YinkoShield

knowledge center · technical reference + field notes

The unobserved interval. Checkpoint architectures. Attack catalogues.

Technical, dated, source-backed, and separated from product claims. The technical reference for execution evidence infrastructure, plus field notes from running it at scale — claims sourced to a deployment, a spec section, or a field observation.

44 articles published since 2025·03.

themes · technical reference

Browse by theme.

Pick a theme. Each one collects the articles, attack catalogues, architectural arguments, and operational references for one slice of execution evidence infrastructure — written for security architects, engineering teams, and technical reviewers at payment schemes, banking regulators, internal audit functions, and dispute-investigation teams.

  1. theme 01

    The Unobserved Interval

    The runtime stretch between credential authentication and execution submission, mapped under Play Integrity, FIDO2, EMV, behavioural biometrics, and PSD2 SCA.

    5 articles

  2. theme 02

    Checkpoint architectures

    What today's checkpoint substrates prove, mapped accurately — Play Integrity, App Attest, EMV, FIDO2, SafetyNet legacy, behavioural biometrics, hardware attestation.

    7 articles

  3. theme 03

    Mobile runtime attacks

    Thirteen attack classes plus one regional threat-intel report. Overlay, accessibility, IME, screen-capture, snapshot-timing, run-as, instrumentation, root-cloaking, memory rewrites — each documented with mechanism, syscalls touched, checkpoints bypassed, and the signed Evidence Token shape produced when the substrate sees it.

    14 articles

  4. theme 04

    POS, mPOS, and SST runtime threats

    Five attack classes across the non-mobile surface area: terminal tampering, side-loaded apps on Android mPOS, OS downgrade attacks, kiosk-shell escape on Linux SST, and attestation drift across distributed fleets. Each scoped to its certification regime — PCI PTS, PCI MPoC, country-specific SST cert.

    5 articles

  5. theme 05

    Evidence architecture

    The positive technical proposition. Six articles across four primitives — append-only ledger, forward chaining, self-signing devices, local key custody, host-side correlation, signal vs verdict separation. The substrate side of the story.

    6 articles

  6. theme 06

    Audit, dispute, and evidence formats

    The operational reference: the structural shape of the JWS-compact wire format (Minimal + Standard profiles), the eight-stage verifier contract, the chargeback dispute workflow, the regulator-readable boundary, and the cross-language conformance property across four reference verifiers. Field schema and pseudocode bodies are in the YEI-001 normative specification.

    5 articles

archive · every article, newest first

  1. 2026·05 Audit, dispute, and evidence formats

    Cross-language conformance — four reference verifiers, identical output

    Four reference verifiers across four runtimes share one corpus and produce identical verdicts. Cross-language conformance is the property; the corpus is gated.

  2. 2026·05 Audit, dispute, and evidence formats

    Regulator-readable evidence — what is auditable, what stays operator-side

    Public artefacts are sufficient for architectural pre-qualification. Full audit and dispute replay require the normative spec body and operator-held evidence.

  3. 2026·04 Audit, dispute, and evidence formats

    Dispute evidence workflow — chargeback investigator path

    Dispute opens, operator queries the corpus by tctx, replays the signed sequence, presents three audience-scoped views — investigator, cardholder, regulator.

  4. 2026·04 Audit, dispute, and evidence formats

    Verifier pipeline — the eight-step contract

    Eight stages, in order: parse, header, key, signature, chain, freshness, policy, emit. Contract is public; pseudocode bodies and failure enum sit in the spec.

  5. 2026·04 Audit, dispute, and evidence formats

    Evidence Token format — structural shape and the two profiles

    JWS-compact ES256 wire shape with two profiles — Minimal for chain verification, Standard adds the signal payload. Field schema sits in the YEI-001 spec.

  6. 2026·04 Evidence architecture

    Signal / verdict separation — the substrate observes, the operator decides

    The substrate signs signals. The operator decides verdicts. One signal stream feeds many policy regimes — re-policed and re-played without re-signing.

  7. 2026·03 Evidence architecture

    Host-side correlation — composing signed evidence with operator pipelines

    EEI does not replace auth, fraud, AML, or dispute pipelines. It gives each of them a signed device-side column they did not have before.

  8. 2026·03 Evidence architecture

    Local key custody — device, operator, and vendor boundaries

    The private key never leaves the device. The operator holds the public-key registry and verifier. YinkoShield holds none of it — by design, not promise.

