000035997 - Questions and Answers about Jailbroken or Rooted Mobile Devices in RSA Adaptive Authentication (OnPrem) 7.x

Document created by RSA Customer Support Employee on Feb 9, 2018Last modified by RSA Customer Support Employee on Feb 9, 2018
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000035997
Applies ToRSA Product Set: Adaptive Authentication (OnPrem)
RSA Product/Service Type: Adaptive Authentication (OnPrem)
RSA Version/Condition: 7.x
  • Q> How can we detect Jailbroken or Rooted mobile devices in AA?

This functionality is available with RSA Mobile SDK. RSA Mobile SDK collects mobile device information in JSON format and later send to AdaptiveAuthentication for risk assessment. One of the device elements includes a positive integer value indicating whether the device is rooted or jailed. This element is only supported with Android and iOS.
Using Mobile SDK requires a different license than AA.

Some basic concepts:
  • Collecting means retrieving the information from the mobile device.
  • There are different levels for collection
  • The collection output is a JSON string with the data retrieved from the device.
  • The field in the output that indicates if the device has been rooted or jailbroken, is field “Compromised”.
User-added image

  • Q> Can the “compromised” field be incorporated into the risk policy rules?  For example, if we hypothetically didn’t want to allow a login from a jailbroken device, would we either mandatory challenge or deny?

A> Yes, this field information can be used in the Policy Management rules.  It can be used in expressions like this:
User-added image
It will only apply for transactions coming from the mobile channel, so you can also validate the channel when doing so.

  • Q> Does this happen for mobile web also? Or only when using the Mobile SDK in the app? 

A> No, it does not.  Mobile web traffic is received as web, so it does not capture the compromised field.  This data is only captured by the Mobile SDK in the app.


  • Q> Is there a way we can find the Compromised attribute in the AA database tables?

A> This information about the “Compromised Device” is not available in any logs nor DB.  It is used in real time when the transaction is received.  

As a workaround, a Test rule can be created with the compromised condition.

User-added image

That way the rule will be triggered any time a transaction comes from a compromised device, but since it is in test mode it will not create a case.  It will be registered in the “EVENT_LOG” table under the [TEST_POLICY_RULE_ID] field and also in the audit and forensic logs.