link

# MobileID InApp risk attributes

Optionally, Signicat can configure your service to return risk attributes. These can be used to reduce fraud by means of improved risk evaluation.

Risk attributes can be retrieved with all operations: registration, authentication, Authorisation or Consent Signature. If you would like us to set this up for you, contact Signicat at support@signicat.com and let us know which attributes you would like to receive.


This guide is part of our MobileID InApp Finalise operation guides:


# Available attributes

The full list of available risk attributes is as follows:

Risk attribute Type Description
operating_system_fingerprint String A fingerprint of the operating system. This can be used for detecting whether the device is running a custom ROM or operating system
operating_system_version String The operating system version. Examples: 4.1.2, 6.0.1
input_method String The input method that was used to enter text in the application. Can be used to detect when a custom keyboard is used on the device. For more info on input methods please see: https://developer.android.com/guide/topics/text/creating-input-method
is_debuggable Boolean Indicates whether the application running can be debugged using a source level debugger, either by manifest entry or in emulator
is_debug_enabled Boolean Indicates whether debug is enabled on device, either by user setting (USB-debugging enabled) or when running in emulator (debugging enabled by default)
is_debugger_connected Boolean Indicates whether a debugger is connected to the application`
is_emulator Boolean Indicates whether the application is running in an emulator
is_root_available Boolean Indicates whether the device has been rooted/jail-broken.
is_secure_screen_lock_enabled Boolean Indicates whether the device has secure screen enabled or not
is_unknown_sources_enabled Boolean Indicates whether the device allows installation of applications outside the application store
server_client_ip String The host address the request originated from. It will contain the value of X-Forwarded-For (XFF) header from the request and can contain multiple IP addresses depending on proxy and load balancers. If XFF is not present we will use the remote address of the request. It can be either the IP of the client or the last proxy that sent the request, it is specified by the value of the Common Gateway Interface (CGI) variable REMOTE_ADDR.
signer_hashes Base64 A SHA-256 hash of the public key of certificate of the application signer. If there are more signers, each hash is comma separated. This can be used for detecting whether the application has been re-signed.
user_agent String HTTP User agent from smart device application.
device_hash Base64 SHA256 hash of the unique hardware device ID of the client device.
device_manufacturer String The manufacturer of the device. Examples: "Apple", "Samsung".
device_model String The device’s model. Examples: "iPad2,2", "Nexus S".
operating_system_type String Indicates the OperatingSystemType of the device, either Android or iOS.
application_hash Base64 SHA256 hash of the application name. The server can use this for detecting re-packaging.
client_side_ip JSON An array containing the client network interfaces. This includes the type of the network and the IP address, and the list can contain multiple interfaces if the end-user’s device is connected to more than one at the time of the transaction. Example: [{"Type":"Cellular","IPAddress":"123.123.123.123"},{"Type":"Wifi","IPAddress":"124.124.124.124"}]
hw_key_client_status String The status of the hardware-protected key signature preformed by the Encap client SDK.
hw_key_server_result String The result of the hardware-protected key signature verification on the Encap server.
battery_level Integer Provides the battery level of the device.
is_power_connected Boolean Indicates whether the device is being charged/connected to a charger.

These are the possible values for the hw_key_client_status attribute:

Status Description
OK_KEY_PROVIDED Activation of hardware-protected keys was successful on the client.
OK_SIGNED_SUCCESS Authentication challenge was successfully signed with the hardware-protected key on the client.
INFO_NO_HARDWARE_SUPPORT The client device does not have Secure Enclave, or it is running in a simulator. Only for iOS
INFO_NO_OPERATING_SYSTEM_SUPPORT The client operating system does not support hardware backed keys. It is supported on: Android 6 (most devices) Android 7 or later (all devices) iOS 10 or later (devices with Secure Enclave)
INFO_NOT_ACTIVATED_WITH_HW_KEY The registration was not activated with hardware-protected keys support for one or more of the following reasons: Encap API did not support hardware crypto protected keys Device Operating System did not support hardware crypto protected keys Device Hardware does not support hardware crypto protected keys
ERR_KEY_GENERATION_FAILED Unexpected error during generation of keypair on client.
ERR_RETRIEVE_PUBLIC_KEY_FAILED Unexpected error retrieving public key. Only on iOS.
ERR_RETRIEVE_PRIVATE_KEY_REF_FAILED Unexpected error when retrieving reference to private key.
ERR_SIGN_OPERATION_FAILED Unexpected error when generating signature.

