Approov Mobile SDK Interface Reference

Approov SDK Interface

The overall SDK interfaces may be accessed as follows:


import com.criticalblue.approovsdk.Approov;


#import <Approov/Approov.h>


import Approov

Note that the iOS SDK is actually written in Objective-C and the method references are described in this way. Other code examples in the documentation are in Swift, using the automatically generated bindings to the SDK methods.

Initialization


/**
 * Initialize the Approov SDK. This must be called prior to any other methods on the Approov
 * SDK. The SDK is initialized with an application context, a base configuration and an
 * optional update configuration and comment. The base configuration is a signed JWT
 * token string that is obtained from the Approov administration portal and contains all
 * necessary parameters to initialize the SDK. This must be stored as a resource in the
 * application using the SDK. An updated configuration may be transmitted while the SDK
 * is in use and this must be stored in the local storage of the app.
 *
 * @param appContext is the application context to use
 * @param initialConfig is the initial configuration string and must be present
 * @param dynamicConfig is any dynamic update configuration string or null if there is none
 * @param reserved is provided for future usage
 * @throws IllegalArgumentException if provided configuration is not valid
 */
public static void initialize(Context appContext, String initialConfig, String dynamicConfig, String reserved) throws IllegalArgumentException;

/**
 * Initialize the Approov SDK. This must be called prior to any other methods on the Approov
 * SDK. The SDK is initialized with a base configuration and an optional update configuration
 * and comment. The base configuration is a signed JWT token string that is obtained from the
 * Approov administration portal and contains all necessary parameters to initialize the SDK.
 * This must be stored as a resource in the application using the SDK. An updated configuration
 * may be transmitted while the SDK is in use and this must be stored in the local storage of the app.
 *
 * @param baseConfig is the initial configuration string and must be present
 * @param updateConfig is any dynamic update configuration string or null if there is none
 * @param comment is an optional comment that appears when the app is registered, or null otherwise
 * @param error the reference to an error object which will be set if an error occurred
 * @return YES if the Approov framework was successfully initialized or NO otherwise
 */
+ (BOOL)initialize:(nonnull NSString *)baseConfig updateConfig:(nullable NSString *)updateConfig
    comment:(nullable NSString * )comment error:(NSError *_Nullable *_Nullable)error;

/**
 * Initialize the Approov SDK. This must be called prior to any other methods on the Approov
 * SDK. The SDK is initialized with a base configuration and an optional update configuration
 * and comment. The base configuration is a signed JWT token string that is obtained from the
 * Approov administration portal and contains all necessary parameters to initialize the SDK.
 * This must be stored as a resource in the application using the SDK. An updated configuration
 * may be transmitted while the SDK is in use and this must be stored in the local storage of the app.
 *
 * @param baseConfig is the initial configuration string and must be present
 * @param updateConfig is any dynamic update configuration string or null if there is none
 * @param comment is an optional comment that appears when the app is registered, or null otherwise
 * @param error the reference to an error object which will be set if an error occurred
 * @return YES if the Approov framework was successfully initialized or NO otherwise
 */
class func initialize(_ baseConfig: String, updateConfig: String?, comment: String?) throws

Configuration Fetching


/**
  * Fetches the current configuration for the SDK. This may be the base configuration or may
  * be a new updated configuration returned from the Approov cloud service. Such updates of the
  * configuration allow new sets of certificate pins and other configuration to be passed to
  * an app instance that is running in the field.
  *
  * Normally this method returns the latest configuration that is available and is cached in the
  * SDK. Thus the method will return quickly. However, if this method is called when there has
  * been no prior call to fetch an Approov token then a network request to the Approov cloud
  * service will be made to obtain any latest configuration update. The maximum timeout period
  * is set to be quite short but the caller must be aware that this delay may occur.
  *
  * Note that the returned configuration should generally be kept in local storage for the app
  * so that it can be made available on initialization of the Approov SDK next time the app
  * is started.
  *
  * It is possible to see if a new configuration becomes available from the isConfigChanged()
  * method of the TokenFetchResult. This changed flag is only cleared for future token fetches
  * if a call to this method is made.
  *
  * @return String representation of the configuration.
  */
public static final String fetchConfig();

