Implementing Threat-Memory™ in iOS Apps

Last updated June 21, 2026 by Appdome

Overview

Threat-Memory™ allows the iOS application to retrieve security detection data on demand. Using in-app API calls, the application can access the current threat state, including which threats have been detected, when they occurred, and their current status.

All data is returned as an NSDictionary and can be queried at any point during runtime.

Beyond on-demand access to threat data, Threat-Memory™ keeps the application continuously informed as the threat posture evolves. Protected applications can track both threat-state changes and newly detected threats in real time, without the complexity of managing separate listeners for each event.

For a detailed explanation of what Threat-Memory™ is and how it fits into the threat intelligence management framework, see [Threat-Memory™ Overview].

Prerequisites

Configure each defense to use Threat-Memory™ mode within In-App Control on the Appdome platform.
When a defense is configured in Threat-Memory™ mode, any detected threats are stored locally on the device without any enforcement actions.
Defenses configured with other intelligence modes (such as In-App Detection, In-App Defense, Failsafe, etc.) are not tracked by Threat-Memory™.
The application must be built through the Appdome platform. Threat-Memory™ data is only available at runtime in a protected build.

Integration

Threat-Memory™ offers two ways to access threat-state information in your iOS application:

State getter APIs: Allow the application to retrieve the current or historical security state on demand, including session-level, installation-level, and threat-specific data.

Threat-state callbacks: Threat-Memory™ callbacks that keep the application informed of threat activity. One callback notifies the application when the state of a Threat-Memory™-enabled threat changes, while the other notifies the application when a new threat is detected.

Together, these capabilities enable the application to respond to threat-state changes in real time and to query the device risk level whenever additional context is needed.

Follow these steps to integrate and use Threat-Memory™ in the iOS application.

Step 1: Add the Threat-Memory™ Callback Class File

Add the AppdomeThreatCallbacks file to the app project.

The onThreatStateChange(threatName) callback is invoked when the state of a Threat-Memory™-enabled threat changes during the app session. The callback receives the name of the threat whose state changed.

The onThreatDetected(threatName) callback is invoked each time a threat is recorded for a Threat-Memory™-enabled defense during the app session. Unlike onThreatStateChange, which is triggered only when the threat risk state transitions, such as from safe to compromised or from compromised to safe, onThreatDetected is triggered for every detection occurrence, including repeated detections of the same threat. The callback receives the name of the detected threat.

Update the onThreatStateChange(threatName) and onThreatDetected(threatName) implementations with the app’s business logic for handling threat-state changes and individual detection events. For example, the app may query the updated threat state, log detections for telemetry, trigger an immediate in-app response, or send threat data to the backend.

Swift Projects

In Xcode:

Right-click your project in the Project Navigator.
Select New File.
Choose Empty File.
Name the file AppdomeThreatCallbacks.swift.

Paste the following code into the new file:

import Foundation

@objc(AppdomeThreatCallbacks)
class AppdomeThreatCallbacks: NSObject {

	@objc class func onThreatStateChange(_ threatName: NSString) {
		// Handle threat state changes here
        // Use the threatName to query updated state using AppdomeThreatApi.
        // let sessionState: NSDictionary = AppdomeThreatApi.getSessionState()
        // print("Session state: \(sessionState)")
	}

    @objc class func onThreatDetected(_ threatName: NSString) {
      // Called every time a new threat detection occurs for a ThreatMemory-enabled defense.
      // Use the threatName to query the updated threat state using AppdomeThreatApi.
      // let threatState: NSDictionary = AppdomeThreatApi.getThreatSessionState(threatName: threatName)
      // print("Threat detected: \(threatName)")
      // print("Updated threat state: \(threatState)")
    }
}

Update the onThreatStateChange(_ threatName: NSString) implementation with the app’s business logic to handle threat-state changes.

Objective-C Projects

In Xcode:

Right-click your project in the Project Navigator.
Select New File.
Choose Empty File.
Name the file AppdomeThreatCallbacks.h.

Paste the following code into the new file:

#import <Foundation/Foundation.h>

@interface AppdomeThreatCallbacks : NSObject

+ (void)onThreatStateChange:(NSString *)threatName;
+ (void)onThreatDetected:(NSString *)threatName;

@end

@implementation AppdomeThreatCallbacks

+ (void)onThreatStateChange:(NSString *)threatName {
    // Handle threat state changes here.
    // Use the threatName to query updated state using AppdomeThreatApi.

