Technical reference for execution evidence infrastructure — checkpoint architectures, mobile and POS runtime attack catalogues, evidence formats, dispute and audit workflow.https://www.yinkoshield.com/enFri, 08 May 2026 00:00:00 GMThttps://www.yinkoshield.com/knowledge-center/audit-and-evidence-formats/cross-language-test-vectors/https://www.yinkoshield.com/knowledge-center/audit-and-evidence-formats/cross-language-test-vectors/Four reference verifiers across four runtimes share one corpus and produce identical verdicts. Cross-language conformance is the property; the corpus is gated.Fri, 08 May 2026 00:00:00 GMTAudit, dispute, and evidence formatshttps://www.yinkoshield.com/knowledge-center/audit-and-evidence-formats/regulator-readable-format/https://www.yinkoshield.com/knowledge-center/audit-and-evidence-formats/regulator-readable-format/Public artefacts are sufficient for architectural pre-qualification. Full audit and dispute replay require the normative spec body and operator-held evidence.Mon, 04 May 2026 00:00:00 GMTAudit, dispute, and evidence formatshttps://www.yinkoshield.com/knowledge-center/audit-and-evidence-formats/dispute-evidence-workflow/https://www.yinkoshield.com/knowledge-center/audit-and-evidence-formats/dispute-evidence-workflow/Dispute opens, operator queries the corpus by tctx, replays the signed sequence, presents three audience-scoped views — investigator, cardholder, regulator.Tue, 28 Apr 2026 00:00:00 GMTAudit, dispute, and evidence formatshttps://www.yinkoshield.com/knowledge-center/audit-and-evidence-formats/verification-pseudocode/https://www.yinkoshield.com/knowledge-center/audit-and-evidence-formats/verification-pseudocode/Eight stages, in order: parse, header, key, signature, chain, freshness, policy, emit. Contract is public; pseudocode bodies and failure enum sit in the spec.Wed, 22 Apr 2026 00:00:00 GMTAudit, dispute, and evidence formatshttps://www.yinkoshield.com/knowledge-center/audit-and-evidence-formats/evidence-token-format/https://www.yinkoshield.com/knowledge-center/audit-and-evidence-formats/evidence-token-format/JWS-compact ES256 wire shape with two profiles — Minimal for chain verification, Standard adds the signal payload. Field schema sits in the YEI-001 spec.Wed, 15 Apr 2026 00:00:00 GMTAudit, dispute, and evidence formatshttps://www.yinkoshield.com/knowledge-center/evidence-architecture/signal-vs-verdict-separation/https://www.yinkoshield.com/knowledge-center/evidence-architecture/signal-vs-verdict-separation/The substrate signs signals. The operator decides verdicts. One signal stream feeds many policy regimes — re-policed and re-played without re-signing.Fri, 03 Apr 2026 00:00:00 GMTEvidence architecturehttps://www.yinkoshield.com/knowledge-center/evidence-architecture/host-side-correlation/https://www.yinkoshield.com/knowledge-center/evidence-architecture/host-side-correlation/EEI does not replace auth, fraud, AML, or dispute pipelines. It gives each of them a signed device-side column they did not have before.Mon, 30 Mar 2026 00:00:00 GMTEvidence architecturehttps://www.yinkoshield.com/knowledge-center/evidence-architecture/local-key-custody/https://www.yinkoshield.com/knowledge-center/evidence-architecture/local-key-custody/The private key never leaves the device. The operator holds the public-key registry and verifier. YinkoShield holds none of it — by design, not promise.Wed, 25 Mar 2026 00:00:00 GMTEvidence architecturehttps://www.yinkoshield.com/knowledge-center/evidence-architecture/self-signing-devices/https://www.yinkoshield.com/knowledge-center/evidence-architecture/self-signing-devices/ES256 keypair per device, hardware-backed where available. Non-exportable; signing makes records portable across operator and regulator without any vendor.Fri, 20 Mar 2026 00:00:00 GMTEvidence architecturehttps://www.yinkoshield.com/knowledge-center/evidence-architecture/forward-chaining/https://www.yinkoshield.com/knowledge-center/evidence-architecture/forward-chaining/Three independent invariants — prev_hash, monotonic seq, single