/**
 * Fetches the current configuration for the SDK. This may be the base configuration or may
 * be a new updated configuration returned from the Approov cloud service. Such updates of the
 * configuration allow new sets of certificate pins and other configuration to be passed to
 * an app instance that is running in the field.
 *
 * Normally this method returns the latest configuration that is available and is cached in the
 * SDK. Thus the method will return quickly. However, if this method is called when there has
 * been no prior call to fetch an Approov token then a network request to the Approov cloud
 * service will be made to obtain any latest configuration update. The maximum timeout period
 * is set to be quite short but the caller must be aware that this delay may occur.
 *
 * Note that the returned configuration should generally be kept in local storage for the app
 * so that it can be made available on initialization of the Approov SDK next time the app
 * is started.
 *
 * It is possible to see if a new configuration becomes available from the isConfigChanged
 * property of the TokenFetchResult. This changed flag is only cleared for future token fetches
 * if a call to this method is made.
 *
 * @return String representation of the configuration or nil if SDK not initialized.
 */
+ (nullable NSString *)fetchConfig;

/**
 * Fetches the current configuration for the SDK. This may be the base configuration or may
 * be a new updated configuration returned from the Approov cloud service. Such updates of the
 * configuration allow new sets of certificate pins and other configuration to be passed to
 * an app instance that is running in the field.
 *
 * Normally this method returns the latest configuration that is available and is cached in the
 * SDK. Thus the method will return quickly. However, if this method is called when there has
 * been no prior call to fetch an Approov token then a network request to the Approov cloud
 * service will be made to obtain any latest configuration update. The maximum timeout period
 * is set to be quite short but the caller must be aware that this delay may occur.
 *
 * Note that the returned configuration should generally be kept in local storage for the app
 * so that it can be made available on initialization of the Approov SDK next time the app
 * is started.
 *
 * It is possible to see if a new configuration becomes available from the isConfigChanged
 * property of the TokenFetchResult. This changed flag is only cleared for future token fetches
 * if a call to this method is made.
 *
 * @return String representation of the configuration or nil if SDK not initialized.
 */
class func fetchConfig() -> String?

Pin Extraction


/**
 * Fetches the pins from the current configuration of the SDK. This is returned as
 * as map from URL domain (hostname only) to the possible pins for that domain. If there is
 * no map entry for a domain then that indicates that the connection is not specifically
 * pinned. The type of pin requested determines the data in each of the pins. This is typically
 * the base64 encoding of the hash of some aspect of the certificate. A connection is considered
 * to be valid if any certificate in the chain presented is one with the same hash as one in
 * the array of hashes.
 *
 * @param pinType is the type of pinning information that is required
 * @return Map from domain to the list of strings providing the pins
 */
public static final Map<String, List<String>> getPins(String pinType);

/**
 * Provide access to the API-Pins information held in the current app configuration. This is a helper method that avoids
 * the need for the app to access the configuration directly. Pins of a particular type are retrieved. If the
 * SDK has not be initialized then nil is returned.
 *
 * @param pinType is the format of the pins that should be retrieved
 * @result NSDictionary mapping from domain names to a list of pins in base64 format for that domain
*/
+ (nullable NSDictionary<NSString *, NSArray<NSString *> *> *)getPins:(nonnull NSString *)pinType;

/**
 * Provide access to the API-Pins information held in the current app configuration. This is a helper method that avoids
 * the need for the app to access the configuration directly. Pins of a particular type are retrieved. If the
 * SDK has not be initialized then nil is returned.
 *
 * @param pinType is the format of the pins that should be retrieved
 * @result NSDictionary mapping from domain names to a list of pins in base64 format for that domain
*/
class func getPins(_ pinType: String) -> [String : [String]]?

