@onfido/react-native-sdk
The Onfido Smart Capture SDKs provide a set of screens and functionalities that enable applications to implement user identity verification flows. Each SDK contains:
All Onfido Smart Capture SDKs are orchestrated using Onfido Studio workflows, with only minor customization differences between the available platforms.
Two environments exist to support the Onfido SDK integrations:
The environment being used is determined by the API token that is used to generate the necessary SDK token.
Once you are satisfied with your integration and are ready to go live, please contact Customer Support to obtain a live API token. You will have to replace the sandbox token in your code with the live token.
Before going live, check that you have entered correct billing details in your Onfido Dashboard.
The React Native SDK supports:
This SDK supports React Native version 0.72.
If you are starting from scratch, you can follow the React Native CLI Quickstart. Once you have installed the React Native tools, you can run:
$ npx react-native init YourProjectName
You cannot use this SDK with Expo. If your project already uses Expo, you will need to follow the eject process, documented here.
Note: You will need to download and install Android Studio, configured as specified in the react-native guide for Android to run on an Android emulator.
Navigate to the root directory of your React Native project. The rest of this section will assume you are in the root directory. Run the following command:
$ npm install @onfido/react-native-sdk --save
Update your build.gradle files to reference the Android SDK, and enable multi-dex. If you built your project using react-native init, with a build.gradle in the android/ and android/app/ directories, you can run this script to do it:
$ npm --prefix node_modules/@onfido/react-native-sdk/ run updateBuildGradle
If you want to manually update your build files, you can follow the steps the script takes:
Add the Maven Central repository to android/build.gradle:
allprojects {
    repositories {
        mavenCentral()
    }
}
Enable multi-dex in android/app/build.gradle:
android {
    defaultConfig {
        multiDexEnabled true
    }
}
Note: You can skip this step if you don't have any custom application class.
Since version 9.0.0, the Onfido React Native SDK runs in a separate process (Android only). This means that when the Onfido SDK starts, a new application instance is created. To prevent re-executing the initializations in your Android application class, use the isOnfidoProcess extension function and return early from onCreate, as shown below.
This prevents initialization-related crashes such as: FirebaseApp is not initialized in this process
import android.app.ActivityManager
import android.os.Process
import androidx.multidex.MultiDexApplication

class YourCustomApplication : MultiDexApplication() {
    override fun onCreate() {
        super.onCreate()
        // The Onfido SDK runs in its own ":onfido_process"; skip app-level initialization there.
        if (isOnfidoProcess()) {
            return
        }
        // Your custom initialization calls ...
    }

    // True when this Application instance was created for the Onfido SDK process.
    private fun isOnfidoProcess(): Boolean {
        val pid = Process.myPid()
        val manager = this.getSystemService(ACTIVITY_SERVICE) as ActivityManager
        return manager.runningAppProcesses.any {
            it.pid == pid && it.processName.endsWith(":onfido_process")
        }
    }
}
Change ios/Podfile to use iOS version 12:
platform :ios, '12.0'
Add descriptions for camera and microphone permissions to ios/YourProjectName/Info.plist:
<plist version="1.0">
<dict>
    <!-- Add these four elements: -->
    <key>NSCameraUsageDescription</key>
    <string>Required for document and facial capture</string>
    <key>NSMicrophoneUsageDescription</key>
    <string>Required for video capture</string>
    <!-- ... -->
</dict>
</plist>
Open Xcode and create an empty Swift file in your project root. For example, if your project is called YourProjectName, you can open it from the command line:
open ios/YourProjectName.xcodeproj
Once Xcode is open, add an empty Swift file: File > New File > Swift > Next > "SwiftVersion" > Create > Don't create Header. This will update your iOS configuration with a Swift version. All changes are automatically saved, so you can close Xcode.
Install the pods:
cd ios
pod install
cd ..
Recent passports, national identity cards and residence permits contain a chip that can be accessed using Near Field Communication (NFC). The Onfido SDKs provide a set of screens and functionalities to extract this information, verify its authenticity and provide the resulting verification as part of a Document report.
From version 10.0.0 onwards, NFC is enabled by default in the Onfido React Native SDK for Android and iOS and offered to customers when both the document and the device support NFC.
For more information on how to configure NFC and the list of supported documents, please refer to the NFC for Document Report guide.
For iOS, the NFC feature requires the Near Field Communication Tag Reading capability in your app target. If you haven't added it before, please follow the steps in Apple's documentation.
You're required to have the following key in your application's Info.plist file:
<key>NFCReaderUsageDescription</key>
<string>Required to read ePassports</string>
You have to include the entries below in your app target's Info.plist file to be able to read NFC tags properly:
<key>com.apple.developer.nfc.readersession.felica.systemcodes</key>
<array>
    <string>12FC</string>
</array>
<key>com.apple.developer.nfc.readersession.iso7816.select-identifiers</key>
<array>
    <string>A0000002471001</string>
    <string>A0000002472001</string>
    <string>00000000000000</string>
    <string>D2760000850101</string>
</array>
NFC is enabled by default. To disable NFC, include the nfcOption parameter with OnfidoNFCOptions.DISABLED while configuring the Onfido.start function:
config = {
    sdkToken: "<YOUR_SDK_TOKEN>",
    workflowRunId: "<YOUR_WORKFLOW_RUN_ID>",
    nfcOption: OnfidoNFCOptions.DISABLED
}
For Android, a range of NFC library dependencies are included in the build automatically. In addition to configuring the nfcOption parameter, you must also exclude these NFC libraries from the build process.
Exclude the dependencies required for NFC from your build:
dependencies {
    implementation 'com.onfido.sdk.capture:onfido-capture-sdk:x.y.z' {
        exclude group: 'net.sf.scuba', module: 'scuba-sc-android'
        exclude group: 'org.jmrtd', module: 'jmrtd'
        exclude group: 'com.madgag.spongycastle', module: 'prov'
    }
}
If your application already uses the same libraries that the Onfido SDK needs for the NFC feature, you may encounter dependency conflicts that interfere with NFC capture in the SDK. In such cases, use the dependency resolution strategy below by adding the following lines to your build.gradle file:
implementation ("com.onfido.sdk:onfido-<variant>:19.1.0") {
    exclude group: "org.bouncycastle"
}
implementation ("the other library that conflicts with Onfido on BouncyCastle") {
    exclude group: "org.bouncycastle"
}
implementation "org.bouncycastle:bcprov-jdk15to18:1.69"
implementation "org.bouncycastle:bcutil-jdk15to18:1.69"
To configure NFC, include the nfcOption parameter with one of the three options below while configuring the Onfido.start function:
The React Native SDK has multiple initialization and customization options that provide flexibility to your integration, while remaining easy to integrate.
Onfido Studio is the platform used to create highly reusable identity verification workflows for use with the Onfido SDKs. For an introduction to working with workflows, please refer to our Getting Started guide, or the Onfido Studio product guide.
SDK sessions are orchestrated by a session-specific workflow_run_id, itself derived from a workflow_id, the unique identifier of a given workflow.
For details on how to generate a workflow_run_id, please refer to the POST /workflow_runs/ endpoint definition in the Onfido API reference.
Note that in the context of the SDK, the workflow_run_id property is referred to as workflowRunId.
When defining workflows and creating identity verifications, we highly recommend saving the applicant_id against a specific user for potential reuse. This helps to keep track of users should you wish to run multiple identity verifications on the same individual, or in scenarios where a user returns to and resumes a verification flow.
The SDK is authenticated using SDK tokens. Onfido Studio generates and exposes SDK tokens in the workflow run payload returned by the API when a workflow run is created.
SDK tokens for Studio can only be used together with the specific workflow run they are generated for, and remain valid for a period of five weeks.
Note: You must never use API tokens in the frontend of your application as malicious users could discover them in your source code. You should only use them on your server.
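The split the note above describes, with the API token confined to your server and only the workflow run id and SDK token reaching the app, as an added example that is not Onfido's code. The request path follows the page's "POST /workflow_runs/" reference; the base URL and API version, the `Token token=` authorization scheme, the `sdk_token` field name in the workflow run payload, and the `ONFIDO_API_TOKEN` environment variable are assumptions to check against the Onfido API reference.

```javascript
// Added example, not from the Onfido SDK. Runs on your server, never in the app.
const ONFIDO_API_BASE = 'https://api.onfido.com/v3.6'; // assumed base URL and version

// Build the workflow-run request. The API token is read from the server
// environment and is only ever placed in this outbound Authorization header.
function buildWorkflowRunRequest(apiToken, applicantId, workflowId) {
  if (!apiToken || !applicantId || !workflowId) {
    throw new Error('apiToken, applicantId and workflowId are all required');
  }
  return {
    url: `${ONFIDO_API_BASE}/workflow_runs`,
    method: 'POST',
    headers: {
      Authorization: `Token token=${apiToken}`, // assumed auth scheme
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({ applicant_id: applicantId, workflow_id: workflowId }),
  };
}

// Reduce the workflow run payload to the two values the app needs for
// Onfido.start. Everything else in the payload stays server-side.
function toClientConfig(workflowRunPayload) {
  const { id, sdk_token: sdkToken } = workflowRunPayload; // sdk_token: assumed field name
  if (typeof id !== 'string' || typeof sdkToken !== 'string') {
    throw new Error('workflow run payload lacks id or sdk_token');
  }
  return { workflowRunId: id, sdkToken };
}

// Guard against the mistake the README warns about: an API token that ends
// up in the values handed to the client.
function assertNoApiToken(clientConfig, apiToken) {
  for (const value of Object.values(clientConfig)) {
    if (value === apiToken) throw new Error('API token leaked into client config');
  }
  return true;
}

// Mint the per-session config for one applicant. fetchImpl is injectable so
// the function can be exercised without network access.
async function mintSdkToken(applicantId, workflowId, fetchImpl = globalThis.fetch) {
  const apiToken = process.env.ONFIDO_API_TOKEN; // assumed variable name; server-side secret
  const req = buildWorkflowRunRequest(apiToken, applicantId, workflowId);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) throw new Error(`Onfido returned HTTP ${res.status}`);
  const clientConfig = toClientConfig(await res.json());
  assertNoApiToken(clientConfig, apiToken);
  return clientConfig; // { workflowRunId, sdkToken } is all the app receives
}
```

The app then calls Onfido.start with the returned object; the SDK token is scoped to that workflow run and expires after the five-week period noted above, so a new one is minted per session rather than cached.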
To use the SDK, you need to obtain an instance of the client object, using your generated SDK token and workflow run ID.
config = {
    sdkToken: "<YOUR_SDK_TOKEN>",
    workflowRunId: "<YOUR_WORKFLOW_RUN_ID>"
}
You can then launch the app with a call to Onfido.start.
Onfido.start(config);
// listen for the result
An expanded example of a configuration can be found below:
import React, {Component} from 'react';
import {Button, View} from 'react-native';
import {
  Onfido,
  OnfidoCaptureType,
  OnfidoCountryCode,
  OnfidoDocumentType,
} from '@onfido/react-native-sdk';

export default class App extends Component {
  startSDK() {
    Onfido.start({
      sdkToken: "<YOUR_SDK_TOKEN>",
      workflowRunId: "<YOUR_WORKFLOW_RUN_ID>",
    })
      .then(res => console.warn('OnfidoSDK: Success:', JSON.stringify(res)))
      .catch(err => console.warn('OnfidoSDK: Error:', err.code, err.message));
  }

  render() {
    return (
      <View style={{marginTop: 100}}>
        <Button title="Start Onfido SDK" onPress={() => this.startSDK()} />
      </View>
    );
  }
}
For both iOS and Android, the React Native SDK supports the customization of colors, fonts and strings used in the SDK flow.
The customization of colors and other appearance attributes for Android is implemented according to the same methodology as the native Android SDK. You can find detailed documentation here.
For a complete list and visualizations of the customizable attributes, refer to our SDK customization guide.
To customize supported dimensions, you can add an Android resource file called dimens.xml in the following directory of your project: android/app/src/main/res/values.
For example:
<resources>
    <dimen name="onfidoButtonCornerRadius">8dp</dimen>
</resources>
The following dimension is currently supported:
- onfidoButtonCornerRadius: The corner radius of all buttons in the SDK, provided in the dp unit.
For iOS, you can customize colors and other appearance attributes by adding a colors.json file to your Xcode project as a bundle resource. The file should contain a single JSON object with the desired keys and values. For example:
{
    "onfidoPrimaryColor": "#FF0000",
    "backgroundColor": {
        "light": "#FCFCFD",
        "dark": "#000000"
    },
    "onfidoPrimaryButtonTextColor": "#FFFFFF",
    "onfidoPrimaryButtonColorPressed": "#FFA500",
    "interfaceStyle": <"unspecified" | "light" | "dark">,
    "secondaryTitleColor": "#FF0000",
    "secondaryBackgroundPressedColor": "#FF0000",
    "buttonCornerRadius": 20,
    "fontFamilyTitle": "FONT_NAME_FOR_TITLES",
    "fontFamilyBody": "FONT_NAME_FOR_CONTENT"
}
For a complete list and visualizations of the customizable attributes, refer to our SDK customization guide.
The React Native SDK supports the dark theme. By default, the user's active device theme will be automatically applied to the Onfido SDK. However, you can opt out from dynamic theme switching at run time and instead set a theme statically at the build time as shown below. In this case, the flow will always be displayed in the selected theme regardless of the user's device theme.
Dark theme customization for Android is implemented according to the same methodology as the native Android SDK. You can find detailed documentation here.
Dark theme customization for iOS is implemented according to the same methodology as the native iOS SDK. You can find detailed documentation here.
The React Native SDK supports and maintains translations for over 40 languages, available for use with both Android and iOS.
The SDK will detect and use the end user's device language setting. If the device's language is not supported by Onfido, the SDK will default to English (en_US).
For a complete list of the languages Onfido supports, refer to our SDK customization guide.
You can also provide a custom translation for a specific language or locale that Onfido does not currently support, by having an additional XML strings file inside your resources folder for the desired locale. See our Android localization documentation for more details.
For iOS, you can also provide a custom translation for a specific language or locale that Onfido does not currently support. To configure this on the React Native SDK:
localisation: {
    ios_strings_file_name: '<Your .strings file name in iOS app bundle>',
},
Then cd ios, and open your Xcode workspace.
Onfido provides the possibility to integrate with our Smart Capture SDK without the requirement of using this data only through the Onfido API. Media callbacks enable you to control the end user data collected by the SDK after the end user has submitted their captured media. As a result, you can leverage Onfido’s advanced on-device technology, including image quality validations, while still being able to handle end users’ data directly. This unlocks additional use cases, including compliance requirements and multi-vendor configurations, that require this additional flexibility.
This feature must be enabled for your account. Please contact your Onfido Solution Engineer or Customer Success Manager.
To use this feature, call Onfido.addCustomMediaCallback and provide the callback.
Onfido.addCustomMediaCallback(
    mediaResult => {
        if (mediaResult.captureType === 'DOCUMENT') {
            // Callback code here
        } else if (mediaResult.captureType === 'FACE') {
            // Callback code here
        } else if (mediaResult.captureType === 'VIDEO') {
            // Callback code here
        }
    }
);
The callbacks return an object including the information that the SDK normally sends directly to Onfido. The callbacks are invoked when the end user confirms submission of their image through the SDK’s user interface.
Note: Currently, end user data will still automatically be sent to the Onfido backend, but you are not required to use Onfido to process this data.
The callback returns one of 3 possible objects. Please note that captureType refers to the type of the media capture in each case. These can be DOCUMENT, FACE or VIDEO.
For documents (when captureType is DOCUMENT), the callback returns:
{
    captureType: String
    side: String
    type: String
    issuingCountry: String?
    fileData: String
    fileName: String
    fileType: String
}
Notes:
- issuingCountry is optional based on end-user selection, and can be null.
- fileData is a String representation of the byte array data corresponding to the captured photo of the document.
- fileData but no additional data.
For live photos (when captureType is FACE), the callback returns:
{
    captureType: String
    fileData: String
    fileName: String
    fileType: String
}
Note: fileData is a String representation of the byte array data corresponding to the captured live photo.
For videos (when captureType is VIDEO), the callback returns:
{
    captureType: String
    fileData: String
    fileName: String
    fileType: String
}
Note: fileData is a String representation of the byte array data corresponding to the captured video.
Please note that, for your convenience, Onfido provides the byteArrayStringToBase64 helper function to convert the fileData from String to Base64 format. Here is an example of how to use it:
let byteArrayString = mediaResult.fileData;
let base64FileData = Onfido.byteArrayStringToBase64(byteArrayString);
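A handler for the media callback described above, as an added example rather than Onfido's code. It checks that the object matches one of the three documented shapes, builds an audit record that deliberately leaves out fileData (the callback hands you raw identity documents and faces, which do not belong in application logs), and passes the full result to a caller-supplied sink. The field names and captureType values come from the README; the `sink` and `log` functions, and the registration call shown in the usage note, are assumptions about how you wire it into your app.

```javascript
// Added example, not from the Onfido SDK. Pure JavaScript so it runs offline.

// Fields the README documents for each captureType (captureType itself is
// implied by the key). issuingCountry is optional and handled separately.
const REQUIRED_FIELDS = {
  DOCUMENT: ['side', 'type', 'fileData', 'fileName', 'fileType'],
  FACE: ['fileData', 'fileName', 'fileType'],
  VIDEO: ['fileData', 'fileName', 'fileType'],
};

// Returns a list of problems; an empty list means the documented shape.
function validateMediaResult(mediaResult) {
  if (!mediaResult || typeof mediaResult !== 'object') return ['result is not an object'];
  const required = REQUIRED_FIELDS[mediaResult.captureType];
  if (!required) return [`unknown captureType: ${String(mediaResult.captureType)}`];
  const problems = [];
  for (const field of required) {
    if (typeof mediaResult[field] !== 'string') problems.push(`missing or non-string field: ${field}`);
  }
  if (mediaResult.captureType === 'DOCUMENT'
      && mediaResult.issuingCountry != null
      && typeof mediaResult.issuingCountry !== 'string') {
    problems.push('issuingCountry must be a string or null');
  }
  return problems;
}

// Metadata that is safe to log: capture type, file name/type, document side
// and country, and the size of the payload. Never the payload itself.
function auditRecord(mediaResult, receivedAt = new Date().toISOString()) {
  const record = {
    receivedAt,
    captureType: mediaResult.captureType,
    fileName: mediaResult.fileName,
    fileType: mediaResult.fileType,
    fileDataLength: mediaResult.fileData.length,
  };
  if (mediaResult.captureType === 'DOCUMENT') {
    record.side = mediaResult.side;
    record.type = mediaResult.type;
    record.issuingCountry = mediaResult.issuingCountry == null ? null : mediaResult.issuingCountry;
  }
  return record;
}

// Build the function to register with Onfido.addCustomMediaCallback.
// sink(mediaResult) receives the full object for your own storage or vendor;
// log(record) receives only the redacted audit record. Both are assumptions.
function makeMediaCallback(sink, log) {
  return (mediaResult) => {
    const problems = validateMediaResult(mediaResult);
    if (problems.length > 0) {
      log({ rejected: true, problems });
      return { accepted: false, problems };
    }
    const record = auditRecord(mediaResult);
    log(record);
    sink(mediaResult);
    return { accepted: true, record };
  };
}
```

In the app this would be registered as `Onfido.addCustomMediaCallback(makeMediaCallback(storeMedia, writeAuditLog))`, with the Base64 conversion via Onfido.byteArrayStringToBase64 done inside your sink at the point where the bytes are actually needed.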
While the SDK is responsible for capturing and uploading the user's media and data, identity verification reports themselves are generated based on workflows created using Onfido Studio.
For a step-by-step walkthrough of creating an identity verification using Onfido Studio and our SDKs, please refer to our Quick Start Guide.
If your application initializes the Onfido React Native SDK using the options defined in the Advanced customization section of this document, you may create checks and retrieve report results manually using the Onfido API. You may also configure webhooks to be notified asynchronously when the report results have been generated.
This section on 'Advanced customization' refers to the process of initializing the Onfido React Native SDK without the use of Onfido Studio. This process requires a manual definition of the verification steps and their configuration.
The flow step parameters described below are mutually exclusive with workflowRunId, requiring an alternative method of instantiating the client and starting the flow.
Note that this initialization process is not recommended as the majority of new features are exclusively released for Studio workflows.
The SDK is authenticated using SDK tokens. Each SDK token must be specific to a given applicant and session, and a new token must be generated each time you initialize the Onfido React Native SDK.
| Parameter | Notes |
|---|---|
| applicant_id | Required. Specifies the applicant for the SDK instance. |
| application_id | Required. The application ID (for iOS, the "application bundle ID") that was set up during development. For iOS, this is usually in the form com.your-company.app-name, or com.example.yourapp for Android. Make sure to use a valid application_id or you'll receive a 401 error. |
For iOS, application_id is usually in the form of com.your-company.app-name. To find it, open ios/YourProjectName, click on the project root, click the General tab, under Targets click your project name, and check the Bundle Identifier field.
For Android, application_id is usually in the form of com.example.yourapp. To find it, check your build configuration. For example, in android/app/build.gradle, it is the value of applicationId.
It's important to note that manually generated SDK tokens in React Native expire after 90 minutes and cannot be renewed. SDK tokens generated in Onfido Studio when creating workflow runs are not affected by this limit.
For details on how to manually generate SDK tokens, please refer to the POST /sdk_token/ endpoint definition in the Onfido API reference.
Note: You must never use API tokens in the frontend of your application as malicious users could discover them in your source code. You should only use them on your server.
You can launch the app with a call to Onfido.start, manually defining the verification steps and configurations required for your flow:
import React, {Component} from 'react';
import {Button, View} from 'react-native';
import {
  Onfido,
  OnfidoCaptureType,
  OnfidoCountryCode,
  OnfidoDocumentType,
} from '@onfido/react-native-sdk';

export default class App extends Component {
  startSDK() {
    Onfido.start({
      sdkToken: "<YOUR_SDK_TOKEN>",
      flowSteps: {
        welcome: true,
        captureFace: {
          type: OnfidoCaptureType.VIDEO,
        },
        captureDocument: {
          docType: OnfidoDocumentType.DRIVING_LICENCE,
          countryCode: OnfidoCountryCode.GBR
        },
      },
    })
      .then(res => console.warn('OnfidoSDK: Success:', JSON.stringify(res)))
      .catch(err => console.warn('OnfidoSDK: Error:', err.code, err.message));
  }

  render() {
    return (
      <View style={{marginTop: 100}}>
        <Button title="Start Onfido SDK" onPress={() => this.startSDK()} />
      </View>
    );
  }
}
- sdkToken: Required. This is the SDK token obtained by making a call to the SDK token API, as documented above.
- flowSteps: Required. This object is used to toggle on or off the individual screens a user will see during the verification flow, and to set configurations for each screen.
  - welcome: Optional. This toggles the welcome screen on or off. If omitted, this screen does not appear in the flow. Valid values are true or false.
  - proofOfAddress: Optional. This toggles the proof of address screen on or off. If omitted, this screen does not appear in the flow. Valid values are true or false.
  - captureDocument: Optional. This object contains configurations for the document capture screen. If docType and countryCode are not specified, a screen will appear allowing the user to choose the document type and issuing country. If no parameters are specified or the step is omitted, this screen will not appear in the flow.
    - docType: Required if countryCode is specified. Valid values in OnfidoDocumentType: PASSPORT, DRIVING_LICENCE, NATIONAL_IDENTITY_CARD, RESIDENCE_PERMIT, VISA, WORK_PERMIT.
    - countryCode: Required if docType is specified. Valid values in OnfidoCountryCode: any ISO 3166-1 alpha-3 code. For example: OnfidoCountryCode.USA.
    - allowedDocumentTypes: Optional. If specified, docType and countryCode must not be specified. This parameter allows you to specify a list of document types that can be selected for all available issuing countries. Valid values in OnfidoDocumentType: PASSPORT, DRIVING_LICENCE, NATIONAL_IDENTITY_CARD, RESIDENCE_PERMIT, VISA, WORK_PERMIT.
  - captureFace: Optional. This object contains configuration options for the face capture screen. If omitted, this screen does not appear in the flow.
    - type: Required if captureFace is specified. Valid values in OnfidoCaptureType: PHOTO, VIDEO, MOTION.
    - showIntro: Optional. A boolean parameter that toggles on or off the intro screen in the Selfie step, or whether to show a preview of the captured video for user confirmation in the Video step. The default value is true.
    - showConfirmation: Optional. A boolean parameter that toggles on or off the confirmation screen in the Video step (Android only). The default value is true.
    - manualVideoCapture: Optional. A boolean parameter that enables manual video capture (iOS only). The default value is false.
    - recordAudio: Required if the captureFace type is specified as MOTION. Valid values are true or false.
- localisation: Optional. This object contains custom localization configurations. See the Localization section above for more details.
    config = {
        sdkToken: "<YOUR_SDK_TOKEN>",
        localisation: {
            ios_strings_file_name: 'Localizable',
        },
        flowSteps: {
            ...
        },
    }
- theme: Parameter to configure dark theme customization (documented above). Valid values in OnfidoTheme: AUTOMATIC, LIGHT, DARK.
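The constraints listed above (workflowRunId versus flowSteps, docType paired with countryCode, allowedDocumentTypes exclusive with both, recordAudio required for MOTION, the OnfidoTheme values) as a pre-flight check applied to a config before Onfido.start sees it. This is an added example, not Onfido's code: it works on the plain string names of the enum values rather than importing OnfidoDocumentType, OnfidoCountryCode or OnfidoCaptureType, and `startOrReject` takes the start function as a parameter so it can be exercised without the SDK; both are assumptions. Its rejection mirrors the `{ code: "config_error", message: ... }` failure shape shown below.

```javascript
// Added example, not from the Onfido SDK. Plain-string stand-ins for the enums.
const DOCUMENT_TYPES = ['PASSPORT', 'DRIVING_LICENCE', 'NATIONAL_IDENTITY_CARD', 'RESIDENCE_PERMIT', 'VISA', 'WORK_PERMIT'];
const CAPTURE_TYPES = ['PHOTO', 'VIDEO', 'MOTION'];
const THEMES = ['AUTOMATIC', 'LIGHT', 'DARK'];

// Returns every rule violation found; an empty list means the config is consistent.
function validateStartConfig(config) {
  if (!config || typeof config !== 'object') return ['config must be an object'];
  const errors = [];
  if (typeof config.sdkToken !== 'string' || config.sdkToken.length === 0) {
    errors.push('sdkToken is missing');
  }
  // Studio workflow runs and manual flow steps are mutually exclusive.
  const hasWorkflow = typeof config.workflowRunId === 'string';
  const hasFlowSteps = config.flowSteps !== undefined;
  if (hasWorkflow && hasFlowSteps) errors.push('workflowRunId and flowSteps are mutually exclusive');
  if (!hasWorkflow && !hasFlowSteps) errors.push('either workflowRunId or flowSteps is required');

  if (hasFlowSteps && config.flowSteps && typeof config.flowSteps === 'object') {
    const { captureDocument, captureFace } = config.flowSteps;
    if (captureDocument) {
      const { docType, countryCode, allowedDocumentTypes } = captureDocument;
      // docType and countryCode are each required when the other is given.
      if ((docType === undefined) !== (countryCode === undefined)) {
        errors.push('docType and countryCode must be specified together');
      }
      if (docType !== undefined && !DOCUMENT_TYPES.includes(docType)) errors.push(`unknown docType: ${docType}`);
      if (countryCode !== undefined && !/^[A-Z]{3}$/.test(countryCode)) {
        errors.push('countryCode must be an ISO 3166-1 alpha-3 code');
      }
      if (allowedDocumentTypes !== undefined) {
        if (docType !== undefined || countryCode !== undefined) {
          errors.push('allowedDocumentTypes cannot be combined with docType/countryCode');
        }
        if (!Array.isArray(allowedDocumentTypes)) {
          errors.push('allowedDocumentTypes must be an array');
        } else {
          for (const t of allowedDocumentTypes) {
            if (!DOCUMENT_TYPES.includes(t)) errors.push(`unknown document type in allowedDocumentTypes: ${t}`);
          }
        }
      }
    }
    if (captureFace) {
      if (!CAPTURE_TYPES.includes(captureFace.type)) {
        errors.push('captureFace.type is required and must be PHOTO, VIDEO or MOTION');
      }
      if (captureFace.type === 'MOTION' && typeof captureFace.recordAudio !== 'boolean') {
        errors.push('recordAudio is required when captureFace.type is MOTION');
      }
    }
  }
  if (config.theme !== undefined && !THEMES.includes(config.theme)) errors.push(`unknown theme: ${config.theme}`);
  return errors;
}

// Reject locally, in the same shape the SDK uses for config errors, instead of
// handing a contradictory config to Onfido.start (passed in as `start`).
function startOrReject(config, start) {
  const errors = validateStartConfig(config);
  if (errors.length > 0) {
    return Promise.reject({ code: 'config_error', message: errors.join('; ') });
  }
  return start(config);
}
```

In the app, `startOrReject(config, Onfido.start)` replaces the bare `Onfido.start(config)` call; the `.then`/`.catch` handling stays as in the example above.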
If the start function is successful, the JSON response will include a face section if captureFace was specified, a document section if captureDocument was specified, or both sections if both were requested in the config.
For example:
{
    document: {
        front: { id: "123-abc" },
        back: { id: "345-def" },
        nfcMediaId: { id: "789-def" }
    },
    face: {
        id: "456-567",
        variant: "VIDEO" // PHOTO or VIDEO
    },
}
The SDK will reject the promise any time the Onfido SDK exits without a success. This includes cases where:
A JSON failure response will include an error code and an error message.
For example:
{
    code: "config_error",
    message: "sdkToken is missing"
}
When the Onfido SDK session concludes, a range of callback functions may be triggered.
For documentation regarding handling callbacks, please refer to our native iOS and Android documentation.
Resolving dependency conflicts
Here are some helpful resources if you are experiencing dependency conflicts between this React Native SDK and other packages your app uses:
General advice
If you see issues, you can try removing node_modules, build directories, and cache files. A good tool to help with this is react-native-clean-project.
Below is a list of known differences in expected behavior between the Onfido Android and iOS SDKs this React Native SDK wraps:
- A passport uploaded through the iOS SDK will have the side attribute set to null, while those uploaded via Android will have side as front.
Should you encounter any technical issues during integration, please contact Onfido's Customer Support team via email, including the word ISSUE: at the start of the subject line.
Alternatively, you can search the support documentation available via the customer experience portal, public.support.onfido.com.
We recommend you update your SDK to the latest version release as frequently as possible. Customers on newer versions of the Onfido SDK consistently see better performance across user onboarding and fraud mitigation, so we strongly advise keeping your SDK integration up-to-date.
You can review our full SDK versioning policy here.
The Onfido React Native SDK is available under the MIT license.
Copyright 2024 Onfido, Ltd. All rights reserved.
FAQs
Onfido React Native SDK
We found that @onfido/react-native-sdk demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.