boot_id — surface drop, edit, reorder, and replay locally; no clock, no coordination.Mon, 16 Mar 2026 00:00:00 GMTEvidence architecturehttps://www.yinkoshield.com/knowledge-center/evidence-architecture/append-only-ledger-structure/https://www.yinkoshield.com/knowledge-center/evidence-architecture/append-only-ledger-structure/Append-only and hash-linked is a structural property. A local mutation of any record breaks an invariant the verifier checks without trusting the device.Thu, 12 Mar 2026 00:00:00 GMTEvidence architecturehttps://www.yinkoshield.com/knowledge-center/pos-runtime-threats/attestation-drift-distributed-fleets/https://www.yinkoshield.com/knowledge-center/pos-runtime-threats/attestation-drift-distributed-fleets/Per-device attestation answers per-device. At fleet scale, the question is about the distribution. Signed evidence makes the shape legible.Fri, 06 Mar 2026 00:00:00 GMTPOS, mPOS, and SST runtime threatshttps://www.yinkoshield.com/knowledge-center/pos-runtime-threats/sst-kiosk-escape/https://www.yinkoshield.com/knowledge-center/pos-runtime-threats/sst-kiosk-escape/A Linux SST runs the certified app inside a kiosk shell. Escape vectors are everything that crosses the enclosure — keyboard, USB, file dialog, recovery.Mon, 02 Mar 2026 00:00:00 GMTPOS, mPOS, and SST runtime threatshttps://www.yinkoshield.com/knowledge-center/pos-runtime-threats/os-downgrade-attacks/https://www.yinkoshield.com/knowledge-center/pos-runtime-threats/os-downgrade-attacks/Rollback prevention is a counter compared against a fuse floor at boot. Downgrade attacks live where the floor check has bypass conditions in shipped fleets.Wed, 25 Feb 2026 00:00:00 GMTPOS, mPOS, and SST runtime threatshttps://www.yinkoshield.com/knowledge-center/pos-runtime-threats/mpos-side-loaded-apps/https://www.yinkoshield.com/knowledge-center/pos-runtime-threats/mpos-side-loaded-apps/An Android mPOS hosts the PCI MPoC payment app alongside everything else. Side-loaded APKs can attempt the full mobile-runtime attack catalogue.Fri, 20 Feb 2026 00:00:00 GMTPOS, mPOS, and SST runtime threatshttps://www.yinkoshield.com/knowledge-center/pos-runtime-threats/pos-tampering/https://www.yinkoshield.com/knowledge-center/pos-runtime-threats/pos-tampering/PCI PTS draws an envelope around the terminal's secure cryptographic processor. Two attack surfaces test it: physical penetration and firmware-flash.Mon, 16 Feb 2026 00:00:00 GMTPOS, mPOS, and SST runtime threatshttps://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/runtime-memory-manipulation/https://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/runtime-memory-manipulation/Two paths rewrite a process's .text segment: /proc/[pid]/mem direct write, or mprotect-then-memcpy. The signal is in-memory hash drift.Thu, 12 Feb 2026 00:00:00 GMTMobile runtime attackshttps://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/magisk-zygisk-modules/https://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/magisk-zygisk-modules/Zygisk modules load inside the zygote before fork. The target app's first line of code runs with the modules already mapped into its address space.Sun, 08 Feb 2026 00:00:00 GMTMobile runtime attackshttps://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/debugger-attachment/https://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/debugger-attachment/On Android, /proc/[pid]/status's TracerPid reveals an attached debugger. On iOS, kp_proc.p_flag's P_TRACED is the equivalent.Wed, 04 Feb 2026 00:00:00 GMTMobile runtime attackshttps://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/hook-detection-bypass/https://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/hook-detection-bypass/Each detection rung — maps scan, syscall scan, prologue-hash, remote attestation — has documented counter-techniques. The substrate signs what was observed.Sun, 01 Feb 2026 00:00:00 GMTMobile runtime attackshttps://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/root-cloaking/https://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/root-cloaking/Magisk