Token Fetch Interface


/**
 * Potential status results from an attempt to fetch an Approov token
 */
public enum TokenFetchStatus {
        SUCCESS,                // token was successfully received
        NO_NETWORK,             // there is no token because there is no network connectivity currently
        MITM_DETECTED,          // there is no token because there is a Man-In-The-Middle (MITM) to the Approov cloud service
        POOR_NETWORK,           // no token could be obtained due to poor network connectivity
        NO_APPROOV_SERVICE,     // no token could be obtained, perhaps because Approov services are down
        BAD_URL,                // provided URL was not https or otherwise in the correct format
        UNKNOWN_URL,            // provided URL is not one that one configured for Approov
        UNPROTECTED_URL,        // provided URL does not need an Approov token
        NO_NETWORK_PERMISSION,  // app does not have ACCESS_NETWORK_STATE or INTERNET permission
        MISSING_LIB_DEPENDENCY, // app is missing a needed library dependency
        INTERNAL_ERROR          // there has been an internal error in the SDK
    }

/**
 * Results from an Approov token fetch
 */
public class TokenFetchResult {
  /**
   * Gets the status of the last Approov token fetch.
   *
   * @return Approov token fetch status
   */
  public TokenFetchStatus getStatus();

  /**
   * Gets the token string of the last Approov token fetch. This may be an empty string
   * if the fetch did not succeed.
   *
   * @return Approov token string
   */
  public String getToken();

  /**
   * Determines if a new configuration is available from fetchConfig().
   *
   * @return true if an updated configuration is available.
   */
  public boolean isConfigChanged();

  /**
   * Gets a measurement configuration if the last token fetch was to perform an
   * integrity measurement.
   *
   * @return Approov measurement configuration or null if no measurement made
   */
  public byte[] getMeasurementConfig();
}

/*
 * Enumeration of results that may be generated as a result of an Approov token fetch operation.
 */
typedef NS_ENUM(NSUInteger, ApproovTokenFetchStatus)
{
    // Indicates that a token was successfully obtained.
    ApproovTokenFetchStatusSuccess,

    // Indicates that there is no valid cached token and there is currently no network connectivity so no new token
    // could be obtained. This specific state is provided because the developer might choose to retry in this case
    // because the subsequent API request will almost certainly fail too.
    ApproovTokenFetchStatusNoNetwork,

    // Indicates that no token could be obtained because the certificate presented on the Approov endpoint was not one
    // that was expected. This might indicate the device is running on a network with a firewall that terminates TLS.
    ApproovTokenFetchStatusMITMDetected,

    // Indicates that no token could be obtained due to poor network connectivity
    ApproovTokenFetchStatusPoorNetwork,

    // no token could be obtained, perhaps because Approov services (primary and failover) are down
    ApproovTokenFetchStatusNoApproovService,

    // Indicates that the provided domain is not in the correct format or is not of the https scheme.
    ApproovTokenFetchStatusBadURL,

    // Indicates that the URL provided is a for a domain that has not be specified in the Approov administration portal.
    // This may be an incorrect URL or may indicate that no Approov token is required for protecting this endpoint.
    ApproovTokenFetchStatusUnknownURL,

    // Indicates that no Approov token is needed for the domain. This is returned as a result of a configuration
    // that is set server side, indicating that the domain is pinned but no Approov token is required.
    ApproovTokenFetchStatusUnprotectedURL,

    // Indicates that the Approov SDK has not been initialized.
    ApproovTokenFetchStatusNotInitialized
};

/**
 * This interface is used for the result value of the fetch Approov token methods.
 */
__attribute__((visibility("default"))) @interface ApproovTokenFetchResult: NSObject

// The result code generated by the Approov token fetch operation
@property (readonly) ApproovTokenFetchStatus status;

// The Approov token as a base64 string which should not be cached by the app client code. This is the empty string if
// no token could be obtained.
@property (readonly, nonnull) NSString *token;

