Security
- The SDK handles sensitive operations internally (e.g., token storage, biometric PIN entry).
- Sensitive payment data is never exposed to your app or stored on device.
- Authentication is handled by the Aera Secure ID SDK (SID SDK) in RequireBiometricOrAppPinAuthentication mode. This means the supported methods of authentication include Application PIN and/or Biometric Authentication. The Application PIN is defined by the consumer as part of the onboarding flow. Rules for the Application PIN are set by Aera. The SID SDK is a dependency of the Wallets SDK and the DPA. The Wallets SDK interacts with it, handling all authentication, onboarding and signing-related functionality. The Membership App does not interact with it directly.
- The SDK will not function unless a secure lock screen is enabled, both before and after consumer onboarding.
- The SDK uses Google Play Integrity API/Attestation to detect rooting/jailbreaking of devices or repackaged applications, so that the Aera backend can allow only devices that follow the defined security policy. See "Google Play Integrity API" for setup instructions.
- The SDK does not allow backup: it sets android:allowBackup to false, fullBackupContent to false, and dataExtractionRules exclusions. This can be overridden with tools:replace.
- The Wallet SDK requires valid sessions between actions, screens and inside the WebView, and session keys are rotated for every action.
The Membership App using the SDK must additionally follow security best practices according to the risk profile and risk acceptance of the solution offered.
- All sessions used with the Wallets SDK should be made over a secure connection between the Mobile App, the Mobile App backend and the Wallet Provider.
- Set up Google Play Integrity as defined in the "Google Play Integrity API" section.
- The Wallets dashboard is opened in a WebView. For partial flow, the Membership App implementation should follow security best practices; see Android Security best practices for WebView, Unsafe File Inclusion and OWASP. Example mitigations include: an allowlist, setAllowFileAccess off, usesCleartextTraffic off and SafeBrowsing.
- Follow vendor-provided security guides, such as the Android development best practices.
- Obfuscating the app's code, e.g. via minification, is good, but mainly helps improve performance. Also consider other measures to guard against reverse engineering.
- OWASP maintains a Mobile Top 10 list that is necessary for secure app development.
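The WebView mitigations listed above (allowlist, file access off, SafeBrowsing) could be applied in the Membership App as in the following added example, which is not part of the Wallets SDK. The host `wallet.example.com` and the function names are assumptions for illustration; the cleartext setting is a manifest attribute and appears only as a comment.

```kotlin
import android.net.Uri
import android.os.Build
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient

// Assumption: placeholder host. Use the dashboard host(s) defined for your integration.
private val ALLOWED_HOSTS = setOf("wallet.example.com")

// Allowlist check: HTTPS only, exact host match (no suffix or substring matching).
fun isAllowed(uri: Uri): Boolean {
    if (uri.scheme != "https") return false
    val host = uri.host?.lowercase() ?: return false
    return host in ALLOWED_HOSTS
}

// Hypothetical helper: apply the settings before any content is loaded.
fun hardenWebView(webView: WebView) {
    webView.settings.apply {
        allowFileAccess = false      // no file:// loads from the app sandbox
        allowContentAccess = false   // no content:// provider loads
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            safeBrowsingEnabled = true   // setter exists from API 26
        }
    }
    webView.webViewClient = object : WebViewClient() {
        // Returning true cancels the navigation. This overload exists from API 24.
        override fun shouldOverrideUrlLoading(
            view: WebView,
            request: WebResourceRequest
        ): Boolean = !isAllowed(request.url)
    }
}

// shouldOverrideUrlLoading is not invoked for loadUrl() calls made by the app,
// so the initial URL is checked against the same allowlist here.
fun loadIfAllowed(webView: WebView, url: String): Boolean {
    if (!isAllowed(Uri.parse(url))) return false
    webView.loadUrl(url)
    return true
}

// Manifest side (not Kotlin): android:usesCleartextTraffic="false" on <application>
// blocks plain-HTTP traffic for the whole app.
```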
Patches for security vulnerabilities are released at least every six months, based on monthly and annual reviews. Critical issues may be expedited and released sooner.
The solution is pentested by a third party before the initial release.
For any security-related questions, please contact [email protected].