DenyList defeats heuristic probes. It does not defeat hardware-backed attestation, which reads the chip's RootOfTrust directly.Wed, 28 Jan 2026 00:00:00 GMTMobile runtime attackshttps://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/library-injection-frida-xposed/https://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/library-injection-frida-xposed/Frida and Xposed inject agent libraries into the target process — visible in /proc/[pid]/maps as an unexpected .so mapped from a non-app path.Sun, 25 Jan 2026 00:00:00 GMTMobile runtime attackshttps://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/screen-capture-attacks/https://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/screen-capture-attacks/Once the user grants a MediaProjection session, the token persists. Capture can run across foreground transitions until the host calls stop().Wed, 21 Jan 2026 00:00:00 GMTMobile runtime attackshttps://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/run-as-exploit/https://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/run-as-exploit/Android's run-as is scoped to debuggable targets and trusted callers. The trust model, the defect class (CVE-2024-0044 et al.), and what the substrate observes.Sat, 17 Jan 2026 00:00:00 GMTMobile runtime attackshttps://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/snapshot-timing-exploits/https://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/snapshot-timing-exploits/The platform takes a snapshot of the activity for the recents thumbnail at the background transition. Without FLAG_SECURE, sensitive frames are captured.Tue, 13 Jan 2026 00:00:00 GMTMobile runtime attackshttps://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/malicious-ime/https://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/malicious-ime/Every keystroke flows through the active IME. A compromised IME has read access to every character and write access to the host app's input field.Fri, 09 Jan 2026 00:00:00 GMTMobile runtime attackshttps://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/accessibility-service-abuse/https://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/accessibility-service-abuse/BIND_ACCESSIBILITY_SERVICE grants reads of every running app's UI tree and writes via synthesised gestures. A single user toggle, no per-use prompt.Mon, 05 Jan 2026 00:00:00 GMTMobile runtime attackshttps://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/transaction-parameter-tampering/https://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/transaction-parameter-tampering/The user confirms one set of values; an attacker process rewrites the payload between confirm and submit; the backend receives different values.Mon, 22 Dec 2025 00:00:00 GMTMobile runtime attackshttps://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/overlay-injection/https://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/overlay-injection/A malicious window registers as TYPE_APPLICATION_OVERLAY above the legitimate activity. User input goes to the overlay; the host app receives nothing.Mon, 15 Dec 2025 00:00:00 GMTMobile runtime attackshttps://www.yinkoshield.com/knowledge-center/checkpoint-architectures/hardware-attestation/https://www.yinkoshield.com/knowledge-center/checkpoint-architectures/hardware-attestation/Hardware attestation is an X.509 chain rooted in a vendor CA. It proves where a key was generated — not what the runtime did with it.Mon, 08 Dec 2025 00:00:00 GMTCheckpoint architectureshttps://www.yinkoshield.com/knowledge-center/checkpoint-architectures/behavioural-biometrics/https://www.yinkoshield.com/knowledge-center/checkpoint-architectures/behavioural-biometrics/A four-stage pipeline producing a session-scoped score against a per-user baseline. NIST and EBA treat it as a continuous risk signal, not an authenticator.Mon, 01 Dec 2025 00:00:00 GMTCheckpoint architectureshttps://www.yinkoshield.com/knowledge-center/checkpoint-architectures/safetynet-legacy/https://www.yinkoshield.com/knowledge-center/checkpoint-architectures/safetynet-legacy/SafetyNet