    //NSDictionary *sessionState = [AppdomeThreatApi getSessionState];
    //NSDictionary *threatSessionState = [AppdomeThreatApi getThreatSessionState:threatName];

    //NSLog(@"Threat state changed: %@", threatName);
    //NSLog(@"Session state: %@", sessionState);
    //NSLog(@"Threat session state: %@", threatSessionState);
    // Add the app's business logic here.
}

+ (void)onThreatDetected:(NSString *)threatName {
    // Called every time a new threat detection occurs for a ThreatMemory-enabled defense.
    // Use the threatName to query the updated threat state using AppdomeThreatApi.
    //NSDictionary *threatState = [AppdomeThreatApi getThreatSessionState:threatName];
    //NSLog(@"Threat detected: %@", threatName);
    //NSLog(@"Updated threat state: %@", threatState);
    // Add the app's business logic here.
}

@end

Update the onThreatStateChange:(NSString *)threatName implementation with the app’s business logic to handle threat state changes.

Step 2: Add the Threat-Memory™ API Placeholder Class

Add the AppdomeThreatApi class file to the app project.
This file contains placeholder implementations of the Threat-Memory™ API methods.
The implementations in the placeholder class allow the unprotected app to be tested using developer-controlled responses prior to protecting the app on Appdome.
The AppdomeThreatApi methods are replaced in the protected app to return responses from Threat-Memory™ at runtime.

Swift Projects

In Xcode:

Right-click your project in the Project Navigator.
Select New File.
Choose Empty File.
Name the file AppdomeThreatApi.swift.

Paste the following code into the new file:

import Foundation

@objc(AppdomeThreatApi)
class AppdomeThreatApi: NSObject {

	@objc dynamic class func getThreatSessionState(threatName: NSString) -> NSDictionary {
		return placeholderResponse("getThreatSessionState")
	}

	@objc dynamic class func getThreatSessionState(threatName: NSString, sessionID: NSString) -> NSDictionary {
		return placeholderResponse("getThreatSessionState")
	}

	@objc dynamic class func getThreatInstallationState(threatName: NSString) -> NSDictionary {
		return placeholderResponse("getThreatInstallationState")
	}

	@objc dynamic class func getSessionState() -> NSDictionary {
		return placeholderResponse("getSessionState")
	}

	@objc dynamic class func getSessionState(sessionID: NSString) -> NSDictionary {
		return placeholderResponse("getSessionState")
	}

	@objc dynamic class func getInstallationState() -> NSDictionary {
		return placeholderResponse("getInstallationState")
	}

	private class func placeholderResponse(_ method: String) -> NSDictionary {
		return [
			"status": "not_available",
			"message": "Return stub response",
			"method": method
		]
	}
}

Objective-C Projects

In Xcode:

Right-click your project in the Project Navigator.
Select New File.
Choose Empty File.
Name the file AppdomeThreatApi.h.

Paste the following code into the new file:

#import <Foundation/Foundation.h>

@interface AppdomeThreatApi : NSObject

+ (NSDictionary *)getThreatSessionState:(NSString *)threatName;
+ (NSDictionary *)getThreatSessionState:(NSString *)threatName sessionID:(NSString *)sessionID;
+ (NSDictionary *)getThreatInstallationState:(NSString *)threatName;
+ (NSDictionary *)getSessionState;
+ (NSDictionary *)getSessionState:(NSString *)sessionID;
+ (NSDictionary *)getInstallationState;

@end

@implementation AppdomeThreatApi

+ (NSDictionary *)getThreatSessionState:(NSString *)threatName {
	return [self placeholderResponse:@"getThreatSessionState"];
}

+ (NSDictionary *)getThreatSessionState:(NSString *)threatName sessionID:(NSString *)sessionID {
	return [self placeholderResponse:@"getThreatSessionState"];
}

+ (NSDictionary *)getThreatInstallationState:(NSString *)threatName {
	return [self placeholderResponse:@"getThreatInstallationState"];
}

+ (NSDictionary *)getSessionState {
	return [self placeholderResponse:@"getSessionState"];
}

