
The following security guidance should be followed by the Requestor App for secure use of the SDK.


Check Warnings

After you configure the "cardinalSession" defined in Step 3 of the Flow Documentation, call the "getWarnings" method on the Cardinal session to get a list of all the warnings detected by the SDK.

For example:

NSArray<Warning *> *warnings = [session getWarnings];


The SDK detects the following five vulnerabilities:

| Security Warning ID | Description | Severity |
|---|---|---|
| SW01 | The device is jailbroken. | High |
| SW02 | The integrity of the SDK has been tampered with. | High |
| SW03 | An emulator is being used to run the App. | High |
| SW04 | A debugger is attached to the App. | Medium |
| SW05 | The OS or the OS version is not supported. | High |

Analyze the list of warnings to take further action.

Check SDK Version

After you initialize the "threeDSService" defined in Step 3 of the Flow Documentation, call the "getSDKVersion" method on threeDSService to get the version of the SDK.

For example:

NSError *error;
NSString *sdkVersion = [threeDSService getSDKVersion:&error];
if(error){
	//Check error object for detail.
}

After initializing, check the SDK Version to make sure you are using the latest version of the SDK.


Secure Deletion of Sensitive Data

After using the sensitive data returned by the SDK, make sure to securely delete all the local variables that hold it. For example, AuthenticationRequestParameters returns sensitive data. As soon as it has been used, clear the objects that reference that sensitive data.

Secure deletion can be achieved either by assigning a random value after use or by using an approved third-party solution for secure memory, such as: https://github.com/project-imas/memory-security
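
The random value assignment described above, as an added example that is not part of the SDK or of the original page. The helper name WipeSensitiveData and the sample value are hypothetical; it assumes the sensitive value is held in an NSMutableData buffer.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <string.h>

// Hypothetical helper, not part of the SDK: overwrites a mutable buffer in place.
// Returns YES when the random overwrite succeeded, NO when it fell back to zeroing.
static BOOL WipeSensitiveData(NSMutableData *data) {
    size_t length = data.length;
    if (length == 0) {
        return YES;
    }
    void *bytes = data.mutableBytes;

    // Random value assignment over every byte of the buffer.
    if (SecRandomCopyBytes(kSecRandomDefault, length, bytes) == errSecSuccess) {
        return YES;
    }
    // Fallback if the random source fails: memset_s, unlike memset,
    // may not be removed by the optimiser as a dead store.
    memset_s(bytes, length, 0, length);
    return NO;
}

int main(void) {
    @autoreleasepool {
        // Constructed sample value standing in for sensitive data from the SDK.
        const char sample[] = "constructed-sensitive-value";
        size_t sampleLength = sizeof(sample) - 1;
        NSMutableData *secret = [NSMutableData dataWithBytes:sample length:sampleLength];

        // ... use secret.bytes here ...

        BOOL randomised = WipeSensitiveData(secret);
        BOOL changed = memcmp(secret.bytes, sample, sampleLength) != 0;
        NSLog(@"random overwrite: %d, original bytes gone: %d", randomised, changed);
        secret = nil;  // drop the reference only after the overwrite
    }
    return 0;
}
```

Immutable NSString or NSData copies of the same value cannot be overwritten this way, so keep sensitive values in mutable buffers from the moment they are received.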


Closing Transaction Object

After completion of the transaction, always close the transaction object. This helps to clear all the memory consumed during that transaction. 

For example,

[transaction close];


Clean Up ThreeDSService Object

After completion of the whole flow, always clean up the threeDSService object. This helps to clear all the memory consumed by that ThreeDSService object.

For example,

NSError *error;
[threeDSService cleanup:&error];
if(error){
    //Error Cleaning Up the ThreeDSService. Check error for detail.
}