// Provides a flag indicating if a new updated configuration JWT has been obtained from the server. Once set this
// remains true for subsequent token fetches until a fetchConfig() call is made.
@property (readonly) BOOL isConfigChanged;

// The measurement configuration is only provided if the last fetch operation for the domain initiated an integrity
// measurement. This provides a binary buffer that must be provided to the getIntegrityMeasurementProof() or
// getDeviceMeasurementProof() to obtain a new proof. */
@property (readonly, nullable) NSData *measurementConfig;

// ApproovTokenFetchCallback type definition
typedef void (^ApproovTokenFetchCallback)(ApproovTokenFetchResult *_Nonnull result);

/**
 * Gets a loggable version of the result Approov token. This provides the decoded JSON payload along with the first six
 * characters of the base64 encoded signature as an additional "sip" claim. This can be safely logged as it cannot be
 * transformed into a valid token since the full signature is not provided, but it can be subsequently checked for
 * validity if the shared secret is known with a very high probability. The loggable token is always valid JSON. If
 * there is an error then the type is given with the key "error".
 * Note that this is not applicable to JWE tokens.
 *
 * @return Loggable Approov token string
 */
- (nonnull NSString *)loggableToken;

@end

/**
 * Gets a human readable string from an Approov token fetch status.
 *
 * @param approovTokenFetchStatus is the ApproovTokenFetchStatus
 * @return the string for the ApproovTokenFetchStatusq
 */
+ (nonnull NSString *)stringFromApproovTokenFetchStatus:(ApproovTokenFetchStatus)approovTokenFetchStatus;

/*
 * Enumeration of results that may be generated as a result of an Approov token fetch operation.
 */  
enum ApproovTokenFetchStatus {
    // Indicates that a token was successfully obtained.
    case success  

    // Indicates that there is no valid cached token and there is currently no network connectivity so no new token
    // could be obtained. This specific state is provided because the developer might choose to retry in this case
    // because the subsequent API request will almost certainly fail too.
    case noNetwork

    // Indicates that no token could be obtained because the certificate presented on the Approov endpoint was not one
    // that was expected. This might indicate the device is running on a network with a firewall that terminates TLS.
    case mitmDetected

    // Indicates that no token could be obtained due to poor network connectivity
    case poorNetwork

    // no token could be obtained, perhaps because Approov services (primary and failover) are down
    case noApproovService

    // Indicates that the provided domain is not in the correct format or is not of the https scheme.
    case badURL

    // Indicates that the URL provided is a for a domain that has not be specified in the Approov administration portal.
    // This may be an incorrect URL or may indicate that no Approov token is required for protecting this endpoint.
    case unknownURL

    // Indicates that no Approov token is needed for the domain. This is returned as a result of a configuration
    // that is set server side, indicating that the domain is pinned but no Approov token is required.
    case unprotectedURL

    // Indicates that the Approov SDK has not been initialized.
    case notInitialized
}

/**
 * This interface is used for the result value of the fetch Approov token methods.
 */
class ApproovTokenFetchResult: NSObject {

    // The result code generated by the Approov token fetch operation
    private(set) var status: ApproovTokenFetchStatus?

    // The Approov token as a base64 string which should not be cached by the app client code. This is the empty string if
    // no token could be obtained.
    private(set) var token = ""

    // Provides a flag indicating if a new updated configuration JWT has been obtained from the server. Once set this
    // remains true for subsequent token fetches until a fetchConfig() call is made.
    private(set) var isConfigChanged = false

    // The measurement configuration is only provided if the last fetch operation for the domain initiated an integrity
    // measurement. This provides a binary buffer that must be provided to the getIntegrityMeasurementProof() or
    // getDeviceMeasurementProof() to obtain a new proof. */
    private(set) var measurementConfig: Data?