+ (NSDictionary *)getSessionState:(NSString *)sessionID {
	return [self placeholderResponse:@"getSessionState"];
}

+ (NSDictionary *)getInstallationState {
	return [self placeholderResponse:@"getInstallationState"];
}

+ (NSDictionary *)placeholderResponse:(NSString *)method {
	return @{
		@"status": @"not_available",
		@"message": @"Return stub response",
		@"method": method
	};
}

@end

Step 3: Call the Threat-Memory™ API

After adding the AppdomeThreatApi placeholder API file, the Threat-Memory™ getter APIs can be called from any Swift or Objective-C file in the application.

Swift

let sessionState: NSDictionary = AppdomeThreatApi.getSessionState()
print("Session state: \(sessionState)")

Objective-C

NSDictionary *sessionState = [AppdomeThreatApi getSessionState];
NSLog(@"Session state: %@", sessionState);

All methods are exposed as static methods on AppdomeThreatApi
Each method returns a NSDictionary
Calls are synchronous, rely on on-device storage, and return immediately without waiting for network requests.

Step 4: Test and Validate the Integration

1. Build the Application and Test Without Appdome

At this stage, Threat-Memory™ is not present in the application because the application is not protected by Appdome.

All calls to AppdomeThreatApi return placeholder responses. These responses can be modified during development to invoke and validate different threat scenarios in the application. This expedites testing of the unprotected version prior to protecting the application. For example, you can test an end-to-end flow that collects data in-app using Threat-Memory™ and sends threat telemetry to the backend.

2. Protect the Application with Appdome

Build the protected application on the Appdome platform with Threat-Memory™ enabled for the selected defenses in the defense policy.

Once the application is protected:

The placeholder implementations are replaced automatically at runtime.
All AppdomeThreatApi methods return threat data collected on the device from defenses monitored by Threat-Memory™.
No code changes are required between testing and production builds. The integration implementation also does not require changes when the defense policy changes (for example, when adding a new Threat-Memory™-enabled defense to the defense policy).

API Reference

Glossary

Session
A session represents a single app launch until it is closed by the user or the operating system (OS), identified by a sessionID.

Installation
An installation represents the lifetime of a given app version on the device across sessions, identified by an installationID.

Threat State
Threat State represents the current risk status of a specific threat or the overall security posture of an application session or installation.

Session State
Session State represents the security status of a single application process lifetime, from launch to termination. It is identified by a unique sessionID and includes an overall status of either safe (no active critical threats), compromised (at least one active threat), or evaluating (the defense has not completed the verification logic required to detect the threat).

Installation-Level Data
Installation-level data resets on application upgrades or reinstalls.

Class: AppdomeThreatApi

AppdomeThreatApi exposes class methods for querying Threat-Memory™ data at runtime.

All methods:

Return an NSDictionary
Execute synchronously using on-device data
Do not require delegates, callbacks, or network requests

Session-Level Methods

getSessionState()

Method signature

Swift

class func getSessionState() -> NSDictionary

Objective-C

+ (NSDictionary *)getSessionState;

Description

Returns the full Threat-Memory™ state for the current application session.

Parameters

None.

Returns

An NSDictionary containing the full threat state for the current session. See the Returned Data section for the expected fields and example response.

Usage Example

Swift

let sessionState: NSDictionary = AppdomeThreatApi.getSessionState()

// Print the entire dictionary
print("Full session state: \(sessionState)")

// Access a specific field 
if let threats = sessionState["threats"] as? NSDictionary {
    print("Threats: \(threats)")
}

Objective-C

NSDictionary *sessionState = [AppdomeThreatApi getSessionState];

// Print the entire dictionary
NSLog(@"Full session state: %@", sessionState);

// Access a specific field
NSDictionary *threats = sessionState[@"threats"]; 
if (threats) {
  NSLog(@"Threats: %@", threats); 
}

getSessionState(sessionID:)

Method signature

Swift

class func getSessionState(sessionID: NSString) -> NSDictionary

Objective-C

+ (NSDictionary *)getSessionState:(NSString *)sessionID;

Description

Returns the full Threat-Memory™ state for a specific session.

Use this method with a session identifier returned from a previous Threat-Memory™ API call. For example, the current session ID can be retrieved from the sessionID field returned by getSessionState().

