Video Injection Prevention

To protect against video injection attacks and deepfakes, the video injection prevention feature has to be implemented. Without it, any liveness detection may be vulnerable. The feature requires modification on both the client and the server side, as well as modification of the data transferred.

Compatibility

To use video injection prevention and detection, the following requirements must be met:

  • Digital Identity Service v1.25.0 or higher
  • Web components v5.1.0 or higher
  • Android components v6.4.0 or higher
  • iOS components v6.4.0 or higher

Web components

Web components v5.0.0 changed the structure of the onPhotoTaken callback. Previously, the onPhotoTaken function returned just images in PNG or JPEG format and some additional information about the component's capture process. After obtaining the images from the onPhotoTaken callback, the user application sent just these images to the appropriate DIS endpoint for further processing, using the application/json content type.

Now, the onPhotoTaken function returns one image (except for smile liveness) and a new data record. The record is a signed version of the image with some additional information, in byte array format. See the callback definition in the Web Face Auto Capture Component; it is similar in the other web components.

In order to use video injection prevention, the user application has to send the obtained record to the appropriate DIS endpoint with the octet-stream content type. For more information about DIS endpoints, please see Digital Identity Service below.

Using the images from the onPhotoTaken callback is still supported, but video injection prevention will not be evaluated in that case.

Considerations on Platform and Browser

If you need really high security and the project allows it, you should prevent your web app from running on desktops or laptops, as these platforms offer many more tools to disassemble and attack your application.

You can also increase security by preventing the use of the Firefox browser, as it guarantees the highest level of privacy for fraudsters.

Mobile components

In v6.4.0, we changed the mobile components to support video injection prevention. Previously, the result type for each mobile component contained one or more images, which could be sent to the appropriate DIS endpoint for further processing with the application/json content type.

Now, the result type for each mobile component contains one image property and one content property. The image property can be used to present the mobile component result to the user of the mobile app. The content property is an encrypted byte array which contains the mobile component result and the data required for the video injection evaluation. See the Android FaceAutoCaptureResult or the iOS FaceAutoCaptureResult; a similar type exists for each mobile library.

In order to use video injection prevention, the mobile app has to send the obtained content to the appropriate DIS endpoint with the octet-stream content type. For more information about DIS endpoints, please see Digital Identity Service below.

Digital Identity Service

In Digital Identity Service v1.25.0 and higher, there are new API calls to submit the data in the proprietary record format. Both face liveness and document images can be submitted this way. This is supported only with the Customer Onboarding API.

To submit face photos from a liveness component (active or passive), the endpoint customers/liveness/records must be used and the octet-stream content type must be set for the API request. In order to submit a selfie photo, use the selfie link returned by this call in the customers/selfie endpoint (alternatively you can also submit the selfie itself as the octet-stream type).

Generally, every endpoint that accepts images as the application/json content type can be used with the application/octet-stream (binary) content type as well.

A document page photo can be submitted in this new format through the customers/document/pages API endpoint, where the octet-stream content type has to be used.

To get information about video injection detection, use the API endpoint customers/inspect and retrieve the object SecurityInspection/VideoInjectionInspection. There, the value evaluated indicates whether the data were uploaded as binary content or as JPEG. In the case of binary content, the value detected indicates whether an injection was detected.
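One way to gate an onboarding decision on this inspection result, as an added example that is not part of the DIS documentation or SDK. The camelCase JSON keys, the function names and the reason strings are assumptions; only the object name and the evaluated and detected values come from the text above.

```javascript
// Fail-closed gate over a parsed customers/inspect response.
// ASSUMPTION: camelCase JSON keys; the page names only the object
// SecurityInspection/VideoInjectionInspection and its values evaluated/detected.
function videoInjectionVerdict(inspectResponse) {
  const vi = inspectResponse?.securityInspection?.videoInjectionInspection;
  if (vi === null || typeof vi !== 'object') {
    return { accept: false, reason: 'inspection-missing' };
  }
  // Require real booleans so "true", 1 or undefined never count as a result.
  if (typeof vi.evaluated !== 'boolean') {
    return { accept: false, reason: 'inspection-malformed' };
  }
  // evaluated=false: the images arrived as JPEG (application/json), so the
  // injection check never ran. detected=false carries no meaning here.
  if (!vi.evaluated) {
    return { accept: false, reason: 'not-evaluated' };
  }
  if (typeof vi.detected !== 'boolean') {
    return { accept: false, reason: 'inspection-malformed' };
  }
  if (vi.detected) {
    return { accept: false, reason: 'injection-detected' };
  }
  return { accept: true, reason: 'clean' };
}

// Tally verdict reasons across sessions for monitoring: a rising
// 'not-evaluated' count means clients still upload plain images.
function tallyReasons(responses) {
  const counts = {};
  for (const r of responses) {
    const { reason } = videoInjectionVerdict(r);
    counts[reason] = (counts[reason] || 0) + 1;
  }
  return counts;
}

// Constructed sample responses (not captured from a real service).
const SAMPLES = [
  { securityInspection: { videoInjectionInspection: { evaluated: true, detected: false } } },
  { securityInspection: { videoInjectionInspection: { evaluated: true, detected: true } } },
  { securityInspection: { videoInjectionInspection: { evaluated: false, detected: false } } },
  { securityInspection: {} },
  { securityInspection: { videoInjectionInspection: { evaluated: 'true', detected: false } } },
];

console.log(tallyReasons(SAMPLES));
```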

Size of the binary content data

The size of the data to be transferred will depend on the camera resolution (whether it is 1920x1080 or 1280x720 pixels), on the quality of the image and noise, and on the background in the image. You can assume the following sizes for the following components with a tolerance of +10% / -50%.

Capture component output      Average data size @ 1920x1080
Document auto capture         600 kB
Face auto capture (passive)   300 kB
Smile Liveness capture        600 kB
MagnifEye Liveness capture    900 kB