    /**
     * Gets a loggable version of the result Approov token. This provides the decoded JSON payload along with the first six
     * characters of the base64 encoded signature as an additional "sip" claim. This can be safely logged as it cannot be
     * transformed into a valid token since the full signature is not provided, but it can be subsequently checked for
     * validity if the shared secret is known with a very high probability. The loggable token is always valid JSON. If
     * there is an error then the type is given with the key "error".
     * Note that this is not applicable to JWE tokens.
     *
     * @return Loggable Approov token string
     */
    func loggableToken() -> String {
    }
}

/**
 * Gets a human readable string from an Approov token fetch status.
 *
 * @param approovTokenFetchStatus is the ApproovTokenFetchStatus
 * @return the string for the ApproovTokenFetchStatusq
 */
class func string(from approovTokenFetchStatus: ApproovTokenFetchStatus) -> String

Synchronous Token Fetch


/**
 * Initiates a synchronous request to obtain an Approov token and other results. If an Approov token fetch
 * has been completed previously and the tokens are unexpired then this may return the same one
 * without a need to perform a network transaction. Note though that the caller should never cache the
 * Approov token as it may become invalidated at any point.
 *
 * If a new Approov token is required then a more extensive app measurement is performed that involves
 * communicating with the Approov cloud service. Thus this method may take up to several seconds to
 * return and should not be called from a UI thread. There is also a chance that due to poor network
 * connectivity or other factors an Approov token cannot be obtained, and this is reflected in the
 * returned status.
 *
 * All calls must provide a URL which provides the high level domain of the API to which the Approov
 * token is going to be sent. Different API domains will have different Approov tokens associated with
 * them so it is important that the Approov token is only sent to requests for that domain. If the
 * domain has not been configured in the admin portal then an error is obtained.
 *
 * @param url provides the top level domain URL for which a token is being fetched
 * @return results of fetching a token
 */
public static final TokenFetchResult fetchApproovTokenAndWait(String url);

/**
 * Initiates a synchronous request to obtain an Approov token and other results. If an Approov token fetch
 * has been completed previously and the tokens are unexpired then this may return the same one
 * without a need to perform a network transaction. Note though that the caller should never cache the
 * Approov token as it may become invalidated at any point.
 *
 * If a new Approov token is required then a more extensive app measurement is performed that involves
 * communicating with the Approov cloud service. Thus this method may take up to several seconds to
 * return and should not be called from a UI thread. There is also a chance that due to poor network
 * connectivity or other factors an Approov token cannot be obtained, and this is reflected in the
 * returned status.
 *
 * All calls must provide a URL which provides the high level domain of the API to which the Approov
 * token is going to be sent. Different API domains will have different Approov tokens associated with
 * them so it is important that the Approov token is only sent to requests for that domain. If the
 * domain has not been configured in the admin portal then an error is obtained. Note that the provided
 * URL may be suffixed by "?measurement" to initiate a measurement process for use with integrity and
 * device proofs.
 *
 * @param url provides the top level domain URL for which a token is being fetched
 * @return results of fetching a token
 */
+ (nonnull ApproovTokenFetchResult *)fetchApproovTokenAndWait:(nonnull NSString *)url;

/**
 * Initiates a synchronous request to obtain an Approov token and other results. If an Approov token fetch
 * has been completed previously and the tokens are unexpired then this may return the same one
 * without a need to perform a network transaction. Note though that the caller should never cache the
 * Approov token as it may become invalidated at any point.
 *
 * If a new Approov token is required then a more extensive app measurement is performed that involves
 * communicating with the Approov cloud service. Thus this method may take up to several seconds to
 * return and should not be called from a UI thread. There is also a chance that due to poor network
 * connectivity or other factors an Approov token cannot be obtained, and this is reflected in the
 * returned status.
 *
 * All calls must provide a URL which provides the high level domain of the API to which the Approov
 * token is going to be sent. Different API domains will have different Approov tokens associated with
 * them so it is important that the Approov token is only sent to requests for that domain. If the
 * domain has not been configured in the admin portal then an error is obtained. Note that the provided
 * URL may be suffixed by "?measurement" to initiate a measurement process for use with integrity and
 * device proofs.
 *
 * @param url provides the top level domain URL for which a token is being fetched
 * @return results of fetching a token
 */
class func fetchTokenAndWait(_ url: String) -> ApproovTokenFetchResult