Note that calling getSessionState(currentSessionID) with the current sessionID is equivalent to calling getSessionState().

Parameters

Name	Type	Description
`sessionID`	`NSString *`	The session identifier to query. You can obtain this value from the `sessionID` field returned by `getSessionState()`.

Returns

NSDictionary containing the full threat state for the specified session. See Returned Data for the expected fields and example response.

Usage Example

Swift

// Query ThreatMemory for a specific session using a known sessionID.
// You can store sessionIDs from previous ThreatMemory responses and use them later.
let sessionState: NSDictionary = AppdomeThreatApi.getSessionState(sessionID: "")

// Print the entire dictionary
print("Full session state: \(sessionState)")

// Access a specific field
if let threats = sessionState["threats"] as? NSDictionary {
    print("Threats: \(threats)")
}

Objective-C

// Query ThreatMemory for a specific session using a known sessionID.
// You can store sessionIDs from previous ThreatMemory responses and use them later.
NSDictionary *sessionState = [AppdomeThreatApi getSessionState:@""];

// Print the entire dictionary
NSLog(@"Full session state: %@", sessionState);

// Access a specific field
NSDictionary *threats = sessionState[@"threats"];
if (threats) {
    NSLog(@"Threats: %@", threats);
}

getThreatSessionState(threatName:)

Method signature

Swift

class func getThreatSessionState(threatName: NSString) -> NSDictionary

Objective-C

+ (NSDictionary *)getThreatSessionState:(NSString *)threatName;

Description

Returns the Threat-Memory™ state for a single threat in the current session.

Use threatName to specify the Threat-Event identifier for the defense being queried. Refer to the Appdome Threat Knowledge Base to find the correct threat name for the specific protection you enabled.

Parameters

Name	Type	Description
`threatName`	`NSString *`	The identifier of the threat to query. Use the same value returned in the “threatName” field from ThreatMemory responses (for example, “JailbrokenDevice”).

Returns

An NSDictionary containing the state of the specified threat for the current session. See Returned Data for the expected fields and example response.

Usage Example

Swift

// Query ThreatMemory for a specific threat in the current session
let threatState: NSDictionary = AppdomeThreatApi.getThreatSessionState(threatName: "JailbrokenDevice")

// Print the entire dictionary
print("Full threat state: \(threatState)")

// Access a specific field
if let state = threatState["state"] as? String {
    print("Threat state: \(state)")
}

Objective-C

// Query ThreatMemory for a specific threat in the current session
NSDictionary *threatState = [AppdomeThreatApi getThreatSessionState:@"JailbrokenDevice"];

// Print the entire dictionary
NSLog(@"Full threat state: %@", threatState);

// Access a specific field
NSString *state = threatState[@"state"];
if (state) {
    NSLog(@"Threat state: %@", state);
}

getThreatSessionState(threatName:sessionID:)

Method signature

Swift

class func getThreatSessionState(threatName: NSString, sessionID: NSString) -> NSDictionary

Objective-C

+ (NSDictionary *)getThreatSessionState:(NSString *)threatName sessionID:(NSString *)sessionID;

Description

Returns the Threat-Memory™ state for a single threat in a specific session.

Use threatName to specify the identifier of the threat you want to query. This value should match the threatName field returned in Threat-Memory™ responses. Refer to the Appdome Threat Knowledge Base to find the correct threat name for the specific protection you enabled.

Use sessionID to specify the session to query. You can obtain this value from the sessionID field returned by getSessionState() and store it if you want to inspect a specific session later.

Note that calling getThreatSessionState(threatName, currentSessionID) with the current sessionID is equivalent to calling getThreatSessionState(threatName).

Parameters

Name	Type	Description
`threatName`	`NSString *`	The threat identifier to query.
`sessionID`	`NSString *`	The session identifier to query.

Returns

NSDictionary containing the state of the specified threat for the specified session. See Returned Data for the expected fields and example response.