Attestation: announced June 2022, onboarding cutoff Jan 2023, shut down Jan 2025. Play Integrity is the successor — same shape, refined verdicts.Mon, 24 Nov 2025 00:00:00 GMTCheckpoint architectureshttps://www.yinkoshield.com/knowledge-center/checkpoint-architectures/fido2-and-passkeys/https://www.yinkoshield.com/knowledge-center/checkpoint-architectures/fido2-and-passkeys/WebAuthn signs a server challenge bound to rpId and origin — phishing-resistant by construction. The transaction body is not part of the default assertion.Tue, 18 Nov 2025 00:00:00 GMTCheckpoint architectureshttps://www.yinkoshield.com/knowledge-center/checkpoint-architectures/emv-and-emv-3ds/https://www.yinkoshield.com/knowledge-center/checkpoint-architectures/emv-and-emv-3ds/EMV proves credential authenticity at the rail. EMV 3DS 2.x adds a structured device-environment snapshot at authentication initiation.Wed, 12 Nov 2025 00:00:00 GMTCheckpoint architectureshttps://www.yinkoshield.com/knowledge-center/checkpoint-architectures/app-attest-and-device-check/https://www.yinkoshield.com/knowledge-center/checkpoint-architectures/app-attest-and-device-check/App Attest is a two-step model: attestation binds an app-instance key once; assertions sign each call. DeviceCheck is a separate per-device flag service.Wed, 05 Nov 2025 00:00:00 GMTCheckpoint architectureshttps://www.yinkoshield.com/knowledge-center/checkpoint-architectures/play-integrity/https://www.yinkoshield.com/knowledge-center/checkpoint-architectures/play-integrity/What MEETS_BASIC_INTEGRITY, MEETS_DEVICE_INTEGRITY, and MEETS_STRONG_INTEGRITY mean. Verdict freshness, quota, deprecation history, and operator policy.Thu, 30 Oct 2025 00:00:00 GMTCheckpoint architectureshttps://www.yinkoshield.com/knowledge-center/the-unobserved-interval/the-sca-settlement-gap/https://www.yinkoshield.com/knowledge-center/the-unobserved-interval/the-sca-settlement-gap/PSD2 RTS specifies the authentication code and its dynamic linking. The runtime interval between SCA completion and settlement is operator-defined.Wed, 22 Oct 2025 00:00:00 GMTThe Unobserved Intervalhttps://www.yinkoshield.com/knowledge-center/the-unobserved-interval/the-behavioural-session-gap/https://www.yinkoshield.com/knowledge-center/the-unobserved-interval/the-behavioural-session-gap/Behavioural scores compute over a session window. The transaction event may sit inside or outside it — the score does not bind to the transaction.Tue, 14 Oct 2025 00:00:00 GMTThe Unobserved Intervalhttps://www.yinkoshield.com/knowledge-center/the-unobserved-interval/the-emv-execution-gap/https://www.yinkoshield.com/knowledge-center/the-unobserved-interval/the-emv-execution-gap/EMV signs the credential at the rail. The device-side flow that produced the inputs — PAN entry, amount, consent — sits before the signed boundary.Sun, 05 Oct 2025 00:00:00 GMTThe Unobserved Intervalhttps://www.yinkoshield.com/knowledge-center/the-unobserved-interval/the-fido2-submission-gap/https://www.yinkoshield.com/knowledge-center/the-unobserved-interval/the-fido2-submission-gap/The WebAuthn assertion signs the challenge, not the transaction body. The interval to settlement is where the body is assembled, confirmed, and submitted.Tue, 23 Sep 2025 00:00:00 GMTThe Unobserved Intervalhttps://www.yinkoshield.com/knowledge-center/the-unobserved-interval/the-play-integrity-gap/https://www.yinkoshield.com/knowledge-center/the-unobserved-interval/the-play-integrity-gap/Play Integrity verdicts have a freshness window. Between successive calls, the device's runtime trajectory is unobserved by Play Integrity itself.Fri, 12 Sep 2025 00:00:00 GMTThe Unobserved Intervalhttps://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/malware-asia-africa/https://www.yinkoshield.com/knowledge-center/mobile-runtime-attacks/malware-asia-africa/A 2024–2025 wave of overlay attacks, accessibility-service abuse, GoldFactory tooling, and device-takeover fraud across African mobile banking.Tue, 15 Jul 2025 00:00:00 GMTMobile runtime attacks