Security
- The SDK handles sensitive operations internally (e.g., token storage, biometric PIN entry).
- Sensitive payment data is never exposed to your app or stored on device.
- Authentication is handled by Aera Secure ID in RequireBiometricOrAppPinAuthentication mode, so the supported methods are an Application PIN and/or biometric authentication. The consumer defines the Application PIN during the onboarding flow; the rules for the Application PIN are set by Aera.
- The SDK will not function unless a secure lock screen is enabled on the device, both before and after consumer onboarding.
- The SDK uses the Google Play Integrity API to detect rooted devices and repackaged applications, so that the Aera backend can allow only devices that comply with the defined security policy.
- The SDK disables backup of its data by declaring `android:allowBackup="false"` and `android:fullBackupContent="false"` and by excluding its data through `android:dataExtractionRules`. The host app can override these attributes with `tools:replace` during manifest merging.
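The manifest attributes above are merged from the SDK into the host app's manifest. The following AndroidManifest.xml fragment is an added example (not Aera's SDK manifest or any Membership App's code) showing how a host app that declares the same attributes keeps the backup-disabled posture: the values stay `false`, and `tools:replace` is only used so the manifest merger does not fail on a conflicting declaration. The package name and the `@xml/data_extraction_rules` resource name are placeholders.

```xml
<!-- Host (Membership) app manifest: added example, not the SDK's own manifest.
     Package name and the data_extraction_rules resource are placeholders. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    package="com.example.membership">

    <application
        android:name=".MembershipApplication"
        android:allowBackup="false"
        android:fullBackupContent="false"
        android:dataExtractionRules="@xml/data_extraction_rules"
        tools:replace="android:allowBackup,android:fullBackupContent,android:dataExtractionRules">
        <!-- Setting these attributes to true via tools:replace would re-enable
             cloud backup and device-to-device transfer of app data, which
             undoes the SDK's exclusion of its storage. -->
    </application>
</manifest>
```

After building, the merged manifest can be checked with `apkanalyzer manifest print app-release.apk` (from the Android SDK command-line tools) to confirm that `android:allowBackup` is still `false` in the APK that ships, since a `tools:replace` elsewhere in the build (for example in a flavor-specific manifest) silently wins the merge.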
The Membership App using the SDK must additionally follow security best practices appropriate to the risk profile and risk acceptance of the solution it offers.
- All sessions used with the Wallets SDK should run over a secure connection between the Mobile App, the Mobile App backend and the Wallet Provider.
- Follow vendor-provided security guides, such as Android's security best practices for app development.
- OWASP maintains a Mobile Top 10 list that secure app development should address.
Patches for security vulnerabilities are released at least every six months, based on monthly and annual reviews. Critical issues may be expedited and released sooner.
For any security-related questions, please contact [email protected].