Usage Example

Swift

let threatState: NSDictionary = AppdomeThreatApi.getThreatSessionState(
    threatName: "JailbrokenDevice",
    sessionID: ""
)

// Print the entire dictionary
print("Full threat state: \(threatState)")

// Access a specific field
if let state = threatState["state"] as? String {
    print("Threat state: \(state)")
}

Objective-C

NSDictionary *threatState =
    [AppdomeThreatApi getThreatSessionState:@"JailbrokenDevice"
                            sessionID:@""];

// Print the entire dictionary
NSLog(@"Full threat state: %@", threatState);

// Access a specific field
NSString *state = threatState[@"state"];
if (state) {
    NSLog(@"Threat state: %@", state);
}

Session-Level Methods

getInstallationState()

Method signature

Swift

class func getInstallationState() -> NSDictionary

Objective-C

+ (NSDictionary *)getInstallationState;

Description

Returns the full Threat-Memory™ state for the current application installation.

Parameters

None.

Returns

An NSDictionary containing the aggregated threat state across all sessions in the current installation. See Returned Data for the expected fields and example response.

Usage Example

Swift

let installationState: NSDictionary = AppdomeThreatApi.getInstallationState()

// Print the entire dictionary
print("Full installation state: \(installationState)")

// Access a specific field
if let threats = installationState["threats"] as? NSDictionary {
    print("Threats: \(threats)")
}

Objective-C

NSDictionary *installationState = [AppdomeThreatApi getInstallationState];

// Print the entire dictionary
NSLog(@"Full installation state: %@", installationState);

// Access a specific field
NSDictionary *threats = installationState[@"threats"];
if (threats) {
    NSLog(@"Threats: %@", threats);
}

getThreatInstallationState(threatName:)

Method signature

Swift

class func getThreatInstallationState(threatName: NSString) -> NSDictionary

Objective-C

+ (NSDictionary *)getThreatInstallationState:(NSString *)threatName;

Description

Returns the aggregated Threat-Memory™ state for a single threat across all sessions in the current installation.

Parameters

Name	Type	Description
`threatName`	`NSString *`	The threat identifier to query.

Returns

An NSDictionary containing the installation-level state of the specified threat. See Returned Data for the expected fields and example response.

Usage Example

Swift

let threatState: NSDictionary = AppdomeThreatApi.getThreatInstallationState(threatName: "JailbrokenDevice")

// Print the entire dictionary
print("Full installation-level threat state: \(threatState)")

// Access a specific field
if let state = threatState["state"] as? String {
    print("Threat state: \(state)")
}

Objective-C

NSDictionary *threatState = [AppdomeThreatApi getThreatInstallationState:@"JailbrokenDevice"];

// Print the entire dictionary
NSLog(@"Full installation-level threat state: %@", threatState);

// Access a specific field
NSString *state = threatState[@"state"];
if (state) {
    NSLog(@"Threat state: %@", state);
}

Returned Data

All Threat-Memory™ API methods return an NSDictionary containing Threat-Memory™ data.

Note

All timestamp fields are formatted as:

YYYY-MM-DD HH:MM:SS.mmm

Example: 2026-04-12 14:32:07.412

Session State Response

Returned by:

getSessionState() getSessionState(sessionID:)

Field	Type	Description	Expected Values
`sessionID`	`NSString *`	Unique identifier for the session	UUID string
`buildID`	`NSString *`	Unique protected app identifier	Build token string
`sessionState`	`NSString *`	Overall security state of the session	`evaluating, safe`, `compromised`
`registeredThreatCount`	Number	Total number of defenses tracked by ThreatMemory	Integer ≥ 0
`detectedThreatCount`	Number	Total number of detected threats, where each distinct threat is counted once.	Integer ≥ 0
`deviceMetadata`	NSDictionary	Device attributes and environment metadata captured at session start. Each field is an array containing a single value.	See Device Metadata Object.
`threats`	NSDictionary	Mapping of threat names to their threat state objects	Object of threat state objects

Device Metadata Object

Returned inside session and installation responses under the deviceMetadata key.

Every field is an array of strings. In a session response, each array contains exactly one value (the value at session start). In an installation response, hardware-constant fields still contain one value, while environment fields that can change between sessions (for example, after an iOS update) contain all distinct values observed across sessions, ordered from most recent to oldest.

