Android

The Evervault Android SDK is a library for encrypting data and collecting credit cards data on Android Devices. It's simple to integrate, easy to use and it supports a wide range of data types.

Features

Core encryption capabilities for various data types.
A secure and customizable PaymentCard Compose view.
Built-in data type recognition and appropriate encryption handling.

Quickstart

Install SDK

Our Android SDK distributed via maven, and can be installed using your preferred build tool.

If you are installing evervault-inputs from version 2.0.0 and onwards you will also need to add the JitPack repository to your build file:

1dependencyResolutionManagement {
2  repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
3  repositories {
4    mavenCentral()
5    maven { url = uri("https://jitpack.io") }
6  }
7}

Gradle DSL

1implementation("com.evervault.sdk:evervault-core:1.2")
2implementation("com.evervault.sdk:evervault-inputs:2.0.0")
3implementation("com.evervault.sdk:evervault-enclaves:2.0.0")

Maven

1<dependency>
2  <groupId>com.evervault.sdk</groupId>
3  <artifactId>evervault-core</artifactId>
4  <version>1.2</version>
5  </dependency>
6<dependency>
7  <groupId>com.evervault.sdk</groupId>
8  <artifactId>evervault-inputs</artifactId>
9  <version>2.0.0</version>
10  </dependency>
11<dependency>
12  <groupId>com.evervault.sdk</groupId>
13  <artifactId>evervault-enclaves</artifactId>
14  <version>2.0.0</version>
15  </dependency>

Initialize SDK

Before using the Evervault Android SDK, you need to configure it with your Evervault Team ID and App ID. This step is essential for establishing a connection with the Evervault encryption service.

1Evervault.shared.configure("<TEAM_ID>", "<APP_ID>")

Make sure to replace <TEAM_ID> and <APP_ID> with your actual Evervault Team ID and App ID which can be found in the Evervault Dashboard

Encrypting Data

Once the SDK is configured, you can use the encrypt method to encrypt sensitive data. The encrypt method accepts Java's primitive data types and an optional role

Here's an example of encrypting a social security number:

1val encryptedPassword = Evervault.shared.encrypt("123-12-1234")

A role defines an encryption policy to be applied to the return ciphertext. The encrypt function takes as an optional parameter role which is the id of the role created in your Evervault App

1val encryptedPassword = Evervault.shared.encrypt("123-12-1234", 'role-id')

The encrypt method returns an Any type, so you will need to safely cast the result based on the data type you provided. For Boolean, Numerics, and Strings, the encrypted data is returned as a String. For Arrays, Lists and Maps, the encrypted data maintains the same structure but is encrypted (except that Arrays become Lists). For ByteArray, the encrypted data is returned as encrypted ByteArray, which can be useful for encrypting files.

Decrypting Data

Decrypts data previously encrypted with the encrypt() function or through Relay. The decrypt() function allows you to decrypt previously encrypted data using a token.

The token is a time bound token for decrypting data. The token can be generated using our backend SDKs or through our REST API. The payload must be the same payload that was used to create the token and expires 10 minutes after creation. The payload must be a map and the response is Any which can, and should be, cast to Map<String, Any>

1val encrypted = Evervault.shared.encrypt("Super Secret Password")
2
3val decrypted = Evervault.shared.decrypt(token, mapOf("data" to encrypted)) as Map<String, Any>
4println(decrypted["data"]) // Output: "Super Secret Password"

Inputs

The Evervault Android SDK also provides a Compose view called PaymentCard. This view is designed for capturing credit card information and automatically encrypts the credit card number and CVC without exposing the unencrypted data. The PaymentCard view can be customized to fit your application's design.

Here's an example of using the PaymentCard composable:

1UserParentLayout {
2    val onDataChange: (PaymentCardData) -> Unit = {} // Handle card data
3    // ...
4    PaymentCard(onDataChange = onDataChange) {
5        // User custom payment card layout using the [PaymentCardInputScope] components with a combination of user own components and modifiers
6    }
7}

The encrypted credit card number and CVC are captured in the PaymentCardData, as well as the expiry month and year and validation fields.

Styling

The PaymentCard and its components can be customized to fit your application's design. The view excepts a number of parameters that enable you to customize the modifier, text and placeholder styles. The content parameter accepts a @Composable PaymentCardInputScope.() function, which can be used to customize the view's layout. The PaymentCardInputScope components can be customized with a modifier (Modifier), label (String or @Composable), placeholder (String or @Composable), text style (TextStyle), and input field colors (TextFieldColors).

