the local Maven repository, see installation chapter.

As only the release flavor of the SDK requires finalization, the finalization plugin is only applied during assembly of the release build type. Replace the placeholders (*) in the gradle classpath and plugin name below with the real package namespace as indicated by the finalizer file name and version.

Application Module build.gradle example
repositories {
// It is assumed that the Nevis SDK is deployed to the local Maven
// repository
mavenLocal()
// Maven Central and Google repositories have the transitive dependencies
// required by the Nevis SDK
mavenCentral()
google()
}

buildscript {
repositories {
// It is assumed that the Nevis SDK finalizer library is deployed
// to the local Maven repository
mavenLocal()
// The Android Gradle Plugin is accessible from the Google repository
// mavenCentral is required to get its transitive dependencies
google()
mavenCentral()
}
dependencies{
classpath group: '*.protect-android', name: '*.protect-android', version: '*'
classpath 'com.android.tools.build:gradle:7.0.3'
}
}

apply plugin: 'com.android.application'
android {
compileSdkVersion 30

defaultConfig {
minSdkVersion 24
targetSdkVersion 30
}

defaultConfig {
applicationId "ch.nevis.doc.sdksampleapp"
versionCode 1
versionName "1.0"
}

compileOptions {
sourceCompatibility JavaVersion.VERSION_1_8
targetCompatibility JavaVersion.VERSION_1_8
}
}

// Apply the SDK finalization plugin.
apply plugin: '*.finalize-android'

finalizeAndroid {
buildVariants {
release {
disabled false
log "$buildDir/finalization.log"
}
}
}

// Add the SDK dependencies to your application.
dependencies {
debugImplementation "ch.nevis:nevis-mobile-authentication-sdk-android-debug:${NEVIS_MOBILE_AUTHENTICATION_SDK_ANDROID_VERSION}"
releaseImplementation "ch.nevis:nevis-mobile-authentication-sdk-android:${NEVIS_MOBILE_AUTHENTICATION_SDK_ANDROID_VERSION}"
}

Enable Multidexing

If your Android Gradle plugin does not enable multidexing by default, set multiDexEnabled to true in the defaultConfig section of your top level build.gradle file. The finalization can cause the total number of methods to go beyond the Dalvik Executable specification limit of 64k. Therefore, multiDexing must be enabled for your application.

Backup Setup

The Android Mobile Authentication SDK does not support backing up and restoring its contents.

If your application does not require backing up any of its contents, disable the backup in the AndroidManifest.xml of your application as described in the Android documentation:

Android Manifest Backup Configuration
<manifest ... >
...
<application android:allowBackup="false" ... >
...
</application>
</manifest>

If your application requires backing up contents, you must list them explicitly in AndroidManifest.xml to avoid backing up the SDK contents.

caution

If the contents of the Android Mobile Authentication SDK are backed up and then restored, the SDK can fail during initialization.