Field	Type	Description	Expected Values
deviceManufacturer	`NSArray<NSString *>`	Device hardware manufacturer	[“Apple”]
deviceModel	`NSArray<NSString *>`	Device model identifier	Array of strings
osVersion	`NSArray<NSString *>`	iOS version	Array of strings
kernelInfo	`NSArray<NSString *>`	Darwin kernel version	Array of strings

Device Metadata Object

Represents the state of a single threat.

Returned by:

threats object in Session State Response

getThreatSessionState(...)

getThreatInstallationState(...)

Field	Type	Description	Expected Values
`threatName`	`NSString *`	Unique threat identifier	Example: `ActiveADBDetected`
`transitionType`	`NSString *`	Defines whether the threat persists or returns to a safe state.	`resolvable`, `persistentThreat`
`buildID`	`NSString *`	Unique protected app identifier	Build token String
`threatState`	`NSString *`	Threat lifecycle state	`active`, `detectedInSession`, `detectedInPreviousSession`, `notDetected`, `evaluating`
`state`	`NSString *`	Current threat risk state. `compromised` – active threat. `evaluating` – threat evaluation hasn’t completed. `safe`– threat is not detected.	`evaluating, safe`, `compromised`
`detectionCount`	Number	Number of recorded threat occurrences	Integer ≥ 0
`lastStateChangeTime`	`NSString *`	Last time the threat state changed. Empty string indicates that the threat was not detected.	Timestamp or Empty string
`firstDetectionTimestamp`	`NSString *`	Time of first detection. Empty string indicates that the threat was not detected.	Timestamp or Empty string
`lastDetectionTimestamp`	`NSString *`	Time of most recent detection. Empty string indicates that the threat was not detected.	Timestamp or Empty string
`detectionData`	NSArray	Detection data for each unique detection event. Includes fields such as reason code, reason data, and additional parameters.	Array of objects or empty array if no threats where detected

Detection Data Object

Represents detailed information about a specific detection event.

Field	Type	Description	Expected Values
`reasonCode`	`NSString *`	Code representing the detection type	String
`threatCode`	`NSString *`	Appdome-specific threat identifier	String
`reasonData`	`NSString *`	Description of the detection	String – Free text
occurrenceCount	Integer	Count how many this specific detection has been detected	Integer >=0
`detectionReference`	`NSString *`	Reference code to provide to the Appdome Support agent for remediation or inquiries about this detection.	String
params	NSDictionary	Additional detection data, which may include more metadata regarding the detection.

Detection data params may include additional fields depending on the specific threat and detection context.

Detection Data Example

When a threat is detected:

[
  {
    "reasonCode": "9999",
    "threatCode": "AAAAA",
    "reasonData": "X was detected by Y...",
    "occurrenceCount": 1,
    "detectionReference": "9999:1234:AAAAA",
    "params" : {...}
  }
]

When a threat is not detected:

[]

Installation State Response

Returned by:

getInstallationState()

Field	Type	Description	Expected Values
`installationID`	`NSString *`	Unique identifier for the app installation	UUID string
`registeredThreatCount`	Number	Total number of threats registered as ThreatMemory features	Integer ≥ 0
`detectedThreatCount`	Number	Total number of detected threats, where each distinct threat is counted once.	Integer ≥ 0
`installationState`	`NSString *`	Aggregated threat state across all sessions	`evaluating, safe`, `compromised`
`sessionList`	NSArray	List of session IDs for this installation, ordered from most recent to oldest.	Array of session IDs
`deviceMetadata`	NSDictionary	Device attributes and environment metadata. Each field is an array. Hardware-constant fields contain a single value. Environment fields that can change between sessions contain all distinct values observed across sessions, ordered from most recent to oldest.	See Device Metadata Object.
`threats`	NSDictionary	Mapping of threat names to aggregated threat state objects	Object of threat state objects

Example output

getSessionState() and getSessionState(sessionID)