Two build-in layouts are provided:

Inline

InlinePaymentCard (the default layout) - This layout displays the card number, expiry and CVC fields inline.

1@Composable
2fun InlinePaymentCard(
3    modifier: Modifier = Modifier,
4    textStyle: TextStyle = TextStyle.Default,
5    placeholderTexts: PlaceholderTexts = PlaceholderDefaults.texts(),
6    placeholderTextStyle: TextStyle = textStyle.copy(color = MaterialTheme.colorScheme.secondary),
7    onDataChange: (PaymentCardData) -> Unit = {}
8)

Rows

RowsPaymentCard - Displays the credit card number on a single row. Below it, places the expiry and cvc fields next to each other.

1@Composable
2fun RowsPaymentCard(
3    modifier: Modifier = Modifier,
4    textStyle: TextStyle = TextStyle.Default,
5    placeholderTexts: PlaceholderTexts = PlaceholderDefaults.texts(),
6    placeholderTextStyle: TextStyle = textStyle.copy(color = MaterialTheme.colorScheme.secondary),
7    onDataChange: (PaymentCardData) -> Unit = {}
8)

You can also customize these layout through theming and modifiers:

1UserCustomTheme {
2    // ...
3    val modifier: Modifier = Modifier
4    val onDataChange: (PaymentCardData) -> Unit = {} // Handle card data
5    // ...
6    InlinePaymentCard(modifier = modifier, onDataChange = onDataChange)
7}

Custom Layout

If these two layouts do not fit your application's design, you can create your own layout by passing a @Composable function to the content parameter. The @Composable function will receive a PaymentCardInputScope (together with the PaymentCard Modifier) object, which contains the CardImage, CardNumberField, ExpiryField and CVCField fields. You can use these fields to create your own layout:

1UserParentLayout {
2    val onDataChange: (PaymentCardData) -> Unit = {} // Handle card data
3    // ...
4    PaymentCard(onDataChange = onDataChange) { modifier ->
5        Column(
6            modifier = modifier
7                .border(BorderStroke(1.dp, Color.LightGray), RoundedCornerShape(8.dp))
8                .padding(16.dp),
9            horizontalAlignment = Alignment.CenterHorizontally,
10            verticalArrangement = Arrangement.spacedBy(8.dp),
11        ) {
12            CardImage()
13
14            CardNumberField(
15                modifier = Modifier.fillMaxWidth(),
16                label = {
17                    Text(
18                        text = LabelTextsDefaults.CreditCardText,
19                        color = Color.Blue
20                    )
21                },
22                placeholder = {
23                    Text(
24                        text = PlaceholderTextsDefaults.CreditCardText,
25                        color = Color(0x75757575),
26                        fontSize = 12.sp
27                    )
28                },
29                textStyle = MaterialTheme.typography.titleLarge,
30                textFieldColors = customTextFieldColors()
31            )
32
33            ExpiryField(
34                modifier = Modifier.fillMaxWidth(),
35                label = {
36                    Text(
37                        text = LabelTextsDefaults.ExpirationDateText,
38                        color = Color.Blue
39                    )
40                },
41                placeholder = {
42                    Text(
43                        text = PlaceholderTextsDefaults.ExpirationDateText,
44                        color = Color(0x9E9E9E9E),
45                        fontSize = 10.sp
46                    )
47                },
48                textStyle = MaterialTheme.typography.titleMedium,
49                textFieldColors = customTextFieldColors()
50            )
51
52            CVCField(
53                modifier = Modifier.fillMaxWidth(),
54                label = {
55                    Text(
56                        text = LabelTextsDefaults.CvcText,
57                        color = Color.Blue
58                    )
59                },
60                placeholder = {
61                    Text(
62                        text = PlaceholderTextsDefaults.CvcText,
63                        color = Color(0xBDBDBDBD),
64                        fontSize = 8.sp
65                    )
66                },
67                textStyle = MaterialTheme.typography.bodyMedium,
68                textFieldColors = customTextFieldColors()
69            )
70        }
71    }
72}
73
74@Composable
75private fun customTextFieldColors(): TextFieldColors = TextFieldDefaults.colors(
76    focusedIndicatorColor = Color.Transparent,
77    unfocusedIndicatorColor = Color.Transparent,
78    disabledIndicatorColor = Color.Transparent,
79    focusedContainerColor = Color.Transparent,
80    unfocusedContainerColor = Color.Transparent,
81    disabledContainerColor = Color.Transparent,
82)

Optional Rendering

Fields can be optionally displayed by passing in a list of CardFields. For example if you with to only render the Card Number field use the following code.

