Going to Production: Implementer Checklist for technical tasks
This page outlines the core technical areas that must be addressed before an Age Verification App based on the open-source toolbox can be deployed to production. The blueprint provides a working foundation, but it is intentionally a starting point, and several areas require implementer action before the app is production-ready. This list focuses on technical tasks. Legal compliance, governance agreements, issuer registration, and enrolment method validation are equally important but are not covered here.
This is not an exhaustive task list; a more detailed and formally structured implementation checklist is currently being developed and will be published separately.
1. Distribution and Production Signing
Establish the production application identity (app ID / bundle ID) and signing infrastructure. Generate signing keys and keep them in custody in a controlled environment with multi-person approval controls. Set up a phased rollout pipeline through the official store tracks and produce a signed SBOM for every release.
2. Build and Code Hardening
Verify and tighten the production build configuration: disable debug flags, restrict backup and export behaviour, remove cleartext-traffic permissions, and apply production-grade code obfuscation (R8 full mode / symbol stripping). Ensure no executable code can be loaded from the network at runtime.
3. Runtime Application Self-Protection (RASP)
Add a RASP layer — commercial or in-house — covering anti-debugging, anti-instrumentation, root/jailbreak detection, emulator detection, repackaging detection, and sensitive-screen protection. Detection signals feed the backend risk engine; they are not standalone hard blocks.
4. Device Integrity Attestation
Add device integrity checks (e.g. key attestation, the Play Integrity API on Android and App Attest on iOS) into every issuing flow, binding each attestation to a backend-issued nonce. Deploy a dedicated backend evaluator that verifies verdicts and feeds results into the risk engine. Issue wallet-instance attestations only after a successful integrity evaluation.
5. Network Hardening
Lock down the production Network Security Config (Android) and App Transport Security (iOS): no cleartext traffic, and user-installed CAs excluded for sensitive flows. Certificate pinning (or an equivalent certificate transparency check) is proposed. When certificate pinning is adopted, a documented and rehearsed rotation playbook is a prerequisite.
6. Backend Security Controls
Deploy a server-side risk engine that consumes attestation verdicts and client signals and returns per-session decisions. Implement a force-update mechanism and a kill-switch capable of blocking specific app versions or device instances. Add rate limiting and anomaly detection across issuance and presentation flows.
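As an added illustration of items 4 and 6 (example code, not part of the toolbox), the sketch below shows a backend evaluator that binds each integrity verdict to a single-use, time-limited nonce and turns the outcome into risk signals for a per-session decision. The verdict dict mirrors the field names of a decoded Play Integrity token; decryption and signature verification of the real token are assumed to have already happened, and the expected package name and certificate digest are placeholder values chosen by the implementer.

```python
import secrets
from dataclasses import dataclass, field

NONCE_TTL_SECONDS = 300  # a verdict must come back within 5 minutes of nonce issuance

@dataclass
class NonceStore:
    """Backend record of issued nonces (in-memory here; use a shared store in production)."""
    pending: dict = field(default_factory=dict)  # nonce -> (session_id, issued_at)

    def issue(self, session_id: str, now: float) -> str:
        nonce = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable by the client
        self.pending[nonce] = (session_id, now)
        return nonce

    def consume(self, nonce: str, session_id: str, now: float) -> bool:
        """Single use: the nonce is removed on first presentation, valid or not."""
        entry = self.pending.pop(nonce, None)
        if entry is None:
            return False
        bound_session, issued_at = entry
        return bound_session == session_id and now - issued_at <= NONCE_TTL_SECONDS

def evaluate_verdict(store, session_id, verdict, expected_package, expected_cert_digest, now):
    """Return (accepted, signals). Nonce binding is a hard requirement; the rest are risk signals."""
    req = verdict.get("requestDetails", {})
    if not store.consume(req.get("nonce", ""), session_id, now):
        return False, ["nonce_invalid_or_replayed"]
    signals = []
    if req.get("requestPackageName") != expected_package:
        signals.append("package_mismatch")
    app = verdict.get("appIntegrity", {})
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        signals.append("app_not_recognized")
    if expected_cert_digest not in app.get("certificateSha256Digest", []):
        signals.append("signing_cert_mismatch")
    device = verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if "MEETS_DEVICE_INTEGRITY" not in device:
        signals.append("device_integrity_missing")
    return True, signals

def risk_decision(signals):
    """Placeholder risk engine: map signals to a per-session decision (allow / step_up / deny)."""
    if set(signals) & {"package_mismatch", "app_not_recognized", "signing_cert_mismatch"}:
        return "deny"
    if "device_integrity_missing" in signals:
        return "step_up"  # e.g. route to a higher-assurance issuing path instead of a hard block
    return "allow"
```

The thresholds in risk_decision are policy, not protocol: the only outright rejection here is a nonce that is missing, replayed, expired or bound to another session.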
7. Pre-Release Testing and Security Operations
Complete a penetration test before first release and remediate findings within a defined SLA. Publish a vulnerability disclosure programme. Write and exercise incident-response runbooks for key compromise, compromised release, and CVE scenarios. Define a device-inclusion/blocking policy and establish backend security monitoring with explicit time-to-detect and time-to-act objectives.