Evervault Android SDK

The Evervault Android SDK is a library that provides secure data encryption and secure credit card input. It's simple to integrate, easy to use and it supports a wide range of data types.

Features

Core encryption capabilities for various data types. A secure and customizable PaymentCardInput Compose view.
Built-in data type recognition and appropriate encryption handling.

Supported Platforms

Android

The Evervault Android SDK uses the Evervault Kotlin Multiplatform SDK to provide the core encryption functionality.

Installation

Our Android SDK distributed via maven, and can be installed using your preferred build tool.

Gradle DSL

1
implementation("com.evervault.sdk:evervault-core:1.0")
2
implementation("com.evervault.sdk:evervault-inputs:1.0")
3
implementation("com.evervault.sdk:evervault-cages:1.0")

Maven

1
<dependency>
2
  <groupId>com.evervault.sdk</groupId>
3
  <artifactId>evervault-core</artifactId>
4
  <version>1.0</version>
5
</dependency>
6
<dependency>
7
  <groupId>com.evervault.sdk</groupId>
8
  <artifactId>evervault-inputs</artifactId>
9
  <version>1.0</version>
10
</dependency>
11
<dependency>
12
  <groupId>com.evervault.sdk</groupId>
13
  <artifactId>evervault-cages</artifactId>
14
  <version>1.0</version>
15
</dependency>

Usage

Configuration

Before using the Evervault Android SDK, you need to configure it with your Evervault Team ID and App ID. This step is essential for establishing a connection with the Evervault encryption service.

1
Evervault.shared.configure("<TEAM_ID>", "<APP_ID>")

Make sure to replace <TEAM_ID> and <APP_ID> with your actual Evervault Team ID and App ID.

Once the SDK is configured, you can use the encrypt method to encrypt your sensitive data. The encrypt method accepts various data types, including Boolean, Numerics, Strings, Arrays, Lists, Maps and ByteArrays.

Here's an example of encrypting a password:

1
val encryptedPassword = Evervault.shared.encrypt("Super Secret Password")

The encrypt method returns an Any type, so you will need to safely cast the result based on the data type you provided. For Boolean, Numerics, and Strings, the encrypted data is returned as a String. For Arrays, Lists and Maps, the encrypted data maintains the same structure but is encrypted (except that Arrays become Lists). For ByteArray, the encrypted data is returned as encrypted ByteArray, which can be useful for encrypting files.

Decrypting Data

Decrypts data previously encrypted with the encrypt() function or through Relay.

The decrypt() function allows you to decrypt previously encrypted data using a token.

The token is a time bound token for decrypting data. The token can be generated using our backend SDKs or through our REST API.

The payload must be the same payload that was used to create the token and expires in a maximum of 10 minutes depending on the expiry set when creating the token.

The payload must be a map and the response is Any which can, and should be, cast to Map<String, Any>

1
val encrypted = Evervault.shared.encrypt("Super Secret Password")
2
3
val decrypted = Evervault.shared.decrypt(token, mapOf("data" to encrypted)) as Map<String, Any>
4
println(decrypted["data"]) // Output: "Super Secret Password"

Inputs

The Evervault Android SDK also provides a Compose view called PaymentCardInput. This view is designed for capturing credit card information and automatically encrypts the credit card number and CVC without exposing the unencrypted data. The PaymentCardInput view can be customized to fit your application's design.

Here's an example of using the PaymentCardInput view:

1
PaymentCardInput(onDataChange = { paymentCardData: PaymentCardData ->
2
    // Handle card data
3
})

The encrypted credit card number and CVC are captured in the PaymentCardData, as well as the expiry month and year and validation fields.

Styling

The PaymentCardInput can be customized to fit your application's design. The view accepts a layout parameter, which can be used to customize the view's layout. The layout parameter accepts a @Composable function, which can be used to customize the view's layout.

Two build-in layouts are provided:

inlinePaymentCardInputLayout() (the default layout) - This layout displays the card number, expiry and CVC fields inline.

To explicitly use this layout:

1
PaymentCardInput(
2
    layout = inlinePaymentCardInputLayout(),
3
    onDataChange = { paymentCardData: PaymentCardData ->
4
        // Handle card data
5
    }
6
)

rowsPaymentCardInputLayout() - puts the credit card number on a single row. Below it, places the expiry and cvc fields next to each other.

