OneSpan Threat View monitors the following types of data to analyze the collected threats and other information:
For information about data collection and GDPR compliance, see GDPR Compliance.
Retention of events data
Threat View collects the events in the corresponding database table. Threat View does not delete the table data by default but you can configure the retention time for the events data. By means of configurable variables, Threat View drops the relevant table partitions and enables you to automatically clean up the table.
We recommend the deletion of the events data at regular intervals.
Monitored ID data
Threat view generates and/or collects the following ID data:
Event ID
Threat View generates this to uniquely identify the event.
Session ID
Threat View generates this to uniquely identify the session.
User ID
Threat View generates this to uniquely identify the user.
Monitored device data
Threat View captures information about the used device. This information includes for example:
Device brand and model
Information about the operating system:
Type (Android or iOS)
Version
Device language
Device fingerprint
Time of the event
Monitored geolocation data
Threat View captures the latitude and longitude of the device to correlate the location with the collected threat event.
Geolocation data usage may be subject to the General Data Protection Regulation (GDPR) of the European Union, depending on the following conditions:
Geolocation granularity
The Threat View SDK will inherit and use the context related to geolocation data capturing that is provided by the mobile app in which the SDK has been integrated. This context depends on the geolocation precision level requested and granted by the mobile app itself as well as on the user overriding precise geolocation: if the mobile app has requested access to a precise location and/or fine-grained geolocation information and the device user has granted the mobile app the use of this detailed location information, the Threat View SDK will use this context.
Presence of a user ID on the geolocated device
If the developer of the mobile app that integrates the Threat View SDK sets the user ID and this user ID is available at the moment when Threat View generates events, Threat View will use the geolocation data for that user ID.
If these conditions apply, the monitored geolocation data is subject to the GDPR.
The usage of exact geolocation information is operation system-specific functionality and not Threat View-specific code. Even if the user has granted the mobile app to use precise geolocation, they can always disable this in the app settings. For more information about granting apps geolocation permissions, refer to the Android Developer Documentation and iOS Developer Documentation.
For more information about collection of geolocation data, see Overview of the Threat View Client SDK, for more information about the GDPR, see GDPR Compliance.
Network security information
Threat View collects information about network connectivity and security from OneSpan Threat Protection and its Network Security SDK for a specific device during a specific session. Network security information is no threat but is collected for analytical purposes. This enables you to use the obtained data and consider it as part of your threat landscape analysis.
Monitored app data
Threat View captures information about your mobile app that is installed on the user’s mobile device. This information includes for example:
App version
Date the app was installed on a specific device
Information about the app activity lifecycle: app start
Private/Work Profile (Running in Context)
Threat View indicates if the apps on the monitored devices are run from within a private space or work profile. This is available for Android only. In the Threat View user interface (Dashboard, All Events list etc.) this is the Running in Context event type.
Malware detection
Threat View integrates with OneSpan Threat Protection and its Malware Detection SDK, allowing Threat View to detect events caused by malware installed on the mobile device. This enables you to use the obtained data and consider this as part of your threat landscape analysis. Malware is detected on the basis of malware signature.
As the data on detected malware does not originate from Mobile Application Shielding, Threat View does not create a threat report for this data.
Types of monitored threats
Threat View captures information about real-time threats that are targeting the mobile app and allows you to get information about these threats. The captured information is based on data from Mobile Application Shielding and the Threat Protection SDKs for the threat types listed in the following table.
Threat View does not create a report for every threat type, and not every threat type is part of each visualization method or widget. For more information, see Visualization of monitored data.
Threat types by operating system | ||||
Threat type | Explanation | Supported for Android | Supported for iOS | Threat event report available |
|---|---|---|---|---|
App in Virtual Space | App is launched via a virtual space app which allows a user to potentially open several instances of an application, using different identities. |
|
| |
Debug Bridge Active | Android Debug Bridge (adb) is active on the device. |
|
| |
Developer Mode | Developer mode is enabled on the device. If a device is run in developer mode, certain development settings are enabled which carries potential security risks by opening certain attack vectors which could be abused. |
|
|
|
Emulated Input | Non-physical inputs (motion events) are known as emulated input. Emulated input might originate from the Android Debug Bridge (ADB), autoclick applications, screen-mirroring applications, screen reader applications etc. |
|
| |
Hooking Framework | Hooking frameworks can be used intercept function calls and alter the application’s behavior or flow at runtime. |
|
|
|
Library injection | To gain control of an application, attackers may inject code into the application to control it from within its own process. |
|
| |
Malware | The SDK detected installed malware on the mobile device. |
|
| |
Rooted / Jailbroken | Detects apps that are running on a rooted/jailbroken mobile device. On Android, this threat event type also indicates the probability that the app is rooted/jailbroken and displays it as a number between 0 and 100. |
|
|
|
Screen Mirroring | When a screen is mirrored, screen data could be exported and used in different ways. |
|
| |
Screen Recording | Applications can display sensitive information which could be extracted with a recording of the device screen. |
|
| |
Screenshot | Applications can display sensitive information which could be extracted by taking a screenshot. |
|
| |
Tapjacking | In tapjacking, a user is tricked into selecting a security-relevant control from an overlay that obscures the intended button. |
|
| |
Untrusted Keyboard | Custom keyboards installed on a device might have access to the internet and maliciously record sensitive data. |
|
| |
Untrusted Screenreader | Screenreaders provide accessibility aids but installed malware can also be activated as (untrusted) screenreader and interactively and remotely control the device and application. |
|
| |
.png?sv=2022-11-02&spr=https&st=2026-04-22T23%3A07%3A10Z&se=2026-04-22T23%3A22%3A10Z&sr=c&sp=r&sig=Fdu1tPgCXibprWgVhkZSffimqfslijp8CVyqRtoBQTY%3D)
For threat types that are specific to one operating system, there will be no data for the other operating system.