Asynchronous Token Fetch


/**
 * Interface that must be implemented to receive token fetch callbacks for the
 * fetchApproovToken() method.
 */
public interface TokenFetchCallback {
   /**
    * Callback function to be implemented in the business logic.
    *
    * @param result is the TokenFetchResult
    */
   void approovCallback(TokenFetchResult result);
}

/**
 * Initiates an asynchronous request to obtain an Approov token and other results. The call returns
 * immediately and when the token is fetched (or if the request times out due to an error) then
 * a callback method is called on the supplied interface instance object. This callback is made
 * on a different thread. If an Approov token fetch has been completed previously and the tokens
 * are unexpired then this callback may be very rapid without a need to perform a network transaction.
 * Note though that the caller should never cache the Approov token as it may become invalidated at
 * any point.
 *
 * If a new Approov token is required then a more extensive app measurement is performed that involves
 * communicating with the Approov cloud service. Thus this method may take up to several seconds to
 * return and should not be called from a UI thread. There is also a chance that due to poor network
 * connectivity or other factors an Approov token cannot be obtained, and this is reflected in the
 * returned status.
 *
 * All calls must provide a url which provides the high level domain of the API to which the Approov
 * token is going to be sent. Different API domains will have different Approov tokens associated with
 * them so it is important that the Approov token is only sent to requests for that domain. If the
 * domain has not been configured in the admin portal then an error is obtained.
 *
 * @param callback is an instance that implements TokenFetchCallback whose callback
 * @param url provides the top level domain url for which a token is being fetched
 */
public static final void fetchApproovToken(TokenFetchCallback callback, String url);

// ApproovTokenFetchCallback type definition
typedef void (^ApproovTokenFetchCallback)(ApproovTokenFetchResult *_Nonnull result);

/**
 * Initiates an asynchronous request to obtain an Approov token and other results. The call returns
 * immediately and when the token is fetched (or if the request times out due to an error) then
 * a callback function is called with the result. This callback is made on a different thread. If
 * an Approov token fetch has been completed previously and the token are unexpired then this callback
 * may be very rapid without a need to perform a network transaction. Note though that the caller
 * should never cache the Approov token as it may become invalidated at any point.
 *
 * If a new Approov token is required then a more extensive app measurement is performed that involves
 * communicating with the Approov cloud service. Thus this method may take up to several seconds to
 * return and should not be called from a UI thread. There is also a chance that due to poor network
 * connectivity or other factors an Approov token cannot be obtained, and this is reflected in the
 * returned status.
 *
 * All calls must provide a url which provides the high level domain of the API to which the Approov
 * token is going to be sent. Different API domains will have different Approov tokens associated with
 * them so it is important that the Approov token is only sent to requests for that domain. If the
 * domain has not been configured in the admin portal then an error is obtained. Note that the provided
 * URL may be suffixed by "?measurement" to initiate a measurement process for use with integrity and
 * device proofs.
 *
 * @param callbackHandler is a function that takes an ApproovTokenFetchResult when the token is obtained
 * @param url provides the top level domain url for which a token is being fetched
 */
+ (void)fetchApproovToken:(nonnull ApproovTokenFetchCallback)callbackHandler :(nonnull NSString *)url;

// ApproovTokenFetchCallback type definition
typealias ApproovTokenFetchCallback = (ApproovTokenFetchResult) -> Void