To use this layout:

1
PaymentCardInput(
2
    layout = rowsPaymentCardInputLayout(),
3
    onDataChange = { paymentCardData: PaymentCardData ->
4
        // Handle card data
5
    }
6
)

You can also customize these layout through theming and modifiers:

1
MaterialTheme(
2
    colorScheme = MaterialTheme.colorScheme.copy(
3
        primary = Color.Black,
4
        secondary = Color.White,
5
        primaryContainer = Color.LightGray,
6
    ),
7
) {
8
    PaymentCardInput(
9
        modifier = Modifier
10
            .clip(RoundedCornerShape(8.dp)),
11
        textStyle = TextStyle.Default.copy(fontSize = 16.sp),
12
        onDataChange = it
13
    )
14
}

If these two layouts do not fit your application's design, you can create your own layout by passing a @Composable function to the layout parameter. The @Composable function will receive a PaymentCardInputScope object, which contains the CardImage, CardNumberField, ExpiryField and CVCField fields. You can use these fields to create your own layout:

1
PaymentCardInput(
2
    layout = {
3
        Column {
4
            CardImage()
5
            Row {
6
                CardNumberField()
7
                Column {
8
                    ExpiryField()
9
                    CVCField()
10
                }
11
            }
12
        }
13
    },
14
    onDataChange = { paymentCardData: PaymentCardData ->
15
        // Handle card data
16
    }
17
)

Cages (Beta)

The Evervault Cages SDK provides an accessible solution for developers to deploy Docker containers within a Secure Enclave. It enables you to interact with your Cages endpoints via standard HTTP requests directly from your Android applications. A key feature that enables this is the attestation verification performed before completing the TLS handshake. For a deeper understanding of this process, you can explore our TLS Attestation documentation.

The attestation verification is executed using a custom Trust Manager on a OkHttpClient.Builder. This Trust Manager needs initialization with one or more AttestationData objects:

1
data class AttestationData(
2
    val cageName: String,
3
    val pcrs: List<PCRs>
4
) {
5
    constructor(cageName: String, vararg pcrs: PCRs)
6
}
7
8
data class PCRs(
9
    val pcr0: String,
10
    val pcr1: String,
11
    val pcr2: String,
12
    val pcr8: String
13
)

It is crucial to ensure that the supplied PCRs align with the PCRs of the respective Cage.

Then you configure the HTTP Client with the attestations:

1
2
val client = OkHttpClient.Builder()
3
    .trustManager(AttestationData(
4
        cageName = cageName,
5
        // Replace with legitimate PCR strings when not in debug mode
6
        PCRs(
7
            pcr0 = "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
8
            pcr1 = "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
9
            pcr2 = "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
10
            pcr8 = "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
11
        )
12
    ))
13
    .build()

Only use this client for requests to your Cage. For all other requests, use a separate client.

Considerations

It's crucial to note that the PCR values associated with a Cage change with each new deployment. Consequently, older versions of your app with hardcoded PCRs may stop functioning. To alleviate this, you can accommodate previous deployments by providing multiple PCRs objects:

1
AttestationData(
2
    cageName = cageName,
3
    listOf(
4
        PCRs(
5
            pcr0 = "fd4b",
6
            pcr1 = "bc3f",
7
            pcr2 = "2c10",
8
            pcr8 = "dfb3"
9
        ),
10
        PCRs(
11
            pcr0 = "c779",
12
            pcr1 = "bc3f",
13
            pcr2 = "4cbf",
14
            pcr8 = "dfb3"
15
        )
16
    )
17
)

Please be aware that the Android SDK is compatible only with Cages that have the API Key Authentication set to false in your cage.toml file:

1
api_key_auth = false

Only use the OkHttpClient configured with the AttestationData for requests to your Cage. For all other requests, use a separate client. If you have multiple Cages, you will need to configure a separate OkHttpClient for each Cage.
When calling an endpoint of your Cage, use make sure you do not have any underscore _ in the request url. Replace any underscore, such as the one in your App ID, with hyphens -.

These considerations are essential to remember for a seamless integration and operation of the Evervault Cages SDK in your Android applications.

Sample App

The Evervault Android SDK Package includes a sample app, located in the sampleapplication directory. The sample app demonstrates various use cases of the SDK, including string encryption, file (image) encryption, and the usage of the PaymentCardInput view with customized styling.

Android SDK