1import com.evervault.sdk.input.model.CardFields
2
3UserCustomTheme {
4    // ...
5    val modifier: Modifier = Modifier
6    val onDataChange: (PaymentCardData) -> Unit = {} //
7    PaymentCardView { onDataChange ->
8        PaymentCard(onDataChange = onDataChange, enabledFields = listOf(CardFields.CARD_NUMBER)) { modifier ->
9            Column(
10                modifier = modifier
11                    .border(BorderStroke(1.dp, Color.LightGray), RoundedCornerShape(8.dp))
12                    .padding(16.dp),
13                horizontalAlignment = Alignment.CenterHorizontally,
14                verticalArrangement = Arrangement.spacedBy(8.dp),
15            ) {
16                CardImage()
17
18                CardNumberField(
19                    modifier = Modifier.fillMaxWidth(),
20                    label = null,
21                    placeholder = {
22                        Text(
23                            text = PlaceholderTextsDefaults.CreditCardText,
24                            color = Color(0x75757575),
25                            fontSize = 12.sp
26                        )
27                    },
28                    textStyle = MaterialTheme.typography.titleLarge,
29                    textFieldColors = customTextFieldColors()
30                )
31            }
32        }
33    }
34}

Enclaves

The Evervault Enclaves SDK provides an accessible solution for developers to deploy Docker containers within a Secure Enclave. It enables you to interact with your Enclaves endpoints via standard HTTPS requests directly from your Android applications. A key feature that enables this is the attestation verification performed before completing the TLS handshake. For a deeper understanding of this process, you can explore our TLS Attestation documentation.

The attestation verification is executed using a custom Trust Manager on a OkHttpClient.Builder. This Trust Manager needs initialization with an AttestationData object:

1data class AttestationData(
2    val enclaveName: String,
3    val pcrs: List<PCRs>
4) {
5    constructor(enclaveName: String, vararg pcrs: PCRs)
6}
7
8data class PCRs(
9    val pcr0: String? = null,
10    val pcr1: String? = null,
11    val pcr2: String? = null,
12    val pcr8: String? = null
13)

It is crucial to ensure that the supplied PCRs align with the PCRs of the respective Enclave.

Then you configure the HTTP Client with the attestations:

1val client = OkHttpClient.Builder()
2    .trustManager(AttestationData(
3        enclaveName = enclaveName,
4        // Replace with legitimate PCR strings when not in debug mode
5        PCRs(
6            pcr0 = "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
7            pcr1 = "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
8            pcr2 = "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
9            pcr8 = "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
10        )
11    ))
12    .build()

Only use this client for requests to your Enclave. For all other requests, use a separate client.

Enclave PCR Manager

If the PCRs of your Enclave change, the attestation connection will fail from all clients that are not updated with the new PCRs. The EnclaveTrustManager is a service that can optionally be used to cache a list of PCRs that are returned from an API under your control. The EnclaveTrustManager can be used by passing a PcrCallback and the enclaveName as a parameter to AttestationData that is used to build the OkHttpClient. The EnclaveTrustManager will cache the response PCRs from the PcrCallback and refresh them at a default interval of 5 minutes. This refresh can be configured by passing the callbackInterval parameter.

This example below show how to call an endpoint that returns a list of PCRs as the callback function.

1val pcrRequest = Request.Builder()
2    .url(BuildConfig.PCR_CALLBACK_URL)
3    .build()
4
5val pcrCallback: PcrCallback = {
6    val pcrResponse = pcrClient.newCall(pcrRequest).execute()
7    val type = object : TypeToken<List<PCRs>>() {}.type
8    val responseMap: List<PCRs> = Gson().fromJson(pcrResponse.body!!.string(), type)
9    responseMap
10}
11
12val client = OkHttpClient.Builder()
13    .enclavesTrustManager(
14        AttestationData(
15            enclaveName = enclaveName,
16            pcrCallback
17        ),
18        appUuid
19    )
20    .build()

The endpoint returning the PCRs must return the PCRs in the format

1[
2  {
3    "pcr0": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
4    "pcr1": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
5    "pcr2": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
6    "pcr8": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
7  }
8]

Using the Evervault API as a PCR Provider

The Evervault API exposes an endpoint to retrieve the PCRs for all active versions of your Enclave which you can use to keep your clients in sync with your Enclave across deployments.