/**
 * Initiates an asynchronous request to obtain an Approov token and other results. The call returns
 * immediately and when the token is fetched (or if the request times out due to an error) then
 * a callback function is called with the result. This callback is made on a different thread. If
 * an Approov token fetch has been completed previously and the token are unexpired then this callback
 * may be very rapid without a need to perform a network transaction. Note though that the caller
 * should never cache the Approov token as it may become invalidated at any point.
 *
 * If a new Approov token is required then a more extensive app measurement is performed that involves
 * communicating with the Approov cloud service. Thus this method may take up to several seconds to
 * return and should not be called from a UI thread. There is also a chance that due to poor network
 * connectivity or other factors an Approov token cannot be obtained, and this is reflected in the
 * returned status.
 *
 * All calls must provide a url which provides the high level domain of the API to which the Approov
 * token is going to be sent. Different API domains will have different Approov tokens associated with
 * them so it is important that the Approov token is only sent to requests for that domain. If the
 * domain has not been configured in the admin portal then an error is obtained. Note that the provided
 * URL may be suffixed by "?measurement" to initiate a measurement process for use with integrity and
 * device proofs.
 *
 * @param callbackHandler is a function that takes an ApproovTokenFetchResult when the token is obtained
 * @param url provides the top level domain url for which a token is being fetched
 */
class func fetchToken(_ callbackHandler: ApproovTokenFetchCallback, _ url: String)

Token Binding


/**
 * Sets a hash of the given data value into any future Approov tokens obtained in the 'pay'
 * claim. If the data values are transmitted to the API backend along with the
 * Approov token then this allows the backend to check that the data value was indeed
 * known to the app at the time of the token fetch and hasn't been spoofed. If the
 * data is the same as any previous one set then the token does not need to be updated.
 * Otherwise the next token fetch causes a new attestation to fetch a new token. Note that
 * this should not be done frequently due to the additional latency on token fetching that
 * will be caused. The hash appears in the 'pay' claim of the Approov token as a base64
 * encoded string of the SHA256 hash of the data. Note that the data is hashed locally and
 * never sent to the Approov cloud service.
 *
 * @param data is the data whose SHA256 hash is to be included in future Approov tokens
 */
public static final void setDataHashInToken(String data);

/**
 * Sets a hash of the given data value into any future Approov tokens obtained in the 'pay'
 * claim. If the data values are transmitted to the API backend along with the
 * Approov token then this allows the backend to check that the data value was indeed
 * known to the app at the time of the token fetch and hasn't been spoofed. If the
 * data is the same as any previous one set then the token does not need to be updated.
 * Otherwise the next token fetch causes a new attestation to fetch a new token. Note that
 * this should not be done frequently due to the additional latency on token fetching that
 * will be caused. The hash appears in the 'pay' claim of the Approov token as a base64
 * encoded string of the SHA256 hash of the data. Note that the data is hashed locally and
 * never sent to the Approov cloud service.
 *
 * @param data is the data whose SHA256 hash is to be included in future Approov tokens
 */
+ (void)setDataHashInToken:(nonnull NSString *)data;

/**
 * Sets a hash of the given data value into any future Approov tokens obtained in the 'pay'
 * claim. If the data values are transmitted to the API backend along with the
 * Approov token then this allows the backend to check that the data value was indeed
 * known to the app at the time of the token fetch and hasn't been spoofed. If the
 * data is the same as any previous one set then the token does not need to be updated.
 * Otherwise the next token fetch causes a new attestation to fetch a new token. Note that
 * this should not be done frequently due to the additional latency on token fetching that
 * will be caused. The hash appears in the 'pay' claim of the Approov token as a base64
 * encoded string of the SHA256 hash of the data. Note that the data is hashed locally and
 * never sent to the Approov cloud service.
 *
 * @param data is the data whose SHA256 hash is to be included in future Approov tokens
 */
class func setDataHashInToken(_ data: String)

Integrity Measurement Proof


/**
 * Obtains an integrity measurement proof that is used to show that the app and its
 * environment have not changed since the time of the original integrity measurement.
 * The proof does an HMAC calculation over the secret integrity measurement value which
 * is salted by a provided nonce. This proves that the SDK is able to reproduce the
 * integrity measurement value.
 *
 * @param nonce is a 16-byte (128-bit) nonce value used to salt the proof HMAC
 * @param measurementConfig is the measurement configuration obtained from a previous token fetch results
 * @return 32-byte (256-bit) measurement proof value
 */
public static final byte[] getIntegrityMeasurementProof(byte[] nonce, byte[] measurementConfig);

