Security
Device security
Also explained in the "Requirements" section:
- The SDK will not function if the device does not meet the security requirements, including having a lock screen enabled and sufficient secure hardware.
- The SDK uses the Play Integrity API/AppAttestation to detect rooted or jailbroken devices and repackaged applications, so that the Aera backend can admit only devices that meet the defined security policy. Whitelist your Mobile App, see "Prerequisites". See "Google Play Integrity API" for Android setup instructions.
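The SDK enforces the device requirements itself, but a Membership App can give the user a clearer message than a generic SDK failure by checking the lock-screen requirement before initialising the SDK. The following Kotlin is an added example, not code from the Aera SDK: it reads the platform's own signals (lock screen configured, hardware-backed keystore, StrongBox) and treats only the lock screen as a locally decidable requirement, because what counts as "sufficient secure hardware" is decided by the SDK and its backend policy, not by this check.

```kotlin
import android.app.KeyguardManager
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build

// Result of a hypothetical pre-flight check run by the Membership App
// before the Wallets SDK is initialised (example code, not part of the SDK).
data class DevicePreCheck(
    val lockScreenEnabled: Boolean,   // PIN, pattern, password or biometric lock configured
    val hardwareKeystore: Boolean,    // platform reports a TEE-backed keystore (API 31+)
    val strongBox: Boolean,           // platform reports a dedicated secure element (API 28+)
) {
    // The lock screen is the only requirement this check can decide locally;
    // the hardware flags are informational and the SDK makes the final call.
    val passesLocalRequirements: Boolean get() = lockScreenEnabled
}

fun preCheckDevice(context: Context): DevicePreCheck {
    val keyguard = context.getSystemService(Context.KEYGUARD_SERVICE) as KeyguardManager
    val pm = context.packageManager

    // isDeviceSecure() is true when any secure lock screen is configured (API 23+).
    val lockScreenEnabled = keyguard.isDeviceSecure

    // Feature flags are only defined on newer API levels; on older devices they
    // are reported as false here, which does not by itself mean the SDK will
    // refuse the device.
    val hardwareKeystore = Build.VERSION.SDK_INT >= Build.VERSION_CODES.S &&
        pm.hasSystemFeature(PackageManager.FEATURE_HARDWARE_KEYSTORE)
    val strongBox = Build.VERSION.SDK_INT >= Build.VERSION_CODES.P &&
        pm.hasSystemFeature(PackageManager.FEATURE_STRONGBOX_KEYSTORE)

    return DevicePreCheck(lockScreenEnabled, hardwareKeystore, strongBox)
}

// Usage: run the check first and explain the missing requirement to the user
// instead of letting SDK initialisation fail. `initSdk` and `showLockScreenHint`
// are hypothetical callbacks supplied by the host app.
fun startWalletIfEligible(
    context: Context,
    initSdk: () -> Unit,
    showLockScreenHint: () -> Unit,
) {
    val check = preCheckDevice(context)
    if (check.passesLocalRequirements) initSdk() else showLockScreenHint()
}
```

The check is advisory only: the SDK still performs its own evaluation and the backend still applies the integrity policy, so the app must not treat a passing pre-check as proof that the device is trusted.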
SDK security
- The SDK handles sensitive operations internally (e.g., token storage, biometric PIN entry).
- Sensitive payment data is never exposed to your app or stored on device.
- Authentication is handled by the Aera Secure ID SDK (SID SDK) in RequireBiometricOrAppPinAuthentication mode. This means the supported authentication methods are Application PIN and/or Biometric Authentication. The Application PIN is defined by the consumer as part of the onboarding flow; the rules for the Application PIN are set by Aera. The SID SDK is a dependency of the Wallets SDK and the DPA. The Wallets SDK interacts with it and handles all authentication, onboarding and signing-related functionality. The Membership App does not interact with it directly.
- The SDK does not allow backup: it sets android:allowBackup="false" and android:fullBackupContent="false" and declares android:dataExtractionRules exclusions. This can be overridden with tools:replace.
- The Wallet SDK requires valid sessions between actions, screens and inside the WebView, and session keys are rotated for every action.
- To ensure integrity, payment data is provided only for displaying details in a Payment User Interface; any change to the data between retrieval and signing is detected and rejected.
Membership App security
The Membership App using the SDK must additionally follow security best practices appropriate to the risk profile and risk acceptance of the solution offered.
- All sessions used with the Wallets SDK should use a secure connection between the Mobile App, the Mobile App backend and the Wallet Provider.
- Set up Google Play Integrity as defined in the "Google Play Integrity API" section.
- Whitelist your Mobile App, see "Prerequisites".
- The Wallets dashboard is opened in a WebView. For the partial flow, the Membership App implementation should follow security best practices; see the Android security best practices for WebView, Unsafe File Inclusion and OWASP. Example mitigations include: an allowlist, setAllowFileAccess off, usesCleartextTraffic off and Safe Browsing.
- Follow vendor-provided security guides such as the Android development best practices and the iOS development best practices.
- Obfuscating the app's code via e.g. minification is good, but mainly helps improve performance. Take other measures against reverse engineering into consideration.
- OWASP maintains a Mobile Top 10 list that is necessary reading for secure app development.
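The WebView mitigations listed above (allowlist, file access off, Safe Browsing) can be applied in one place when the dashboard WebView is created. The Kotlin below is an added example and not the SDK's or Aera's own code; the dashboard host name is a placeholder, and the real host and any additional settings come from Aera's integration material. usesCleartextTraffic is a manifest attribute (android:usesCleartextTraffic="false") rather than a WebView setting, so it is not set here; the mixed-content setting below covers the equivalent inside the WebView.

```kotlin
import android.net.Uri
import android.os.Build
import android.webkit.WebResourceRequest
import android.webkit.WebSettings
import android.webkit.WebView
import android.webkit.WebViewClient

// Placeholder host for the Wallets dashboard (not a real Aera endpoint).
private const val DASHBOARD_HOST = "wallets-dashboard.example"

// Allowlist rule: only https navigations to the dashboard host or one of its
// subdomains are permitted inside the WebView; everything else is refused.
fun isAllowedNavigation(uri: Uri): Boolean {
    if (uri.scheme != "https") return false
    val host = uri.host?.lowercase() ?: return false
    return host == DASHBOARD_HOST || host.endsWith(".$DASHBOARD_HOST")
}

@Suppress("DEPRECATION") // the *FromFileURLs setters are deprecated but still honoured on older devices
fun hardenDashboardWebView(webView: WebView) {
    val settings: WebSettings = webView.settings

    // The dashboard is a web application, so JavaScript stays on; nothing
    // below grants it access beyond the allowlisted origin.
    settings.javaScriptEnabled = true

    // Web content must not be able to read file:// or content:// URIs. This is
    // the "setAllowFileAccess off" mitigation and closes the unsafe file
    // inclusion class of issues.
    settings.allowFileAccess = false
    settings.allowContentAccess = false
    settings.allowFileAccessFromFileURLs = false
    settings.allowUniversalAccessFromFileURLs = false

    // Safe Browsing warns on known-bad URLs (API 26+).
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
        settings.safeBrowsingEnabled = true
    }

    // Never load http:// subresources from the https:// dashboard.
    settings.mixedContentMode = WebSettings.MIXED_CONTENT_NEVER_ALLOW

    // Enforce the allowlist on every top-level navigation. Returning true
    // tells the WebView not to load the request.
    webView.webViewClient = object : WebViewClient() {
        override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean =
            !isAllowedNavigation(request.url)
    }
}

// Usage: harden first, then load the dashboard entry point (placeholder path).
fun openDashboard(webView: WebView) {
    hardenDashboardWebView(webView)
    webView.loadUrl("https://$DASHBOARD_HOST/")
}
```

The allowlist deliberately checks scheme and host rather than a URL prefix, so `https://wallets-dashboard.example.attacker.test` and `http://wallets-dashboard.example` are both refused; keep the host constant in sync with the dashboard host Aera provides, otherwise the dashboard itself will be blocked.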
Routines
Patches for security vulnerabilities are released at least every six months, based on monthly and annual reviews. Critical issues may be expedited and released sooner.
The Aera Secure ID SDK used by the Aera Wallets SDK may be used as a PSD2 SCA solution. Contact Aera for the baseline requirements for using the SDK as such.
The solution is pentested by a third party before release into production.
For any security-related questions, please contact [email protected].