1// Data type to deserialize the Evervault API's response
2data class PCRContainer(
3    val data: List<PCRs>
4)
5
6fun invokeEnclaveWithEvervaultPCRProvider(enclaveName: String, appId: String, url: String) {
7  val pcrClient = OkHttpClient.Builder().build()
8  val pcrRequest = Request.Builder()
9      .url("https://api.evervault.com/enclaves/$enclaveName/attestation")
10      .header("x-evervault-app-id", appId)
11      .build()
12
13  try {
14    val pcrCallback: PcrCallback = {
15      val pcrResponse = pcrClient.newCall(pcrRequest).execute()
16      val type = object : TypeToken<PCRContainer>() {}.type
17      val responseMap: PCRContainer = Gson().fromJson(pcrResponse.body!!.string(), type)
18      responseMap.data
19    }
20
21    val jsonPayload = JSONObject()
22    jsonPayload.put("a", 1)
23    jsonPayload.put("b", 2)
24
25    val request = Request.Builder()
26      .url(url)
27      .header("content-type", "application/json")
28      .post(requestBody)
29      .build()
30
31    val enclaveClient = OkHttpClient.Builder()
32      .enclavesTrustManager(
33          AttestationData(
34              enclaveName = enclaveName,
35              pcrCallback
36          ),
37          appUuid
38      )
39      .build()
40
41    val response = client.newCall(request).execute()
42  } catch (e: Exception) {
43      when(e) {
44          is IOException, is PCRCallbackError -> {
45              e.printStackTrace()
46              return "Error: ${e.message}"
47          }
48          else -> throw e
49      }
50  }
51}

Considerations

It's crucial to note that the PCR values associated with a Enclave change with each new deployment. Consequently, older versions of your app with hardcoded PCRs may stop functioning. To alleviate this, you can accommodate previous deployments by providing multiple PCRs objects or use the EnclaveTrustManager:

1AttestationData(
2    enclaveName = enclaveName,
3    listOf(
4        PCRs(
5            pcr0 = "fd4b",
6            pcr1 = "bc3f",
7            pcr2 = "2c10",
8            pcr8 = "dfb3"
9        ),
10        PCRs(
11            pcr0 = "c779",
12            pcr1 = "bc3f",
13            pcr2 = "4cbf",
14            pcr8 = "dfb3"
15        )
16    )
17)

Using the EnclaveTrustManager by passing a PcrCallback to the AttestationData allows you do update your PCRs remotely via an endpoint you control. When a Enclave is deployed and the PCRs change the list of PCRs returned from the endpoint should expand to hold the new PCRs e.g

1[
2  {
3    "pcr0": "fd4b", // Old PCRs
4    "pcr1": "bc3f",
5    "pcr2": "2c10",
6    "pcr8": "dfb3"
7  },
8  {
9    "pcr0": "c779", // New PCRs
10    "pcr1": "bc3f",
11    "pcr2": "4cbf",
12    "pcr8": "dfb3"
13  }
14]

The EnclaveTrustManager will cache the new PCRs and old PCRs. Over time you can then remove the old PCRs from your endpoints response leaving just the new PCRs.

1[
2  {
3    "pcr0": "c779", // New PCRs
4    "pcr1": "bc3f",
5    "pcr2": "4cbf",
6    "pcr8": "dfb3"
7  }
8]

This allows for the updating of a Enclave without having to re-publish your client with new PCRs.

Please be aware that the Android SDK is compatible only with Enclaves that have the API Key Authentication set to false in your enclave.toml file:

1api_key_auth = false

Only use the OkHttpClient configured with the AttestationData for requests to your Enclave. For all other requests, use a separate client. If you have multiple Enclaves, you will need to configure a separate OkHttpClient for each Enclave.
When calling an endpoint of your Enclave, use make sure you do not have any underscore _ in the request url. Replace any underscore, such as the one in your App ID, with hyphens -.

These considerations are essential to remember for a seamless integration and operation of the Evervault Enclaves SDK in your Android applications.

Google Pay

The Evervault SDK provides a Google Pay component that allows your customers to make payments in your app using credit and debit cards saved to their Google Account. Read the Google Pay guide for more information.

Proguard Rules

If you are using code shrinking with ProGuard you will need to specify exclusion rules for evervault-core dependencies. To do this add the following lines to your proguard-rules.pro

1## Keep the BouncyCastle provider classes
2-keep class org.bouncycastle.jce.provider.** { *; }
3
4## Keep all classes from the org.bouncycastle package
5-keep class org.bouncycastle.** { *; }
6
7## Keep all classes that implement javax.crypto interfaces
8-keep class * extends javax.crypto.** { *; }

Sample App

The Evervault Android SDK Package includes a sample app, located in the sampleapplication directory. The sample app demonstrates various use cases of the SDK, including string encryption, file (image) encryption, the usage of the PaymentCard view with customized styling and how to contruct an attested Enclave client.