  9. 2026·03 Evidence architecture

    Self-signing devices — device-resident keypair semantics

    ES256 keypair per device, hardware-backed where available. Non-exportable; signing makes records portable across operator and regulator without any vendor.

  10. 2026·03 Evidence architecture

    Forward chaining — three independent invariants for drop, edit, replay

    Three independent invariants — prev_hash, monotonic seq, single boot_id — surface drop, edit, reorder, and replay locally; no clock, no coordination.

  11. 2026·03 Evidence architecture

    Append-only hash-linked ledgers — structure and storage semantics

    Append-only and hash-linked is a structural property. A local mutation of any record breaks an invariant the verifier checks without trusting the device.

  12. 2026·03 POS, mPOS, and SST runtime threats

    Attestation drift across distributed terminal fleets

    Per-device attestation answers per-device. At fleet scale, the question is about the distribution. Signed evidence makes the shape legible.

  13. 2026·03 POS, mPOS, and SST runtime threats

    Kiosk-shell escape on Linux self-service terminals

    A Linux SST runs the certified app inside a kiosk shell. Escape vectors are everything that crosses the enclosure — keyboard, USB, file dialog, recovery.

  14. 2026·02 POS, mPOS, and SST runtime threats

    OS downgrade attacks on payment terminals

    Rollback prevention is a counter compared against a fuse floor at boot. Downgrade attacks live where the floor check has bypass conditions in shipped fleets.

  15. 2026·02 POS, mPOS, and SST runtime threats

    Side-loaded applications on Android-based mPOS

    An Android mPOS hosts the PCI MPoC payment app alongside everything else. Side-loaded APKs can attempt the full mobile-runtime attack catalogue.

  16. 2026·02 POS, mPOS, and SST runtime threats

    POS terminal tampering — physical and firmware attack surface

    PCI PTS draws an envelope around the terminal's secure cryptographic processor. Two attack surfaces test it: physical penetration and firmware-flash.

  17. 2026·02 Mobile runtime attacks

    Runtime memory manipulation — process-memory rewriting

    Two paths rewrite a process's .text segment: /proc/[pid]/mem direct write, or mprotect-then-memcpy. The signal is in-memory hash drift.

  18. 2026·02 Mobile runtime attacks

    Magisk and Zygisk — rootkit-class module abuse

    Zygisk modules load inside the zygote before fork. The target app's first line of code runs with the modules already mapped into its address space.

  19. 2026·02 Mobile runtime attacks

    Debugger attachment and runtime introspection

    On Android, /proc/[pid]/status's TracerPid reveals an attached debugger. On iOS, kp_proc.p_flag's P_TRACED is the equivalent.

  20. 2026·02 Mobile runtime attacks

    Hook-detection bypass and counter-detection

    Each detection rung — maps scan, syscall scan, prologue-hash, remote attestation — has documented counter-techniques. The substrate signs what was observed.

  21. 2026·01 Mobile runtime attacks

    Root cloaking — hiding root state from in-app checks

    Magisk DenyList defeats heuristic probes. It does not defeat hardware-backed attestation, which reads the chip's RootOfTrust directly.

  22. 2026·01 Mobile runtime attacks

    Library injection via Frida and Xposed

    Frida and Xposed inject agent libraries into the target process — visible in /proc/[pid]/maps as an unexpected .so mapped from a non-app path.

  23. 2026·01 Mobile runtime attacks

    Screen-capture attacks — MediaProjection abuse

    Once the user grants a MediaProjection session, the token persists. Capture can run across foreground transitions until the host calls stop().

  24. 2026·01 Mobile runtime attacks

    Run-as trust model — debuggable targets, SELinux scope, and the run-as defect class

    Android's run-as is scoped to debuggable targets and trusted callers. The trust model, the defect class (CVE-2024-0044 et al.), and what the substrate observes.

  25. 2026·01 Mobile runtime attacks

    Snapshot timing — exploiting visible state during background transition

    The platform takes a snapshot of the activity for the recents thumbnail at the background transition. Without FLAG_SECURE, sensitive frames are captured.

  26. 2026·01 Mobile runtime attacks

    Malicious input-method editor (IME) compromise

    Every keystroke flows through the active IME. A compromised IME has read access to every character and write access to the host app's input field.

  27. 2026·01 Mobile runtime attacks

    Accessibility service abuse — automated UI scraping and input synthesis

    BIND_ACCESSIBILITY_SERVICE grants reads of every running app's UI tree and writes via synthesised gestures. A single user toggle, no per-use prompt.

