Video Injection Prevention
To protect against video injection attacks and deepfakes, the video injection prevention feature has to be implemented. Any liveness detection may be vulnerable without video injection attack prevention. The feature requires changes on both the client and the server side, as well as a change to the format of the transferred data.
Compatibility
In order to use the video injection prevention and detection, the following requirements must be met:
- Digital Identity Service v1.25.0 or higher
- Web components v5.1.0 or higher
- Android components v6.4.0 or higher
- iOS components v6.4.0 or higher
Web components
In web components v5.0.0, the structure of the `onPhotoTaken` callback was changed. Previously, the `onPhotoTaken` function returned just images in `png` or `jpeg` format and some additional information about the component capture process. After obtaining the images from the `onPhotoTaken` callback, the user application sent just these images to the appropriate DIS endpoint for further processing as the `application/json` content type.
Now, the `onPhotoTaken` function returns one image (except smile liveness) and a new data `record`. The record represents a signed version of the image with some additional information in byte array format. See the callback definition in the Web Face Auto Capture Component; it is similar in other web components.
In order to use video injection prevention, the user application has to send the obtained `record` to the appropriate DIS endpoint as the `octet-stream` content type. For more information about DIS endpoints, please see Digital Identity Service below.
Using images from the `onPhotoTaken` callback is still supported, but video injection prevention will not be evaluated in that case.
Considerations on Platform and Browser
If you need really high security and the project allows it, you should prevent your web app from running on desktops or laptops, as these platforms offer many more tools to disassemble and attack your application.
Also, you can increase security by preventing the use of the Firefox browser, as it guarantees the highest level of privacy for fraudsters.
Mobile components
In mobile components v6.4.0, we changed the mobile components to support video injection prevention. Previously, the result type for each mobile component contained one or more images which could be sent to the appropriate DIS endpoint for further processing as the `application/json` content type.
Now, the result type for each mobile component contains one image property and one `content` property. The image property can be used to present the mobile component result to the user of the mobile app. The `content` property is an encrypted byte array which contains the mobile component result and the data required for the video injection evaluation. See the Android FaceAutoCaptureResult or iOS FaceAutoCaptureResult; each mobile library has a similar result type.
In order to use video injection prevention, the mobile app has to send the obtained `content` to the appropriate DIS endpoint as the `octet-stream` content type. For more information about DIS endpoints, please see Digital Identity Service below.
Digital Identity Service
In Digital Identity Service v1.25.0 and higher, there are new API calls to submit the data in the proprietary `record` format. Both face liveness and document images can be submitted this way. This is supported only with the Customer Onboarding API.
To submit face photos from a liveness component (active or passive), the endpoint `customers/liveness/records` must be used and the `octet-stream` content type must be set for the API request. In order to submit a selfie photo, use the selfie link returned by this call in the `customers/selfie` endpoint (alternatively, you can also submit the selfie itself as the `octet-stream` type).
Generally, every endpoint that accepts images as the `application/json` content type can be used with the `application/octet-stream` (binary) content type as well.
A document page photo can be submitted in this new format with the `customers/document/pages` API endpoint, where the `octet-stream` content type has to be used.
To get the information about video injection detection, use the API endpoint `customers/inspect`. Retrieve the object `SecurityInspection/VideoInjectionInspection`. There, the value `evaluated` indicates whether the data were uploaded as binary content or as JPEG. In the case of binary content, the value `detected` indicates whether an injection was detected.
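A server-side gate over the `customers/inspect` result, as an added example that is not part of the original page or of the DIS product. It fails closed when `evaluated` is false, because a client that uploads plain images as `application/json` skips the injection evaluation entirely. The camelCase JSON key names, the function name and the reason strings are assumptions.

```javascript
// Added example. Assumption: the customers/inspect response is parsed JSON whose
// keys mirror SecurityInspection/VideoInjectionInspection in camelCase.
function videoInjectionDecision(inspectResponse) {
  const vii = inspectResponse?.securityInspection?.videoInjectionInspection;
  if (vii === undefined || vii === null || typeof vii !== 'object') {
    // No inspection object at all: treat as untrusted, never as "clean".
    return { allow: false, reason: 'inspection_missing' };
  }
  if (typeof vii.evaluated !== 'boolean') {
    return { allow: false, reason: 'inspection_malformed' };
  }
  if (!vii.evaluated) {
    // Data arrived as JPEG/JSON instead of the binary record, so the
    // injection check did not run. Accepting this would allow a downgrade.
    return { allow: false, reason: 'not_evaluated' };
  }
  if (typeof vii.detected !== 'boolean') {
    return { allow: false, reason: 'inspection_malformed' };
  }
  if (vii.detected) {
    return { allow: false, reason: 'injection_detected' };
  }
  return { allow: true, reason: 'ok' };
}

// Constructed sample responses (not captured from a real service).
const SAMPLES = {
  binaryClean: { securityInspection: { videoInjectionInspection: { evaluated: true, detected: false } } },
  binaryInjected: { securityInspection: { videoInjectionInspection: { evaluated: true, detected: true } } },
  jpegUpload: { securityInspection: { videoInjectionInspection: { evaluated: false, detected: false } } },
  noInspection: { securityInspection: {} },
  wrongTypes: { securityInspection: { videoInjectionInspection: { evaluated: 'true' } } },
};

// Returns a map of sample name -> reason, for logging or review.
function decideAll(samples) {
  const out = {};
  for (const [name, response] of Object.entries(samples)) {
    out[name] = videoInjectionDecision(response).reason;
  }
  return out;
}

console.log(decideAll(SAMPLES));
```

Only the `binaryClean` sample is allowed; the `jpegUpload` sample is rejected even though `detected` is false, since that value carries no meaning when `evaluated` is false.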
Size of the binary content data
The size of the data to be transferred depends on the camera resolution (whether it is 1920x1080 or 1280x720 pixels), on the image quality and noise, and on the background in the image. You can assume the following sizes for the following components, with a tolerance of +10% / -50%.
Capture component output | Average data size @ 1920x1080 |
---|---|
Document auto capture | 600 kB |
Face auto capture (passive) | 300 kB |
Smile Liveness capture | 600 kB |
MagnifEye Liveness capture | 900 kB |