/**
 * Obtains an integrity measurement proof that is used to show that the app and its
 * environment have not changed since the time of the original integrity measurement.
 * The proof does an HMAC calculation over the secret integrity measurement value which
 * is salted by a provided nonce. This proves that the SDK is able to reproduce the
 * integrity measurement value. This may return nil if the SDK has not been initialized
 * or if the parameters are in invalid.
 *
 * @param nonce is a 16-byte (128-bit) nonce value used to salt the proof HMAC
 * @param measurementConfig is the measurement configuration obtained from a previous token fetch results
 * @return 32-byte (256-bit) measurement proof value or nil if there was an error
 */
+ (nullable NSData *)getIntegrityMeasurementProof:(nonnull NSData *)nonce :(nonnull NSData *)measurementConfig

/**
 * Obtains an integrity measurement proof that is used to show that the app and its
 * environment have not changed since the time of the original integrity measurement.
 * The proof does an HMAC calculation over the secret integrity measurement value which
 * is salted by a provided nonce. This proves that the SDK is able to reproduce the
 * integrity measurement value. This may return nil if the SDK has not been initialized
 * or if the parameters are in invalid.
 *
 * @param nonce is a 16-byte (128-bit) nonce value used to salt the proof HMAC
 * @param measurementConfig is the measurement configuration obtained from a previous token fetch results
 * @return 32-byte (256-bit) measurement proof value or nil if there was an error
 */
class func getIntegrityMeasurementProof(_ nonce: Data, _ measurementConfig: Data) -> Data?

Device Measurement Proof

   
/**
 * Obtains a device measurement proof that is used to show that the device environment
 * has not changed since the time of the original integrity measurement. This allows the
 * app version, including the Approov SDK, to be updated while preserving the device
 * measurement. The proof does an HMAC calculation over the secret device measurement
 * value which is salted by a provided nonce. This proves that the SDK is able to reproduce
 * the device measurement value.
 *
 * @param nonce is a 16-byte (128-bit) nonce value used to salt the proof HMAC
 * @param measurementConfig is the measurement configuration obtained from a previous token fetch results
 * @return 32-byte (256-bit) measurement proof value
 */
public static final byte[] getDeviceMeasurementProof(byte[] nonce, byte[] measurementConfig);

/**
 * Obtains a device measurement proof that is used to show that the device environment
 * has not changed since the time of the original integrity measurement. This allows the
 * app version, including the Approov SDK, to be updated while preserving the device
 * measurement. The proof does an HMAC calculation over the secret device measurement
 * value which is salted by a provided nonce. This proves that the SDK is able to reproduce
 * the device measurement value. This may return nil if the SDK has not been initialized
 * or if the parameters are in invalid.
 *
 * @param nonce is a 16-byte (128-bit) nonce value used to salt the proof HMAC
 * @param measurementConfig is the measurement configuration obtained from a previous token fetch results
 * @return 32-byte (256-bit) measurement proof value or nil if there was an error
 */
+ (nullable NSData *)getDeviceMeasurementProof:(nonnull NSData *)nonce :(nonnull NSData *)measurementConfig

/**
 * Obtains a device measurement proof that is used to show that the device environment
 * has not changed since the time of the original integrity measurement. This allows the
 * app version, including the Approov SDK, to be updated while preserving the device
 * measurement. The proof does an HMAC calculation over the secret device measurement
 * value which is salted by a provided nonce. This proves that the SDK is able to reproduce
 * the device measurement value. This may return nil if the SDK has not been initialized
 * or if the parameters are in invalid.
 *
 * @param nonce is a 16-byte (128-bit) nonce value used to salt the proof HMAC
 * @param measurementConfig is the measurement configuration obtained from a previous token fetch results
 * @return 32-byte (256-bit) measurement proof value or nil if there was an error
 */
class func getDeviceMeasurementProof(_ nonce: Data, _ measurementConfig: Data) -> Data?