These are the possible values for the hw_key_server_result attribute:

Status Description Validation strategy
SIGNATURE_VERIFICATION_SUCCESS Verification of the hardware-protected key signature was successful Operation is successful in both strategy modes.
SIGNATURE_VERIFICATION_FAILED Verification of the hardware-protected key signature failed. Operation will fail in SUPPORTED mode.
NOT_ACTIVATED_WITH_HW_KEY Signature could not be verified because registration was not activated with hardware-protected keys. Operation will not fail regardless of strategy mode.
NOT_PROVIDED_BY_CLIENT The client is on an Encap version that does not support the hardware-protected key feature. Operation will not fail regardless of strategy mode. The device will be activated without hardware-protected keys, and the device will be able to perform all operations but will not be able to use the hardware-protected key feature. To enable this feature the client must enrol on Encap version 3.8 or newer.

# Responses with risk attributes

Response for authentication and Authorisation, with optional risk attributes:

{
	"status":"SUCCESS",
	"data": {
		"sub":"WGrzaZJTOm7hJ-uDN4zK9zMhPgg1qznE",
		"externalRef":"ca389fae-153d-11ec-82a8-0242ac130003",
		"deviceId":"e44ac7ad-9b7c-4b9c-a449-4a71d6d3fed9",
		"deviceName":"sampleDevice",
		"mobileid.deviceModel":"SM-N975F",
		"mobileid.osVersion":"11",
		"mobileid.deviceManufacturer":"samsung",
		"mobileid.rootAvailable":"false",
		"mobileid.authLevel":"TWO_FACTOR",
		"mobileid.emulator":"false",
		"mobileid.osType":"Android",
		"mobileid.debuggable":"true",
		"mobileid.debuggerConnected":"false",
		...
			}
}

For Consent Signature, risk attributes can optionally be returned as part of the signed JSON Web Token (JWT):

{
	"sub":"e44ac7ad-9b7c-4b9c-a449-4a71d6d3fed9",
	"risk_attributes":	"
		{
			"isEmulator":"false",
			"postContextContent":"postMessage",
			"deviceHash":"l5AXvoKEtzZuhmLH01Nvb5Vod5VNh4IdOIYdrklQxVE=",
			"signerHashes":"BhBKoLKPrChrrgawgxOsacN8NaZGKFPbMtLsX6ex7Q4=",
			"osVersion":"11",
			"osType":"Android",
			"hwKeyServerResult":"SIGNATURE_VERIFICATION_SUCCESS",
			"postContextTitle":"postTitle",
			"deviceManufacturer":"samsung",
			"applicationHash":"j3SeY/fYH+jgAZo0SidqJMoWA2rAr2ATmJOGnOD2VrQ=",
			"preContextTitle":"preTitle",
			"isDebuggerConnected":"false",
			"osFingerprint":"samsung/d2seea/d2s:11/RP1A.200720.012/N975FXXU7FUH3:user/release-keys",
			"userAgent":"Dalvik/2.1.0 (Linux; U; Android 11; SM-N975F Build/RP1A.200720.012)",
			"hwKeyClientStatus":"OK_SIGNED_SUCCESS",
			"authenticationLevel":"TWO_FACTOR",
			"inputMethod":"com.touchtype.swiftkey/com.touchtype.KeyboardService",
			"deviceModel":"SM-N975F",
			"location":"
				{
					\"accuracy\":\"2000.0\",
					\"altitude\":null,
					\"latitude\":\"63.44144144144144\",
					\"longitude\":\"10.397050785704865\"
				}",
			"isDebuggable":"true",
			"isDebugEnabled":"true",
			"authMethod":"DEVICE:PIN",
			"isRootAvailable":"false",
			"isUnknownSourcesEnabled":"false",
			"isSecureScreenLockEnabled":"true",
			"serverClientIp":"172.16.17.170"
		}",
	"external_ref":"ca389fae-153d-11ec-82a8-0242ac130003",
	"signicat_signtext":"I confirm my purchase of broadband subscription Medium500.",
	"account_name":"nbidmobile:default:ca389fae-153d-11ec-82a8-0242ac130003",
	"iss":"Signicat AS",
	"iat": 1631598509,
	"jti":"e94b257c-f7ff-44b7-87bf-78b2b73331d4"
}

# Further reading

Last updated: 25/04/2022 09:50 UTC