# Device Intelligence Check ## Run a device intelligence check This check can only be initiated through a Workflow Session and is not supported for direct API calls. [Learn more about Device Intelligence Checks](https://app.gitbook.com/s/KyFKMqftsmT6qln9zo5y/digital-fraud-intelligence/device-intelligence-check). {% hint style="info" %} Get in touch with your Account Manager or [contact us](https://www.complycube.com/sales) to enable this service. {% endhint %} ## Result object The `result` object is only returned when the status of the check is `complete` . It has two components - `outcome` and `breakdown`. ### Outcome The outcome attribute represents the overall check result. Returned values include: 1. `clear`: Indicates every analysis type conducted returned a successful result. 2. `attention`: Indicates at least one of the analysis results requires attention. ### Breakdown The breakdown comprises the following objects: `physicalDeviceAnalysis` **object** The physical device analysis results. It has the following constituents: * `deviceEmulator`: Indicates if the device is an emulator (:android: Android only). * `rootedApp`: Indicates the app has been rooted (:android: Android only). * `browserTampering`: Indicates the browser has been tampered with. * `jailbrokenDevice`: Indicates the device has been jailbroken (:apple: iOS only). * `clonedApp`: Indicates the presence of app cloning, such as a fully duplicated application or one launched within a non-primary profile (:android: Android only). * `virtualMachine`: Indicates if a browser running inside a virtual machine (e.g. VMWare) was used. * `locationSpoofing`: Indicates if a mobile device has location spoofing enabled. * `fridaDetection`: Indicates if Frida was being used. * `previouslyEnrolledDevice`: Indicates if the device has been used by other clients before during onboarding. `networkAnalysis` **object** The network analysis results. It has the following constituents: * `vpnDetection`: Indicates whether a virtual private network (VPN) was used. * `relayDetection`: Indicates whether the originating IP address belongs to a known relay service provider. `botDetectionAnalysis` **object** The bot detection analysis results. It has the following constituents: * `botDetection`: Indicates whether a bot was used. `timelineAnalysis` **object** The timeline analysis results. It has the following constituents: * `deviceTimelineAnalysis`: Indicates whether the client’s use of devices across multiple sessions is suspicious. * `networkTimelineAnalysis`: Indicates whether the client’s use of networks across multiple sessions is suspicious. `deviceData` **object** Data extracted about the devices. It has the following constituents: * `devices`: Array of the devices used. * `deviceId`: A unique identifier for the device. * `outcome`: Whether the device is suspicious, either `attention`, `not_processed` or `clear` . * `operatingSystem`: The operating system of the device. * `appName`: The name of the app being used. * `majorVersion`: The major version of the app. * `fullVersion`: The full version of the app. * `device`: The type of device e.g. `iOS-Device`. * `userAgent`: The user agent. * `incognito`: A boolean with `true` if the browser was in incognito or private mode. * `sessionsWhenDetected`: A list of sessions when the device was detected. * `sessionId` : ID of the workflow session. * `timestamp`: When the device was logged in this session. `deviceTimelineData` **object** Data extracted about the devices over multiple verification sessions. It has the following constituents: * `incidents`: A list of the suspicious incidents. * `sessionId`: ID of the session where it was suspicious. * `reason`: A [reason code](#device-incident-reason-codes) relating to the reason this incident was suspicious. `networkData` **object** Data extracted about the networks. It has the following constituents: * `networks`: Array of the networks used. * `ipAddress`: The IP address of the network. * `sessionsWhenDetected`: A list of sessions when the device was detected. * `sessionId` : ID of the session. * `timestamp`: When the device was logged in this session. * `networkSignals`: Data on network characteristics. * `timezoneMismatch`: Indicates if the browser timezone doesn't match the timezone inferred by the IP address. * `publicVPN`: Indicates whether the IP address is owned and used by a public VPN service provider. * `auxiliaryMobile`: Indicates if a VPN was detected through additional, mobile-specific network checks. * `deviceSignature`: Indicates whether the operating system detected from browser is different to the operating system inferred from the network. * `relayDetection`: Indicates if the request IP address belongs to a relay service provider such as [Apple Private relay](https://support.apple.com/en-us/102602) or [Cloudflare Warp](https://developers.cloudflare.com/warp-client/). * `geoLocationDetails`: Data about the location of the IP address of the associated network. * `accuracyRadius`: The IP address is likely to be within this radius (in km) of the specified location. * `address` : This will be the structured address, which includes the following: * `line`: The address line. * `city`: The address city. * `state`: The address state. * `postalCode`: The address postal code. * `latLong`: The address latitude and longitude. * `country`: The address country. This will be the [two-letter country ISO code](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2).. * `asn`: Data about the autonomous system managing the network. * `asn`: The autonomous system number (ASN) associated with the IP address. * `name`: The name of the organization that owns the ASN. * `network`: The network range associated with the ASN. * `datacenter`: Indicates if the IP address belongs to a known data centre or cloud hosting provider. * `result`: Boolean indicating whether the IP address is associated with a data centre. * `name`: The name of the data centre or hosting provider if available. `networkTimelineData` **object** Data extracted about the networks over multiple verification sessions. It has the following constituents: * `incidents`: A list of the suspicious incidents. * `sessionId`: ID of the session where it was suspicious. * `reason`: A [reason code](#network-incident-reason-codes) relating to the reason this incident was suspicious. #### **Device incident reason codes**
CodeDescription
new_operating_system_detectedA device with an operating system that has not been used before was recorded in this session. Does not flag on the first device used.
