Security Checks

The SDK performs security checks and collects device information during initialization. Warnings produced during the 3DS SDK initialization process can be retrieved using the getWarnings method, which returns a list of Warning objects. These can be checked by the app to determine whether or not to proceed with the checkout process:

	/* check warnings */
	List<Warning> warnings = ThreeDS2Service.INSTANCE.getWarnings();
	if (warnings.size() > 0) {
		// process warnings
		// abort the checkout if necessary
	}

The Warning object consists of the following fields:

Name	Type	Description
id	String	Warning identifier.
message	String	Warning message.
severity	Severity (enum)	Warning severity level (LOW, MEDIUM, HIGH).

The following warnings are documented in the EMVCo specification:

Security Warning ID	Description	Severity Level
SW01	The device is jailbroken.	HIGH
SW02	The integrity of the SDK has been tampered.	HIGH
SW03	An emulator is being used to run the app.	HIGH
SW04	A debugger is attached to the app.	MEDIUM
SW05	The OS or the OS version is not supported.	HIGH

To be notified of security issues at runtime, it is recommended to use the Security Event Listener as well.

Security Checks Performed During Initialization

The following security checks are performed during initialization of the SDK:

• Root detection: Several ways of detecting if the device is rooted
• SDK tampering detection: including app signer fingerprint validation, hook detection, and malicious app detection
• Checks to make sure the app was installed from trusted app stores
• Emulator detection
• Detection of an attached debugger
• OS version detection

These initialization checks result in warnings accessible via the getWarnings detailed above. The message will contain a description of the issue encountered.

Security Checks Performed at Runtime

The following security checks are performed at runtime:

• Emulator detection (high severity): during Transaction.getAuthenticationRequestParameters()
• Debugging detection (medium severity): during Transaction.doChallenge()
• Root detection (high severity): during Transaction.doChallenge()
• Hook detection (high severity): during ThreeDS2Service.createTransaction(), and during the challenge process when the Submit/Resend/Cancel buttons are clicked.
• Debug enabled detection (low severity): during Transaction.doChallenge()

These runtime checks result in firing of the Security Event Listener alarm event, and the activity closing for high severity issues. In the development version of the SDK (without _deploy in the file name), these checks are not performed.