{
  "sessionID": "",
  "buildID": "",
  "sessionState": "compromised",
  "registeredThreatCount": 2,
  "detectedThreatCount": 1,
  "deviceMetadata": {
    "deviceManufacturer": ["Apple"],
    "deviceModel": ["iPhone15,2"],
    "osVersion": ["17.4"],
    "kernelInfo": ["..."]
  },
  "threats": {
    "JailbrokenDevice": {
      "threatName": "JailbrokenDevice",
      "transitionType": "persistentThreat",
      "buildID": ""
      "threatState": "active",
      "state": "compromised",
      "detectionCount": 1,
      "lastStateChangeTime": "2026-04-12 14:32:05.100",
      "firstDetectionTimestamp": "2026-04-12 14:32:01.230",
      "lastDetectionTimestamp": "2026-04-12 14:32:05.100",
      "detectionData": [
        {
          "reasonCode": "9999",
          "threatCode": "AAAAA",
          "reasonData": "...info..",
          "occurrenceCount": 1,
          "detectionReference": "9999:1234:AAAAA"
          "params" : {...}
        }
      ]
    },
    "FridaDetected": {
      "threatName": "FridaDetected",
      "transitionType": "resolvable",
      "buildID": ""
      "threatState": "notDetected",
      "state": "safe",
      "detectionCount": 0,
      "lastStateChangeTime": "",
      "firstDetectionTimestamp": "",
      "lastDetectionTimestamp": "",
      "detectionData": []
    }
  }
}

getThreatSessionState(threatName) and getThreatSessionState(threatName, sessionId)
Returns the state of a single threat within the current session.

{
  "threatName": "JailbrokenDevice",
  "transitionType": "persistentThreat",
  "buildID": "",
  "threatState": "active",
  "state": "compromised",
  "detectionCount": 2,
  "lastStateChangeTime": "2026-04-12 14:32:05.100",
  "firstDetectionTimestamp": "2026-04-12 14:32:01.230",
  "lastDetectionTimestamp": "2026-04-12 14:32:05.100",
  "detectionData": [
    {
      "reasonCode": "AAAA",
      "threatCode": "5ABCDE",
      "reasonData": "...info..",
      "occurrenceCount": 1,
      "detectionReference": "AAAA:1234:5ABCDE"
      "params" : { ... }
    }
  ]
}

getInstallationState()
Returns the aggregated threat state across all sessions for the current app installation.

{
  "installationID": "",
  "registeredThreatCount": 2,
  "detectedThreatCount": 2,
  "installationState": "compromised",
  "sessionList": [
    "",
    ""
  ],
  "deviceMetadata": {
    "deviceManufacturer": ["Apple"],
    "deviceModel": ["iPhone15,2"],
    "osVersion": ["17.4", "17.3"],
    "kernelInfo": ["...", "..."]
  },
  "threats": {
    "JailbrokenDevice": {
      "threatName": "JailbrokenDevice",
      "transitionType": "persistentThreat",
      "buildID": "",
      "threatState": "active",
      "state": "compromised",
      "detectionCount": 5,
      "lastStateChangeTime": "2026-04-12 14:32:05.100",
      "firstDetectionTimestamp": "2026-04-10 09:15:22.800",
      "lastDetectionTimestamp": "2026-04-12 14:32:05.100",
      "detectionData": [
        {
          "reasonCode": "AAAA",
          "threatCode": "5ABCDE",
          "reasonData": "...info...",
          "occurrenceCount": 5,
          "detectionReference": "AAAA:1234:5ABCDE"
          "params" : {...}
        }
      ],
      "detectedSessions": {
        "": 2,
        "": 3
      }
    },
    "FridaDetected": {
      "threatName": "FridaDetected",
      "transitionType": "resolvable",
      "buildID": "",
      "threatState": "notDetected",
      "state": "safe",
      "detectionCount": 0,
      "lastStateChangeTime": "",
      "firstDetectionTimestamp": "",
      "lastDetectionTimestamp": "",
      "detectionData": []
    }
}

getThreatInstallationState(threatName)
Returns the aggregated state of a single threat across all sessions.

{
  "threatName": "JailbrokenDevice",
  "transitionType": "persistentThreat",
  "buildID": "",
  "threatState": "active",
  "state": "compromised",
  "detectionCount": 5,
  "lastStateChangeTime": "2026-04-12 14:32:05.100",
  "firstDetectionTimestamp": "2026-04-10 09:15:22.800",
  "lastDetectionTimestamp": "2026-04-12 14:32:05.100",
  "detectionData": [
    {
      "reasonCode": "AAAA",
      "threatCode": "BBBBBB",
      "reasonData": "...",
      "occurrenceCount": 5,
      "detectionReference": "AAAA:1234:BBBBBB"
      "params" : {...}
    }
  ],
  "detectedSessions": {
    "": 2,
    "": 3
  }
}

Retention Policy

Threat-Memory™ stores threat detection data locally on the device to enable both real-time and historical analysis.