  28. 2025·12 Mobile runtime attacks

    Transaction parameter tampering — modifying values between confirm and submit

    The user confirms one set of values; an attacker process rewrites the payload between confirm and submit; the backend receives different values.

  29. 2025·12 Mobile runtime attacks

    Overlay injection — system-overlay UI manipulation on Android

    A malicious window registers as TYPE_APPLICATION_OVERLAY above the legitimate activity. User input goes to the overlay; the host app receives nothing.

  30. 2025·12 Checkpoint architectures

    Hardware-backed attestation chains — Keystore, Knox, StrongBox, Secure Enclave

    Hardware attestation is an X.509 chain rooted in a vendor CA. It proves where a key was generated — not what the runtime did with it.

  31. 2025·12 Checkpoint architectures

    Behavioural biometrics — observation scope and accuracy bounds

    A four-stage pipeline producing a session-scoped score against a per-user baseline. NIST and EBA treat it as a continuous risk signal, not an authenticator.

  32. 2025·11 Checkpoint architectures

    SafetyNet's deprecation and the migration to Play Integrity

    SafetyNet Attestation: announced June 2022, onboarding cutoff Jan 2023, shut down Jan 2025. Play Integrity is the successor — same shape, refined verdicts.

  33. 2025·11 Checkpoint architectures

    FIDO2 and passkeys — what the assertion does and does not prove

    WebAuthn signs a server challenge bound to rpId and origin — phishing-resistant by construction. The transaction body is not part of the default assertion.

  34. 2025·11 Checkpoint architectures

    EMV credential authentication and EMV 3DS device-data scope

    EMV proves credential authenticity at the rail. EMV 3DS 2.x adds a structured device-environment snapshot at authentication initiation.

  35. 2025·11 Checkpoint architectures

    Apple App Attest and DeviceCheck — the attestation/assertion split

    App Attest is a two-step model: attestation binds an app-instance key once; assertions sign each call. DeviceCheck is a separate per-device flag service.

  36. 2025·10 Checkpoint architectures

    Play Integrity verdict semantics

    What MEETS_BASIC_INTEGRITY, MEETS_DEVICE_INTEGRITY, and MEETS_STRONG_INTEGRITY mean. Verdict freshness, quota, deprecation history, and operator policy.

  37. 2025·10 The Unobserved Interval

    PSD2 SCA challenge completion versus settlement message generation

    PSD2 RTS specifies the authentication code and its dynamic linking. The runtime interval between SCA completion and settlement is operator-defined.

  38. 2025·10 The Unobserved Interval

    Behavioural-biometrics session windows and transaction boundaries

    Behavioural scores compute over a session window. The transaction event may sit inside or outside it — the score does not bind to the transaction.

  39. 2025·10 The Unobserved Interval

    EMV credential generation versus device-side execution

    EMV signs the credential at the rail. The device-side flow that produced the inputs — PAN entry, amount, consent — sits before the signed boundary.

  40. 2025·09 The Unobserved Interval

    FIDO2 assertion versus transaction submission

    The WebAuthn assertion signs the challenge, not the transaction body. The interval to settlement is where the body is assembled, confirmed, and submitted.

  41. 2025·09 The Unobserved Interval

    Play Integrity verdict freshness and the inter-call gap

    Play Integrity verdicts have a freshness window. Between successive calls, the device's runtime trajectory is unobserved by Play Integrity itself.

  42. 2025·07 Mobile runtime attacks

    How advanced malware from Asia is targeting Africa's financial sector

    A 2024–2025 wave of overlay attacks, accessibility-service abuse, GoldFactory tooling, and device-takeover fraud across African mobile banking.

  43. 2025·06 engineering

    Network context, DNS, and zero-rating

    In-app DNS racing for African fintech: parallel resolver racing, DNS-over-HTTPS, and zero-rating-compatible network resilience on constrained mobile estates.

  44. 2025·03 engineering

    Defensive JNI for low-end Android — patterns and Semgrep rules behind production-scale hardening

    Defensive JNI patterns and the open-sourced Semgrep rules behind them — native security code across thousands of Android hardware configurations.

normative specification

Some knowledge lives in the spec, not the open site.

The agentic-payment extension, the formal threat model, and the conformance checklists are maintained in YEI-001. Public linking from this Knowledge Center is being introduced progressively; contact us to request access ahead of publication.
