# Device Attestation {% hint style="info" %} The Device Attestation result must be actively parsed and evaluated within your backend as part of your core business logic. Each flag should be assessed according to your specific risk model and use case. While some attributes may require contextual evaluation depending on your policies and fraud strategy, other attributes should immediately be treated as high-risk indicators. Please note that Device Attestation protects the SDK runtime environment only. For comprehensive application security, such as detecting app tampering, cloning, or unauthorized distribution, it is strongly recommended to implement additional protection mechanisms (e.g., Google Play Integrity or equivalent solutions) to safeguard the entire application. {% endhint %} ### For Mobile ```json { "deviceAttestation": { "risk": { "applicationStore": "receipt", "debugging": false, "hooking": false, "deviceMasked": false, "emulated": false, "rooted": false, "proxy": false, "gpsSpoofers": false, "screenSharing": false, "vpnRunning": false, "suspiciousFactoryReset": false, "sdkConnectionIntercepted": false, "payloadTampered": false }, "info": { "identifier": "3b3464596d481243ec3dd10e776d8cd1", "platform": "IOS", "manufacturer": "apple", "model": "iphone14,2", "version": "26.2.1", "cpuArchitecture": "darwin kernel version 25.2.0: fri jan 9 18:26:51 pst 2026; root:xnu-12377.62.10~267/release_arm64_t8110", "timezone": "7", "userAgent": "Demo/1 CFNetwork/3860.300.31 Darwin/25.2.0", "ipInfo": [ { "ip": "1.1.1.1", "countryCode": "AE" } ], "gpsCoordinates": [] } } } ``` ### For Web ```json { "deviceAttestation": { "risk": { "emulated": false, "proxy": false, "bot": false, "incognito": false, "tor": false, "antiFingerprintingDetected": false, "browserSpoofed": false }, "info": { "identifier": "391d6baa5425b6dd3b77694d426ecf42", "platform": "WEB", "manufacturer": "Apple", "model": "iPhone", "timezone": "7", "userAgent": "Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.2 Mobile/15E148 Safari/604.1", "ipInfo": [ { "ip": "1.1.1.1", "countryCode": "AE" } ], "gpsCoordinates": [], "browserName": "Mobile Safari", "browserPlatform": "iPhone", "browserVersion": "26.2", "browserType": "MOBILE", "osName": "iOS", "osVersion": "18.7", "siteReferrer": "https://example.com" } } } ``` ### Risk Attributes {% hint style="info" %} In general, each risk flag listed below should be evaluated according to your own business logic and specific use case. However, certain attributes should clearly be treated as red flags when processing the SDK result on your backend. These attributes include:
**applicationStore**\ **debugging**\ **hooking**\ **emulated** \ **rooted**\ **proxy**\ **sdkConnectionIntercepted**\ **payloadTampered** {% endhint %} | Attribute | Description | Additional info | | ------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------- | | **applicationStore** | Indicates where the app is downloaded from | Mobile only | | **debugging** | Indicates if debugging is enabled on the device | Mobile only | | **hooking** | Indicates if the user is altering the behavior of the OS or apps by intercepting function calls or events | Mobile only | | **deviceMasked** | Indicates if the user has modified or spoofed device attributes to appear as another device | Mobile only | | **emulated** | Indicates if the user is using the app in an emulator | Mobile and Web | | **rooted** | Indicates if the user is using a jailbroken or rooted device | Mobile only | | **proxy** | Indicates if the traffic runs through a VPN, proxy, or other hosting facility | Mobile and Web | | **gpsSpoofers** | Indicates if the user is running GPS spoofers while using the app | Mobile only | | **screenSharing** | Indicates if the user's screen is remotely accessed or shared to an external display | Mobile only | | **vpnRunning** | Indicates if the user is running VPN apps while using the app | Mobile only | | **suspiciousFactoryReset** | The device shows evidence of a recent or abnormal factory reset, which may indicate an attempt to hide tampering or create a clean environment for fraudulent KYC activity | Mobile only | | **sdkConnectionIntercepted** | Someone is actively intercepting, modifying, or inspecting the SDK’s encrypted traffic | Mobile only | | **payloadTampered** | Indicates if the device attestation payload was modified in transit | Mobile only | | **bot** | Indicates if this is a bot activity | Web only | | **incognito** | Indicates if the user is running a browser in incognito mode | Web only | | **tor** | Indicates if the Tor browser is being used | Web only | | **antiFingerprintingDetected** | Indicates if any anti-fingerprinting tools are activated. Browser fingerprint data is being intentionally modified or obfuscated | Web only | | **browserSpoofed** | Indicates if the user has modified or spoofed the browser attributes | Web only | ### Info Attributes {% hint style="info" %} The unique device identifier listed below remains consistent across multiple installations of the same app. This is valuable because it enables you to associate multiple sessions with a single device. It should be leveraged for fraud detection purposes, for example, identifying cases where the same device is used by different individuals with different ID documents. {% endhint %}
AttributeDescriptionAdditional info
identifierUnique device identifierNote: This is a critical information that can be used to link multiple sessions to the same device
platformThe device platform (Android, iOS, or Web)

Possible values: 

ANDROID, IOS, WEB
manufacturerDevice manufacturer
modelDevice model
versionDevice version
cpuArchitectureCPU architecture
ipInfoArray of IP addresses and related countries
gpsCoordinatesArray of GPS coordinates in the form astring, e.g. "lat,long"Note: GPS coordinates are accessible only if the hosting application has been granted the appropriate permissions and the end user has approved access. The Uqudo SDK does not request location permissions directly
timezoneDevice timezone. A string representing the offset of a number of hours (and occasionally half or quarter hours) "ahead of GMT" or "behind GMT"
userAgentDevice user agent
browserNameBrowser name, e.g. ChromeWeb only
browserPlatformBrowser platform, e.g. MacIntelWeb only
browserVersionBrowser versionWeb only
browserTypeBrowser type, e.g. Desktop

Web only.
Possible values:

DESKTOP, MOBILE
osNameOS name, e.g. Mac OS XWeb only
osVersionOS version, e.g. 10.15.7Web only
siteReferrerReferer header content if presentWeb only