# MobileID InApp risk attributes
Optionally, Signicat can configure your service to return risk attributes. These can be used to reduce fraud by means of improved risk evaluation.
Risk attributes can be retrieved with all operations: registration, authentication, Authorisation or Consent Signature. If you would like us to set this up for you, contact Signicat at support@signicat.com and let us know which attributes you would like to receive.
This guide is part of our MobileID InApp Finalise operation guides:
# Available attributes
The full list of available risk attributes is as follows:
Risk attribute | Type | Description |
---|---|---|
operating_system_fingerprint | String | A fingerprint of the operating system. This can be used for detecting whether the device is running a custom ROM or operating system |
operating_system_version | String | The operating system version. Examples: 4.1.2, 6.0.1 |
input_method | String | The input method that was used to enter text in the application. Can be used to detect when a custom keyboard is used on the device. For more info on input methods please see: https://developer.android.com/guide/topics/text/creating-input-method |
is_debuggable | Boolean | Indicates whether the application running can be debugged using a source level debugger, either by manifest entry or in emulator |
is_debug_enabled | Boolean | Indicates whether debug is enabled on device, either by user setting (USB-debugging enabled) or when running in emulator (debugging enabled by default) |
is_debugger_connected | Boolean | Indicates whether a debugger is connected to the application |
is_emulator | Boolean | Indicates whether the application is running in an emulator |
is_root_available | Boolean | Indicates whether the device has been rooted/jail-broken. |
is_secure_screen_lock_enabled | Boolean | Indicates whether the device has a secure screen lock enabled |
is_unknown_sources_enabled | Boolean | Indicates whether the device allows installation of applications outside the application store |
server_client_ip | String | The host address the request originated from. It contains the value of the X-Forwarded-For (XFF) header from the request and can contain multiple IP addresses, depending on proxies and load balancers. If XFF is not present, the remote address of the request is used. This can be either the IP of the client or of the last proxy that sent the request, as specified by the value of the Common Gateway Interface (CGI) variable REMOTE_ADDR. |
signer_hashes | Base64 | A SHA-256 hash of the public key of the application signer's certificate. If there are several signers, the hashes are comma separated. This can be used for detecting whether the application has been re-signed. |
user_agent | String | HTTP User agent from smart device application. |
device_hash | Base64 | SHA256 hash of the unique hardware device ID of the client device. |
device_manufacturer | String | The manufacturer of the device. Examples: "Apple", "Samsung". |
device_model | String | The device’s model. Examples: "iPad2,2", "Nexus S". |
operating_system_type | String | Indicates the OperatingSystemType of the device, either Android or iOS. |
application_hash | Base64 | SHA256 hash of the application name. The server can use this for detecting re-packaging. |
client_side_ip | JSON | An array containing the client network interfaces. This includes the type of the network and the IP address, and the list can contain multiple interfaces if the end-user’s device is connected to more than one at the time of the transaction. Example: [{"Type":"Cellular","IPAddress":"123.123.123.123"},{"Type":"Wifi","IPAddress":"124.124.124.124"}] |
hw_key_client_status | String | The status of the hardware-protected key signature performed by the Encap client SDK. |
hw_key_server_result | String | The result of the hardware-protected key signature verification on the Encap server. |
battery_level | Integer | Provides the battery level of the device. |
is_power_connected | Boolean | Indicates whether the device is being charged/connected to a charger. |
These are the possible values for the hw_key_client_status attribute:
Status | Description |
---|---|
OK_KEY_PROVIDED | Activation of hardware-protected keys was successful on the client. |
OK_SIGNED_SUCCESS | Authentication challenge was successfully signed with the hardware-protected key on the client. |
INFO_NO_HARDWARE_SUPPORT | The client device does not have Secure Enclave, or it is running in a simulator. Only for iOS. |
INFO_NO_OPERATING_SYSTEM_SUPPORT | The client operating system does not support hardware-backed keys. It is supported on: Android 6 (most devices); Android 7 or later (all devices); iOS 10 or later (devices with Secure Enclave). |
INFO_NOT_ACTIVATED_WITH_HW_KEY | The registration was not activated with hardware-protected keys support for one or more of the following reasons: Encap API did not support hardware crypto protected keys; Device Operating System did not support hardware crypto protected keys; Device Hardware does not support hardware crypto protected keys. |
ERR_KEY_GENERATION_FAILED | Unexpected error during generation of keypair on client. |
ERR_RETRIEVE_PUBLIC_KEY_FAILED | Unexpected error retrieving public key. Only on iOS. |
ERR_RETRIEVE_PRIVATE_KEY_REF_FAILED | Unexpected error when retrieving reference to private key. |
ERR_SIGN_OPERATION_FAILED | Unexpected error when generating signature. |
These are the possible values for the hw_key_server_result attribute:
Status | Description | Validation strategy |
---|---|---|
SIGNATURE_VERIFICATION_SUCCESS | Verification of the hardware-protected key signature was successful | Operation is successful in both strategy modes. |
SIGNATURE_VERIFICATION_FAILED | Verification of the hardware-protected key signature failed. | Operation will fail in SUPPORTED mode. |
NOT_ACTIVATED_WITH_HW_KEY | Signature could not be verified because registration was not activated with hardware-protected keys. | Operation will not fail regardless of strategy mode. |
NOT_PROVIDED_BY_CLIENT | The client is on an Encap version that does not support the hardware-protected key feature. | Operation will not fail regardless of strategy mode. The device will be activated without hardware-protected keys, and the device will be able to perform all operations but will not be able to use the hardware-protected key feature. To enable this feature the client must enrol on Encap version 3.8 or newer. |
# Responses with risk attributes
Response for authentication and Authorisation, with optional risk attributes:
```json
{
  "status":"SUCCESS",
  "data": {
    "sub":"WGrzaZJTOm7hJ-uDN4zK9zMhPgg1qznE",
    "externalRef":"ca389fae-153d-11ec-82a8-0242ac130003",
    "deviceId":"e44ac7ad-9b7c-4b9c-a449-4a71d6d3fed9",
    "deviceName":"sampleDevice",
    "mobileid.deviceModel":"SM-N975F",
    "mobileid.osVersion":"11",
    "mobileid.deviceManufacturer":"samsung",
    "mobileid.rootAvailable":"false",
    "mobileid.authLevel":"TWO_FACTOR",
    "mobileid.emulator":"false",
    "mobileid.osType":"Android",
    "mobileid.debuggable":"true",
    "mobileid.debuggerConnected":"false",
    ...
  }
}
```
For Consent Signature, risk attributes can optionally be returned as part of the signed JSON Web Token (JWT):
```json
{
  "sub":"e44ac7ad-9b7c-4b9c-a449-4a71d6d3fed9",
  "risk_attributes": "
  {
    "isEmulator":"false",
    "postContextContent":"postMessage",
    "deviceHash":"l5AXvoKEtzZuhmLH01Nvb5Vod5VNh4IdOIYdrklQxVE=",
    "signerHashes":"BhBKoLKPrChrrgawgxOsacN8NaZGKFPbMtLsX6ex7Q4=",
    "osVersion":"11",
    "osType":"Android",
    "hwKeyServerResult":"SIGNATURE_VERIFICATION_SUCCESS",
    "postContextTitle":"postTitle",
    "deviceManufacturer":"samsung",
    "applicationHash":"j3SeY/fYH+jgAZo0SidqJMoWA2rAr2ATmJOGnOD2VrQ=",
    "preContextTitle":"preTitle",
    "isDebuggerConnected":"false",
    "osFingerprint":"samsung/d2seea/d2s:11/RP1A.200720.012/N975FXXU7FUH3:user/release-keys",
    "userAgent":"Dalvik/2.1.0 (Linux; U; Android 11; SM-N975F Build/RP1A.200720.012)",
    "hwKeyClientStatus":"OK_SIGNED_SUCCESS",
    "authenticationLevel":"TWO_FACTOR",
    "inputMethod":"com.touchtype.swiftkey/com.touchtype.KeyboardService",
    "deviceModel":"SM-N975F",
    "location":"
    {
      \"accuracy\":\"2000.0\",
      \"altitude\":null,
      \"latitude\":\"63.44144144144144\",
      \"longitude\":\"10.397050785704865\"
    }",
    "isDebuggable":"true",
    "isDebugEnabled":"true",
    "authMethod":"DEVICE:PIN",
    "isRootAvailable":"false",
    "isUnknownSourcesEnabled":"false",
    "isSecureScreenLockEnabled":"true",
    "serverClientIp":"172.16.17.170"
  }",
  "external_ref":"ca389fae-153d-11ec-82a8-0242ac130003",
  "signicat_signtext":"I confirm my purchase of broadband subscription Medium500.",
  "account_name":"nbidmobile:default:ca389fae-153d-11ec-82a8-0242ac130003",
  "iss":"Signicat AS",
  "iat": 1631598509,
  "jti":"e94b257c-f7ff-44b7-87bf-78b2b73331d4"
}
```
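The following is an added example, not Signicat code: a backend-side evaluation of the decoded payload shown above. It assumes the JWT signature has already been verified and that `claims` is the decoded payload; the function names, `EXPECTED_SIGNERS` and `MUST_BE_FALSE` are hypothetical, and the sample claims are constructed from the values on this page.

```python
import json

# Assumption: hashes of your release signing keys, pinned at build time.
# This value is the one in the page's sample, used only for illustration.
EXPECTED_SIGNERS = {"BhBKoLKPrChrrgawgxOsacN8NaZGKFPbMtLsX6ex7Q4="}
# Assumption: these attributes are enabled for your service and must be false.
MUST_BE_FALSE = ("isEmulator", "isRootAvailable", "isDebuggable",
                 "isDebuggerConnected")

def as_bool(value):
    """Values arrive as "true"/"false" strings; bool("false") is True."""
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError(f"not a boolean attribute: {value!r}")

def parse_risk_attributes(claims):
    """Decode risk_attributes (a JSON string) and its nested location string."""
    attrs = json.loads(claims["risk_attributes"])
    if isinstance(attrs.get("location"), str):
        attrs["location"] = json.loads(attrs["location"])
    return attrs

def risk_findings(claims, expected_signers=EXPECTED_SIGNERS):
    """Return sorted reasons to step up or reject; an empty list means clean."""
    attrs = parse_risk_attributes(claims)
    findings = []
    for name in MUST_BE_FALSE:
        if name not in attrs:
            findings.append(f"{name}:missing")  # absent is not the same as false
        elif as_bool(attrs[name]):
            findings.append(name)
    # signerHashes is comma separated when the app has several signers.
    signers = {h.strip() for h in attrs.get("signerHashes", "").split(",")} - {""}
    if not signers or not signers <= expected_signers:
        findings.append("signerHashes:unexpected")
    if attrs.get("hwKeyServerResult") == "SIGNATURE_VERIFICATION_FAILED":
        findings.append("hwKeyServerResult:failed")
    return sorted(findings)

# Constructed sample, modelled on the decoded payload shown above.
SAMPLE_CLAIMS = {"sub": "e44ac7ad-9b7c-4b9c-a449-4a71d6d3fed9",
    "risk_attributes": json.dumps({
        "isEmulator": "false", "isRootAvailable": "false",
        "isDebuggable": "true", "isDebuggerConnected": "false",
        "signerHashes": "BhBKoLKPrChrrgawgxOsacN8NaZGKFPbMtLsX6ex7Q4=",
        "hwKeyServerResult": "SIGNATURE_VERIFICATION_SUCCESS",
        "location": json.dumps({"accuracy": "2000.0", "altitude": None})})}

if __name__ == "__main__":
    print(risk_findings(SAMPLE_CLAIMS))  # ['isDebuggable']
```

Because every boolean attribute is delivered as a string, a plain truthiness check on `"false"` evaluates as true, which is why the example converts values explicitly before testing them.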
# Further reading
- MobileID InApp overview
- Mobile app-initiated operations via OIDC
- Mobile app-initiated operations: URL construction
- Mobile app-initiated operations: Finalise operation
- Backend-initiated operations via OIDC
- Backend-initiated operations: URL construction
- Backend-initiated operations: Finalise operation
- MobileID InApp upgrade guide
- MobileID InApp release notes