Session data remains available during app runtime and is cleared when the application closes.

Historical data (cross-session threat data) is preserved in persistent storage on the device.

Installation-level data is reset when the application is updated or reinstalled.

Threat-Memory™ retains threat data using a rolling history of sessions and detections, discarding older entries as new data arrives once the number of sessions containing threat data exceeds the configured window size. Both the rolling session window size and the volume of unique threat data retained are governed by the retention policy defined in the defense policy.

How to Interpret the Response

Threat-Memory™ responses provide an overall risk state as well as detailed per-threat information.

Overall State vs. Per-Threat State

sessionState / installationState
Represents the overall risk status of the session or installation.

Value	Meaning
`safe`	No active threats detected
`evaluating`	No active threats with at least one threat has not yet completed its initial evaluation.
`compromised`	At least one threat is currently active

state per threat
Indicates whether a specific threat is currently active.

Value	Meaning
`evaluating`	The defense hasn’t not yet completed the initial threat evaluation.
`safe`	No threat is currently impacting the app
`compromised`	Active threat is actively impacting the app

Threat Lifecycle: `threatState`

The threatState field describes the lifecycle state of a threat.

Value	Meaning
`active`	Threat is currently active and affecting the app
`detectedInSession`	Threat was detected earlier in the current session, but is not currently active
`detectedInPreviousSession`	Threat was detected in a previous session
`notDetected`	Threat has never been detected
`evaluating`	The defense has not completed the initial threat evaluation.

Persistent vs. Resolvable Threats

The transitionType field indicates how a threat behaves over time.

Value	Meaning
`persistentThreat`	The threat is considered active once detected, such as a rooted or jailbroken device
`resolvable`	The threat can be resolved and return to a safe state, such as vpn or proxy

Detection Count and History

These fields provide insight into threat frequency and timing base on the scope of the query – session vs installation.

Field	Meaning
`detectionCount`	Total number of threat detection occurrences
`firstDetectionTimestamp`	First time the threat was detected
`lastDetectionTimestamp`	Most recent detection
`lastStateChangeTime`	Last time the threat state changed

Detection Data

The detectionData field provides additional context about a detected threat.
When a threat is detected, detectionData is an array of objects with these fields:

reasonCode threatCode reasonData occurrenceCount detectionReference params

When a threat is not detected, detectionData is an empty array.

Session and Installation Scope

A session represents a single app launch.

An installation aggregates threat data across multiple sessions for the current app installation.

Installation-level data:

Is tied to the current app installation.
Does not persist between application reinstalls.

Use installation-level data to evaluate long-term risk patterns, such as fraud or staged attacks carried out across multiple sessions.

Example Interpretation

The following examples show how to check whether the current session is compromised and identify which threats are active.

Swift

import Foundation

let sessionState: NSDictionary = AppdomeThreatApi.getSessionState()

let overallState = sessionState["sessionState"] as? String ?? ""

if overallState == "compromised" {
    print("The session is compromised")

    if let threats = sessionState["threats"] as? NSDictionary {
        for (key, value) in threats {
            if let threatName = key as? String,
               let threat = value as? NSDictionary,
               let state = threat["state"] as? String,
               state == "compromised" {
                
                print("Active threat: \(threatName)")
            }
        }
    }
}

Objective-C

#import <Foundation/Foundation.h>

NSDictionary *sessionState = [AppdomeThreatApi getSessionState];

NSString *overallState = sessionState[@"sessionState"];

if ([overallState isEqualToString:@"compromised"]) {
    NSLog(@"The session is compromised");

    NSDictionary *threats = sessionState[@"threats"];
    if (threats != nil) {
        for (NSString *threatName in threats) {
            NSDictionary *threat = threats[threatName];

            if (threat != nil &&
                [[threat[@"state"] description] isEqualToString:@"compromised"]) {
                
                NSLog(@"Active threat: %@", threatName);
            }
        }
    }
}

This example:

Checks whether the session is compromised.
Iterates over all threats in the threats object.
Identifies which threats are currently active.

How Do I Learn More?

If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project.