Categories of Gathered Data
In-App Protection gathers only technical and device-related data required to evaluate the security and integrity of the application runtime environment. These data do not include direct identification data such as name, address, email address, phone number, or national identification number. Where the gathered data can be linked directly or indirectly to a natural person, they should be treated as pseudonymous personal data under GDPR.
This chapter describes all supported categories of data that may be stored by In-App Protection. The actual scope of stored data depends on the specific SDK configuration and enabled features used in a given deployment. As a result, not every deployment will store all identifiers, flags, or event records described in this chapter. The full description of flags and events is in the respective SDK documentation.
Device-Related Identifiers
This category covers identifiers used to distinguish a device or client instance.
System-assigned device ID
An identifier assigned by the system to a device record. This identifier is derived using device fingerprinting techniques, but the underlying device fingerprint is not stored by the system.
Customer-assigned device ID
An identifier assigned by the customer to a device and provided to the system.
Customer-assigned client ID
An identifier assigned by the customer to a client, installation, or application instance and provided to the system.
Device Security and Integrity Attributes
This category covers technical attributes that describe the current security posture of the device, application runtime, and network environment. In In-App Protection, these attributes are primarily represented as device flags. A flag expresses whether a specific security-relevant condition is currently detected for a given device record.
The following flags can be stored in this category:
Device compromise and app integrity
- ROOTED – indicates that the Android device appears to be rooted.
- JAILBROKEN – indicates that the iOS device appears to be jailbroken.
- REPACKAGED_SOURCE – indicates that the application appears to have been repackaged or modified from its expected distribution source.
- UNWANTED_APPS – indicates presence of applications considered unwanted or risky from a security perspective.
Runtime and environment security
- EMULATOR – indicates that the application appears to be running in an emulator.
- ADB_ENABLED – indicates that Android Debug Bridge is enabled on the device.
- DEVELOPER_MODE – indicates that developer mode is enabled on the device.
- HTTP_PROXY – indicates that an HTTP proxy is configured on the device.
- DISABLED_PLAY_PROTECT – indicates that Google Play Protect is disabled.
Device protection configuration
- NO_SCREEN_LOCK – indicates that no device screen lock is configured.
- NO_BIOMETRY – indicates that biometric authentication is not configured or not available.
These attributes are technical security indicators. On their own, they do not directly identify a natural person. However, where they are stored together with a device ID, customer-assigned device ID, customer-assigned client ID, or another identifier that makes the device record linkable to a specific user or client, they should be treated as pseudonymous personal data under GDPR.
Security Event Records
In-App Protection can also store events. An event is a timestamped record describing that a particular security-relevant action, change, or detection occurred on a device or within an application session. Events represent historical telemetry, unlike flags, which represent the current or last known state of a device.
The following event groups can be stored:
Network security events
Events describing network conditions that may affect security:
- VPN_ACTIVE - VPN was activated.
- VPN_NOT_ACTIVE - VPN was deactivated.
Runtime events
Events describing runtime inspection or debugging conditions:
- JAVA_DEBUGGER - JAVA debugger detected.
- NATIVE_DEBUGGER - NATIVE debugger detected.
System and device state events
Events describing changes in application lifecycle, device security, or software versions:
- CRASH - Source application crashed.
- SCREEN_CAPTURE_ON - The screen is being captured.
- SCREEN_CAPTURE_OFF - The screen stops being captured.
- DEVICE_REATTACHED - The device is re-attached with an already known device ID.
- SDK_VERSION_CHANGED - The version of the SDK has changed.
User action events
Events triggered by changes in customer-provided identifiers:
- CLIENT_APP_DEVICE_ID_CHANGED - New customer-assigned device ID was assigned to the device.
- CLIENT_APP_USER_ID_CHANGED - New customer-assigned client ID was assigned to the device.
Security event records are technical telemetry about device, application, and runtime behavior. They do not contain direct identification data such as name, email address, phone number, or national identification number. However, where event records are associated with a device ID, customer-assigned device ID, customer-assigned client ID, or another persistent identifier, they should be treated as pseudonymous personal data under GDPR.
GDPR Categorization Summary
For GDPR purposes, the gathered data are categorized as follows:
Device-Related Identifiers
These are identifiers used to distinguish a device or client instance and can therefore constitute pseudonymous personal data:
- system-assigned device ID
- customer-assigned device ID
- customer-assigned client ID
Security Telemetry
These are technical records describing detected security conditions, runtime conditions, network conditions, application lifecycle changes, and similar observations:
- device flags
- device events
Not gathered by this component
In-App Protection does not gather direct identification data such as:
- name
- postal address
- email address
- phone number
- national identification number
- IP address