Monitoring
When you enable the Server Monitoring option, you can view the information your protected app reports from the field, right in the dashboard. Access it from the Monitoring menu in the sidebar.
In plain terms — it's like watching the CCTV feed from a store you've set up. You see who visited (usage) and whether anything suspicious happened (threats) all in one place.
What's included#
Monitoring is organized per app (package) and provides two things.
Usage · Access#
Shows who is actually using the app, where, and on which version.
| Metric | Meaning |
|---|---|
| Active devices | Number of distinct devices that ran the app |
| DAU / WAU / MAU | Active users over a day / week / month |
| Version distribution | Which app versions are in use, and how much |
| Country distribution | Which countries the app is used in |
No personally identifying information is collected — only an anonymous identifier used to distinguish devices. (See Data Security)
Threats#
A record of when the app detects a risky environment or attack attempt. See which threats occurred, on which versions, and how often.
Threat types detected#
| Label | Meaning |
|---|---|
ROOT | Running on a rooted device (safeguards removed) |
EMULATOR | Running on a virtual device emulated on a PC |
FRIDA · HOOK | A real-time tampering tool (hooking) was detected |
DEBUGGER · ADB | A debugging connection was detected |
TAMPER | Signs that the app file was tampered with were found |
Interpreting the metrics#
- Threat counts near zero — this is normal. It means protection is working quietly in the background.
- A particular threat spiking — there may be attack attempts on that version or region, so review that app version.
- Rooting or emulators observed consistently — some of your users may simply be running in such environments. If the share of legitimate users is high, you can adjust the relevant options.
Data Security#
All information is isolated per account.
- Other customers cannot view your account's data.
- Even if another customer uses the same package name, the data is never merged across accounts.
Severity classification#
Threats are graded by their impact.
| Grade | Threat (example) |
|---|---|
| critical | Integrity (TAMPER) |
| high | Instrumentation (FRIDA · HOOK · DEBUGGER) |
| medium | ROOT |
| low | EMULATOR · ADB |
Delivery reliability (full transparency)#
- Authentication — each piece of telemetry is signed with a per-app HMAC key. The master key is never deployed to devices, so extracting one app cannot forge reports for another.
- fail-safe — delivery is non-blocking and best-effort. Even if our servers fail or the network has problems, app behavior is not affected at all.
- TLS — telemetry is sent over system-CA-based TLS. Certificate pinning is intentionally not applied, because the ingest certificate rotates automatically every 90 days (a single pin would force re-protecting every customer on each rotation). Tamper resistance is achieved through TLS plus the per-app HMAC.
- On-device detection vs. delivery — detection of the 7 threat types is high-confidence, while delivery follows the fail-safe design above.
Enabling monitoring#
- The Server Monitoring option must be enabled at upload time (on by default).
- Once the protected app runs on real devices, information starts arriving.
- Select the app under Monitoring in the sidebar to view it.
Next#
- Protection Options — configure which threats to detect
- Threat Model — the full scope of defenses