Device Intelligence Check

Run a device intelligence check

This check can only be initiated through a Workflow Session and is not supported for direct API calls.

Learn more about Device Intelligence Checks.

Result object

The result object is only returned when the status of the check is complete . It has two components - outcome and breakdown.

Outcome

The outcome attribute represents the overall check result. Returned values include:

1. clear: Indicates every analysis type conducted returned a successful result.

2. attention: Indicates at least one of the analysis results requires attention.

Breakdown

The breakdown comprises the following objects:

physicalDeviceAnalysis object

The physical device analysis results. It has the following constituents:

• deviceEmulator: Indicates if the device is an emulator ( Android only).

• rootedApp: Indicates the app has been rooted ( Android only).

• browserTampering: Indicates the browser has been tampered with.

• jailbrokenDevice: Indicates the device has been jailbroken ( iOS only).

• clonedApp: Indicates the presence of app cloning, such as a fully duplicated application or one launched within a non-primary profile ( Android only).

• virtualMachine: Indicates if a browser running inside a virtual machine (e.g. VMWare) was used.

• locationSpoofing: Indicates if a mobile device has location spoofing enabled.

• fridaDetection: Indicates if Frida was being used.

• previouslyEnrolledDevice: Indicates if the device has been used by other clients before during onboarding.

networkAnalysis object

The network analysis results. It has the following constituents:

• vpnDetection: Indicates whether a virtual private network (VPN) was used.

• relayDetection: Indicates whether the originating IP address belongs to a known relay service provider.

botDetectionAnalysis object

The bot detection analysis results. It has the following constituents:

• botDetection: Indicates whether a bot was used.

timelineAnalysis object

The timeline analysis results. It has the following constituents:

• deviceTimelineAnalysis: Indicates whether the client’s use of devices across multiple sessions is suspicious.

• networkTimelineAnalysis: Indicates whether the client’s use of networks across multiple sessions is suspicious.

deviceData object

Data extracted about the devices. It has the following constituents:

• devices: Array of the devices used.

  • deviceId: A unique identifier for the device.

  • outcome: Whether the device is suspicious, either attention, not_processed or clear .

  • operatingSystem: The operating system of the device.

  • appName: The name of the app being used.

  • majorVersion: The major version of the app.

  • fullVersion: The full version of the app.

  • device: The type of device e.g. iOS-Device.

  • userAgent: The user agent.

  • incognito: A boolean with true if the browser was in incognito or private mode.

  • sessionsWhenDetected: A list of sessions when the device was detected.

    • sessionId : ID of the workflow session.

    • timestamp: When the device was logged in this session.

deviceTimelineData object

Data extracted about the devices over multiple verification sessions. It has the following constituents:

• incidents: A list of the suspicious incidents.

  • sessionId: ID of the session where it was suspicious.

  • reason: A reason code relating to the reason this incident was suspicious.

networkData object

Data extracted about the networks. It has the following constituents:

• networks: Array of the networks used.

  • ipAddress: The IP address of the network.

  • sessionsWhenDetected: A list of sessions when the device was detected.

    • sessionId : ID of the session.

    • timestamp: When the device was logged in this session.

  • networkSignals: Data on network characteristics.

    • timezoneMismatch: Indicates if the browser timezone doesn't match the timezone inferred by the IP address.

    • publicVPN: Indicates whether the IP address is owned and used by a public VPN service provider.

    • auxiliaryMobile: Indicates if a VPN was detected through additional, mobile-specific network checks.

    • deviceSignature: Indicates whether the operating system detected from browser is different to the operating system inferred from the network.

    • relayDetection: Indicates if the request IP address belongs to a relay service provider such as Apple Private relay or Cloudflare Warp.

  • geoLocationDetails: Data about the location of the IP address of the associated network.

    • accuracyRadius: The IP address is likely to be within this radius (in km) of the specified location.

    • address : This will be the structured address, which includes the following:

      • line: The address line.

      • city: The address city.

      • state: The address state.

      • postalCode: The address postal code.

      • latLong: The address latitude and longitude.

      • country: The address country. This will be the two-letter country ISO code..

  • asn: Data about the autonomous system managing the network.

    • asn: The autonomous system number (ASN) associated with the IP address.

    • name: The name of the organization that owns the ASN.

    • network: The network range associated with the ASN.

  • datacenter: Indicates if the IP address belongs to a known data centre or cloud hosting provider.

    • result: Boolean indicating whether the IP address is associated with a data centre.

    • name: The name of the data centre or hosting provider if available.

networkTimelineData object

Data extracted about the networks over multiple verification sessions. It has the following constituents:

• incidents: A list of the suspicious incidents.

  • sessionId: ID of the session where it was suspicious.

  • reason: A reason code relating to the reason this incident was suspicious.

Device incident reason codes

Network incident reason codes

Sample Response