Understanding Appdome Threat-Memory™
What Is Threat-Memory™?
Threat-Memory™ provides stateful, on-device threat intelligence for Appdome-protected Android and iOS apps. It allows applications to retrieve accumulated threat data on demand, giving developers direct access to the threat posture of the device and application at any point during runtime.
When an app is protected by Threat-Memory™, Appdome continuously evaluates the device and application environment against threats configured in the defense policy, including device integrity, fraud, account takeover, malware, geo-spoofing, and social engineering. Threat-Memory™ records each detected threat into a structured, stateful threat profile that is maintained locally on the device and continuously updated as the threat landscape changes.
Each tracked threat records:
- Its current state: safe or compromised
- Whether the threat is currently active, was detected earlier in the session, or was detected in a previous session
- Detection metrics, such as the number of unique detections
- First and most recent detection times
- Changes in threat activity over time
- Mitigation threat metadata, including reason codes, threat codes, and threat-specific data
This threat profile accumulates over time, building both a real-time and historical view of the device’s security posture across sessions.
Threat-Memory™ categorizes threats based on how they behave during a session.
Resolvable Model
The threat’s state can change during the same session as conditions evolve. For example, an active VPN may cause the device to be marked as compromised while it is enabled and return to a safe state once it is turned off. These threats reflect real-time conditions and can transition dynamically.
Persistent Model
The threat’s state cannot be remediated during runtime. For example, if a device is jailbroken or rooted, it remains in a compromised state for the duration of the session until the device is restored to a non-jailbroken or non-rooted state. In these cases, once the threat is detected, the state does not revert and continues to reflect the initial compromise.
Threat-Memory™ provides insights into threat state at two main levels:
Session-Level
All threats detected during a given app launch on the device.
Installation-Level
Aggregates threat data across all sessions on the device, providing a broader view of threat activity over time.
Applications retrieve this data by calling the in-app Threat-Memory™ API. All queries are synchronous and return immediately based on the state stored in local device storage—no network round-trip is required.
Threat-Memory™ does not display notifications, exit the application, or execute enforcement actions. The application owns all decisioning: when to query, what to evaluate, and how to respond.
Threat-Memory™ Benefits & Use Cases
Most stateless fraud solutions are either too sensitive or not sensitive enough when attempting to mitigate fraud. When a threat is detected and sent to the application, the application must decide whether the threat's severity justifies blocking user activity, which could impact the business, or whether to postpone the decision until it can construct a threat profile based on all past sessions. Postponing, however, can result in decisions being made too late.
In a stateless approach, the application is immediately informed about a detected threat without retaining any record of the event. This provides a narrow, moment-in-time view of risk and can miss multi-step or repeated attacks, evolving exploits, and broader patterns of compromise.
Threat-Memory™ separates responding to a threat from maintaining an active threat profile. It continuously tracks and accumulates threats on-device, allowing the application to query and decide when to respond.
Key Benefits
Shift from Chasing Threats to Evaluating Them at Decisive User Actions
Threat intelligence can be evaluated in critical user flows that matter most to the business—before a transaction, during authentication, or at account recovery—rather than only at the moment of detection.
Reduce User Friction Using Device Threat Profiling
Instead of reacting to a single threat signal, the application can evaluate the full threat context before taking action, reducing unnecessary interruption of legitimate users.
Shift to Evaluating Risk Instead of Tracking Individual Threats
Each threat carries a different risk level. Responses can be aligned with user activity and accumulated risk, rather than based solely on individual threats.
Seamless Integration with Existing Fraud Systems
Threat-Memory™’s structured session and installation state, along with its threat profile, can be used to enrich existing fraud engines, SIEMs, or analytics platforms.
Use Cases
Fraud Detection and Prevention
Query Threat-Memory™ before processing high-value transactions to evaluate the accumulated threat profile and detect patterns of compromise.
Risk Scoring
Use per-threat detection states, timestamps, detection counts, and metadata to build weighted risk scores that reflect the cumulative security posture of the device.
Account Takeover (ATO) Prevention
Detect multi-step attack patterns by evaluating accumulated threat signals at critical moments such as login or password reset.
Behavioral Analysis
Query Threat-Memory™ at multiple points during a session to observe how the threat posture evolves over time.
Risk-Based Decisioning
Apply different levels of access or enforcement based on the evaluated risk state of the device and session.
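The Risk Scoring and Risk-Based Decisioning use cases above, sketched as an added example that is not Appdome's code or API: it scores a threat-profile snapshot at a decision point and maps the score to an action. The snapshot shape, field names, threat ids, weights, and thresholds are all hypothetical, modelled only on the fields this article lists (state, activity, unique detections, resolvable or persistent model).

```javascript
// Added illustration, NOT the Threat-Memory API. Field names, ids, weights
// and thresholds below are assumptions made for this example.
const WEIGHTS = new Map([['rooted', 80], ['overlay', 40], ['vpn', 20]]);
const DEFAULT_WEIGHT = 10; // threat ids without an assigned weight
const RECENCY_PCT = new Map([
  ['active', 100], ['earlier_in_session', 60], ['previous_session', 30],
]);

// Contribution of one tracked threat to the device risk score.
function threatContribution(t) {
  if (!t.uniqueDetections) return 0; // never detected on this installation
  const weight = WEIGHTS.get(t.id) ?? DEFAULT_WEIGHT;
  // Persistent threats do not revert within a session, so a detection made
  // earlier in this session is treated as still active.
  const seen = t.model === 'persistent' && t.seen === 'earlier_in_session'
    ? 'active' : t.seen;
  const recency = RECENCY_PCT.get(seen) ?? 0;
  // Each repeated unique detection adds 10%, capped at +50%.
  const repeatPct = 100 + Math.min(t.uniqueDetections - 1, 5) * 10;
  return Math.round((weight * recency * repeatPct) / 10000);
}

// Evaluate the whole profile at a decision point (login, payment, recovery).
function evaluate(snapshot) {
  const score = snapshot.reduce((sum, t) => sum + threatContribution(t), 0);
  const decision = score >= 70 ? 'block' : score >= 30 ? 'step_up' : 'allow';
  return { score, decision };
}

// Constructed sample snapshot: VPN used and switched off earlier in this
// session, an overlay detected in a previous session, root never detected.
const sampleSession = [
  { id: 'vpn', model: 'resolvable', state: 'safe',
    seen: 'earlier_in_session', uniqueDetections: 3 },
  { id: 'overlay', model: 'resolvable', state: 'safe',
    seen: 'previous_session', uniqueDetections: 1 },
  { id: 'rooted', model: 'persistent', state: 'safe',
    seen: 'never', uniqueDetections: 0 },
];

console.log(evaluate(sampleSession));
```

Historical, resolved signals alone leave the sample below the step-up threshold, while the same profile with the VPN currently active or a root detection in the session crosses it.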
How to Implement Threat-Memory™
Threat-Memory™ is built for quick and seamless integration into any mobile application. Developers interact with it through a lightweight in-app API available on both Android and iOS, with no backend dependencies or infrastructure changes required.
It works seamlessly across application frameworks and architectures, whether the app is built natively (Swift or Objective-C on iOS, Kotlin or Java on Android) or using cross-platform frameworks such as Flutter or React Native. No framework-specific implementation is required.
Threat-Memory™ provides a unified interface for all threat data, eliminating the need for threat-specific logic. The same integration works across all build configurations and protection policies, allowing developers to consume and evaluate threats consistently without modifying the app as the defense policy evolves.
The API is synchronous and can be called at any point during runtime, especially at key risk or decision points. It returns both real-time and historical threat data as a structured response, including per-threat status and metrics such as unique detections, timestamps, and detection metadata. All data is retrieved directly from on-device storage, enabling immediate, context-aware decisions with zero network latency.
How Do I Learn More?
If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.