
Going to Production: Implementer Checklist for technical tasks

This page outlines the core technical areas that must be addressed before an Age Verification App based on the open-source toolbox can be deployed to production. The blueprint provides a working foundation, but it is intentionally a starting point, and several areas require implementer action before the app is production-ready. This list focuses on technical tasks. Legal compliance, governance agreements, issuer registration, and enrolment method validation are equally important but are not covered here.

The high-level implementation tasks listed on ageverification.dev are further expanded and operationalised in the Production Hardening Guide:

- Production Hardening Guide for iOS
- Production Hardening Guide for Android

1. Distribution and Production Signing

Establish the production application identity (app ID / bundle ID) and signing infrastructure. Generate and custody signing keys in a controlled environment with multi-person approval controls. Set up a phased rollout pipeline through the official store tracks and produce a signed Software Bill of Materials (SBOM) for every release.

2. Build and Code Hardening

Verify and tighten the production build configuration: disable debug flags, set the appropriate log level, restrict backup and export behaviour, remove cleartext-traffic permissions, and apply production-grade code obfuscation (R8 full mode / symbol stripping). Ensure no executable code can be loaded from the network at runtime.

3. Runtime Application Self-Protection (RASP)

Add a RASP layer — commercial or in-house — covering anti-debugging, anti-instrumentation, root/jailbreak detection, emulator detection, repackaging detection, and sensitive-screen protection. Detection signals feed the backend risk engine; they are not standalone hard blocks.

4. Device Integrity Attestation

Integrate device integrity checks (e.g. hardware-backed key attestation, Play Integrity API (Android) and App Attest (iOS)) into every issuing flow, binding each attestation to a backend-issued nonce. Deploy a dedicated backend evaluator that verifies verdicts and feeds results into the risk engine. Issue wallet-instance attestations only after a successful integrity evaluation.
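
One way to implement the backend side of the nonce binding described above, as an added example that is not part of the toolbox or the hardening guides. The class and function names, the 120-second lifetime, and the shape of the `verdict` dict (assumed to be already signature-verified by the evaluator) are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL_SECONDS = 120  # assumed validity window, not a value from the page


class NonceStore:
    """In-memory store of backend-issued attestation nonces (hypothetical)."""

    def __init__(self, ttl=NONCE_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # session_id -> (sha256(nonce), expiry)

    def issue(self, session_id):
        """Create a fresh nonce bound to one issuing session."""
        nonce = secrets.token_urlsafe(32)
        digest = hashlib.sha256(nonce.encode()).digest()
        self._pending[session_id] = (digest, self._clock() + self._ttl)
        return nonce

    def consume(self, session_id, presented_nonce):
        """Return 'ok' or a reason code the risk engine can log."""
        # pop() makes the nonce single-use: any attempt, valid or not, burns it.
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return "unknown_or_replayed"
        digest, expiry = entry
        if self._clock() > expiry:
            return "expired"
        presented = hashlib.sha256(presented_nonce.encode()).digest()
        if not hmac.compare_digest(digest, presented):  # constant-time compare
            return "mismatch"
        return "ok"


def may_issue_wallet_attestation(store, session_id, verdict):
    """Gate issuance on both the nonce binding and the integrity verdict.

    `verdict` is a hypothetical dict produced by the backend evaluator after
    it has verified the platform attestation: {"nonce": str, "integrity_ok": bool}.
    """
    nonce_result = store.consume(session_id, str(verdict.get("nonce", "")))
    allowed = nonce_result == "ok" and verdict.get("integrity_ok") is True
    return allowed, nonce_result
```

A multi-instance backend would keep the pending nonces in a shared store with atomic delete-on-read so that replay across instances is also rejected.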

5. Network Hardening

Lock down the production Network Security Config (Android) and App Transport Security (iOS): no cleartext traffic, user CAs excluded for all flows. Certificate pinning is recommended with a documented and rehearsed rotation playbook.

6. Backend Security Controls

Deploy a server-side risk engine that consumes attestation verdicts and client signals and returns per-session decisions. Implement a force-update mechanism and a kill-switch capable of blocking specific app versions or device instances. Add rate limiting and anomaly detection across issuance and presentation flows.

7. Pre-Release Testing and Security Operations

Complete a penetration test before first release and on a recurring basis, and remediate findings within a defined SLA. Publish a vulnerability disclosure programme. Write and exercise incident-response runbooks for key compromise, compromised release, and CVE scenarios. Define a device-inclusion/blocking policy and establish backend security monitoring with explicit time-to-detect and time-to-act objectives.