many_devices_used_in_sessionMore than one device was used during this session. The only exception is in cross-device scenarios, such as when a session begins on a laptop and is later continued on a phone, which is a common scenario.
#### **Network incident reason codes** | Code | Description | | ---------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | | `large_network_location_variation` | The location of networks detected within a session varied by more than 100km (or what was configured in the workflow) | | `networks_in_different_countries` | The location of the networks detected across all sessions varied in terms of country. | | `new_country_detected` | A network with location from an unseen country was detected in this session. Does not flag for the first seen country. | | `multiple_new_countries_detected` | Multiple networks with locations from unseen countries were detected in this session. | | `many_networks_used_in_session` | Six or more networks were used in a single session. | ## Sample Response ```javascript { "id": "6231d54079f59b1530fc76e3", "entityName": "John Doe", "type": "device_intelligence_check", "clientId": "6230d4ab58ed4a434afbf2cc", "status": "complete", "result": { "outcome": "clear", "breakdown": { "physicalDeviceAnalysis": { "deviceEmulator": "clear", "rootedApp": "clear", "browserTampering": "clear", "jailbrokenDevice": "clear", "clonedApp": "clear", "virtualMachine": "clear", "locationSpoofing": "clear", "fridaDetection": "clear", "previouslyEnrolledDevice": "clear" }, "networkAnalysis": { "vpnDetection": "clear", "relayDetection": "clear" }, "botDetectionAnalysis": { "botDetection": "clear" }, "timelineAnalysis": { "deviceTimelineAnalysis": "clear", "networkTimelineAnalysis": "clear" }, "deviceData": { "devices": [ { "deviceId": "......", "outcome": "clear", "operatingSystem": "iOS", "appName": "CcSampleApp", "majorVersion": "67", "fullVersion": "67", "device": "iOS-Device", "userAgent": "CcSampleApp/67 CFNetwork/1568.200.51 Darwin/24.1.0" "incognito": false, "sessionsWhenDetected": [ { "sessionId": "l23j4ll2342", "timestamp": 7399001291 } ] }, { "deviceId": "......", "outcome": "attention", "operatingSystem": "iOS", "appName": "CcSampleApp", "majorVersion": "67", "fullVersion": "67", "device": "iOS-Device", "userAgent": "CcSampleApp/67 CFNetwork/1568.200.51 Darwin/24.1.0" "incognito": false, "sessionsWhenDetected": [ { "sessionId": "l23j4ll2342", "timestamp": 7399001291 } ], "clientsPreviouslyEnrolledWith": [ "jom3on9823c231230ss" ] } ] }, "deviceTimelineData": { "incidents": [ { "sessionId": "al3k4l2l3m4", "reason": "many_devices_used_in_session" }, { "sessionId": "l23j4ll2342", "reason": "new_operating_system_detected" } ] }, "networkData": { "networks": [ { "ipAddress": "82.2.156.115", "sessionsWhenDetected": [ { "sessionId": "l23j4ll2342", "timestamp": 7399001291 } ], "networkSignals": { "timezoneMismatch": "clear", "publicVPN": "clear", "auxiliaryMobile": "clear", "deviceSignature": "clear", "relayDetection": "clear" }, "geoLocationDetails": { "accuracyRadius": 10, "address": { "country": "GB", "city": "Tower Hamlets", "postalCode": "E14", "latLong": "51.5064,-0.02", }, "timezone": "Europe/London" }, "asn": { "asn": "4087", "name": "Virgin Media", "network": "83.2.0.0/16" }, "datacenter": { "result": false, "name": "" } } ] }, "networkTimelineData": { "incidents": [ { "sessionId": "al3k4l2l3m4", "reason": "multiple_new_countries_detected" }, { "sessionId": "al3k4l2l3m4", "reason": "many_networks_used_in_session" }, { "sessionId": "l23j4ll2342", "reason": "large_network_location_variation" } ] } } }, "updatedAt": "2025-01-01T12:17:06.046Z", "createdAt": "2025-01-01T12:17:04.809Z" } ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.complycube.com/documentation/api-reference/check-types/device-intelligence-check.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.