Overview
A paramedic transporting sensitive patient records on their field tablet must be certain their device has not been compromised by unauthorised software. The Mobile Device Integrity Attestation module detects jailbroken and rooted devices at app launch, surfacing device posture signals to both the client and the backend so access decisions can account for runtime integrity. Combined with app attestation (Play Integrity on Android, DCAppAttest on iOS) and screen-capture suppression on PHI routes, the module ensures that field responders handling protected health information are working on devices that the platform can verify and trust.
For regulated field operations such as emergency response, law enforcement, and clinical transport, refusing access on compromised devices or requiring supervisor approval balances risk tolerance with operational reality. The module is built on OWASP MASVS L2 standards (MSTG-RESILIENCE) and operates in report-only mode under current policy, logging all signals for server-side access decisions without forcibly blocking responder operations.
Key Features
- Best-Effort Jailbreak/Root Detection: Probes for a broad set of known iOS jailbreak artefacts and Android root indicators across filesystem, package, and build-property signals, without requiring external native modules.
- Report-Only by Default: Signals are logged and sent to the server but never force-quit the app or block legitimate responders. The detector always resolves successfully and never throws exceptions.
- Development Device Exemption: Web bundles, Windows/macOS builds, and debug (DEV) builds automatically report as 'unsupported' so development and testing workflows are not disrupted.
- Debugger and Instrumentation Detection: Identifies attached JavaScript debuggers (Metro Chrome DevTools) and React DevTools hooks, keeping those signals separate from OS-level root/jailbreak signals so server-side logic can distinguish tampered devices from instrumented runtimes.
- App Attestation Framework: Structural hooks for Play Integrity (Android) and DCAppAttest (iOS) enable high-trust operations to require platform-verified app integrity tokens, moving from client-side signaling to cryptographically verified app build attestation.
- Privacy Overlay on App Background: Full-bleed screen-capture suppression (MASVS-STORAGE-9) masks PHI when the app is backgrounded or multitasked, preventing task-switcher thumbnails and iOS multitasker snapshots from exposing sensitive patient or incident data.
- Structured Logging: All signals (filesystem probes, build tags, debugger state) are logged with security.device.integrity.violation events for SIEM correlation and audit trail integration.
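The detector behaviour listed above (never throws, DEV and non-mobile builds report 'unsupported', debugger signals kept apart from root/jailbreak signals), sketched as an added example that is not the module's own code. The probe names, the env shape and the synchronous signature are assumptions made for illustration.

```javascript
'use strict';
// Added example, not the module's code. Probe names and the env shape are hypothetical.
// Each probe returns true when its heuristic fires; any probe may throw.
function runProbes(probes) {
  const hits = [];
  for (const [name, probe] of Object.entries(probes)) {
    try {
      if (probe() === true) hits.push(name);
    } catch {
      // A failing probe counts as "no signal"; it is never surfaced to the caller.
    }
  }
  return hits;
}

function detectIntegrity(env, rootProbes, debuggerProbes) {
  const result = { verdict: 'unsupported', signals: [], debugger: [] };
  try {
    // Debugger/instrumentation state is reported separately from OS-level signals.
    result.debugger = runProbes(debuggerProbes);
    if (env.isDev) result.debugger.unshift('dev-build');
    // Web, desktop and debug builds short-circuit before any OS-level probe runs.
    if (env.isDev || (env.platform !== 'ios' && env.platform !== 'android')) return result;
    result.signals = runProbes(rootProbes);
    result.verdict = result.signals.length > 0 ? 'suspected' : 'ok';
  } catch {
    // Unexpected failure (for example a missing env): keep whatever was collected.
  }
  return result;
}

// Constructed probes: one throws (as a rejected filesystem call would), one fires.
const SAMPLE_ROOT_PROBES = {
  'fs.probe': () => { throw new Error('EPERM'); },
  'build.tags': () => true,
};
const SAMPLE_DEBUGGER_PROBES = {
  'react-devtools-hook': () => typeof globalThis.__REACT_DEVTOOLS_GLOBAL_HOOK__ !== 'undefined',
};
console.log(detectIntegrity({ isDev: false, platform: 'android' }, SAMPLE_ROOT_PROBES, SAMPLE_DEBUGGER_PROBES));
```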
Use Cases
- Field Paramedics and EMT Operations: Transporting patients with protected health information on mobile devices; the platform signals device posture to enable supervisory override workflows when a responder's device shows root/jailbreak indicators.
- Law Enforcement Field Operations: Officers accessing classified investigation databases or sensitive surveillance data on agency-issued or personal devices; device integrity feeds into risk-based access gates.
- Clinical Field Teams: Community health workers, contact tracers, and mobile nurses handling patient records in field settings where device compromise could expose protected health information.
- Custody and Evidence Chain Responders: Personnel recording evidence or managing chain-of-custody workflows where device tamper signals trigger mandatory sign-off from a supervisor before high-trust mutations are allowed.
Integration
Device integrity signals flow through the mobile client's middleware to every high-trust API request via the X-Argus-Attestation header. The header carries:
- Device posture verdict (ok, suspected, or unsupported)
- Signal names (filesystem probe hits, build tag matches, debugger hooks)
- Debugger state (dev-build, react-devtools-hook)
- App attestation platform token (pending until expo-integrity module is bundled)
The server-side access gate examines this header alongside organisational policy to:
- Permit with audit: Allow the operation and log the device posture in the structured audit trail
- Escalate: Require step-up authentication or supervisor override for suspected devices
- Deny: Reject high-trust operations when policy forbids unattested app execution on rooted/jailbroken devices
The detector itself is intentionally conservative: all filesystem probes and constants lookups are wrapped in try-catch blocks, and the DEV short-circuit ensures that developer devices running rooted simulators or sideloaded debug builds are never mistakenly blocked.
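The server-side gate described in this section, as an added example that is not the module's own code. The header encoding (base64url JSON), its field names, the policy options and the verifyToken callback are assumptions; the page does not specify them.

```javascript
'use strict';
// Added example, not the module's code. ASSUMED wire format: base64url JSON
// { verdict, signals[], debugger[], attestation }; policy fields are hypothetical.
const VERDICTS = new Set(['ok', 'suspected', 'unsupported']);
const NAME = /^[a-z0-9._-]{1,64}$/; // abstract signal names only; keeps audit lines clean

function parseAttestationHeader(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 4096) return null;
  try {
    const obj = JSON.parse(Buffer.from(value, 'base64url').toString('utf8'));
    if (obj === null || typeof obj !== 'object' || !VERDICTS.has(obj.verdict)) return null;
    const names = (v) => (Array.isArray(v) ? v.filter((s) => typeof s === 'string' && NAME.test(s)).slice(0, 32) : []);
    return {
      verdict: obj.verdict,
      signals: names(obj.signals),
      debugger: names(obj.debugger),
      attestation: typeof obj.attestation === 'string' ? obj.attestation : 'pending',
    };
  } catch {
    return null; // malformed header: handled the same way as a missing one
  }
}

// verifyToken is a hypothetical callback standing in for server-side
// Play Integrity / App Attest verification; it must return true or false.
function decide(headerValue, policy, verifyToken = () => false) {
  const posture = parseAttestationHeader(headerValue);
  const attested = posture !== null && posture.attestation !== 'pending' && verifyToken(posture.attestation) === true;
  const audit = {
    verdict: posture ? posture.verdict : 'missing',
    signals: posture ? posture.signals : [],
    debugger: posture ? posture.debugger : [],
    attested,
  };
  let action = 'permit'; // report-only: always permit, always audit
  if (policy.mode !== 'report-only') {
    if (posture === null || posture.verdict === 'unsupported') action = 'escalate';
    else if (posture.verdict === 'suspected') action = policy.denyUnattestedSuspected && !attested ? 'deny' : 'escalate';
  }
  return { action, audit };
}

// Constructed sample header, shaped as the client middleware is assumed to send it.
const encodeHeader = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const SAMPLE = encodeHeader({ verdict: 'suspected', signals: ['fs.probe', 'build.test-keys'], debugger: [], attestation: 'pending' });
console.log(decide(SAMPLE, { mode: 'report-only' }).action);
console.log(decide(SAMPLE, { mode: 'enforce', denyUnattestedSuspected: true }).action);
```

The verdict and signal names are client-reported, so the gate filters them before they reach the audit trail and counts a device as attested only when the token verifies server-side.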
Open Standards
- OWASP Mobile Application Security Verification Standard (MASVS) L2: The module is built to MASVS L2 requirements; MSTG-RESILIENCE-1 (detect tampered runtime) and MSTG-RESILIENCE-2 (respond to integrity violations) govern the jailbreak/root detection logic, and MSTG-RESILIENCE-4 (detect emulators and verify app integrity) governs the Play Integrity and App Attest hooks.
- OWASP Application Security Verification Standard (ASVS) 5.0, Chapter V14 (Data Protection): The server-side access gate and PHI-bearing screen protections are implemented to ASVS V14 L3 requirements, covering data classification, client-side protection, and the attestation mandate for high-trust operations.
- OWASP MASVS-STORAGE-9: The privacy overlay that suppresses PHI from task-switcher thumbnails and iOS multitasker snapshots directly implements this MASVS control, using Android WindowManager FLAG_SECURE and an iOS applicationWillResignActive blur overlay.
- Google Play Integrity API: Android app attestation is implemented via the Play Integrity API, which provides a cryptographically verified verdict binding the app build identity to the device hardware, delivered as the X-Argus-Attestation header on high-trust requests.
- Apple App Attest (DCAppAttestService): iOS app attestation uses Apple's DCAppAttestService to produce a platform-issued token that ties the app to an authenticated Apple device, carried in the same X-Argus-Attestation header so the server can enforce identical policy across both mobile platforms.
- OAuth 2.0 Bearer Token (RFC 6750): All high-trust requests that carry device integrity and attestation signals are authenticated with a standard Bearer token in the Authorization header, ensuring the posture signal and the authenticated identity travel together to the access gate.
- HIPAA (Health Insurance Portability and Accountability Act): The PHI data-class definitions, screen-capture suppression requirements, and report-only posture policy are all shaped by HIPAA's technical safeguard obligations, which govern the use of protected health information on field mobile devices.
Security and Compliance
- OWASP MASVS L2 Alignment: Implements MSTG-RESILIENCE-1 (detect tampered runtime environment), MSTG-RESILIENCE-2 (respond to integrity violations), and MSTG-RESILIENCE-4 (detect emulators and app integrity).
- No Definitive Verdict: The heuristics are best-effort signals, not absolute proof. A clean filesystem does not guarantee an unrooted device, and the detector is designed to be conservative rather than heavy-handed, respecting that legitimate developers and field responders may run custom ROMs or sideloaded environments.
- Privacy Preserving: No device identifiers, user data, or file contents are logged, only abstract signal categories that indicate which class of heuristic fired.
- Audit Trail Integration: Every integrity check and violation signal is routed through the structured logging facade for SIEM and compliance reporting.
Availability
- Enterprise Plan: Included
- Professional Plan: Included
Last Reviewed: 2026-05-14
Last Updated: 2026-05-14