Aegis Security Environment is an enterprise-grade, multi-layered security platform designed to protect mobile banking applications from fraud and unauthorized access. It implements advanced cryptographic protocols, device fingerprinting, and policy-based security enforcement to ensure end-to-end protection of financial transactions.
- Architecture Overview
- System Components
- Security Features
- Technology Stack
- Installation & Setup
- API Documentation
- Security Flow
- Development
- Deployment
- Security Considerations
- Contributing
- License
- Support
- Acknowledgments
flowchart TD
subgraph MobileApp[Mobile Application]
SFEClient[SFE Client SDK]
DemoBankApp[Demo Banking App]
end
subgraph BankBackend[Demo Bank Backend]
Auth[User Authentication]
Accounts[Accounts & Transactions]
Integration[Aegis API Integration]
end
subgraph AegisAPI[Aegis Security API]
Controllers[Controllers]
Services[Services]
Repositories[Repositories]
Entities[Entities]
end
subgraph DataLayer[Data Layer]
PostgreSQL[(PostgreSQL/TiDB)]
Redis[(Redis Cache)]
end
subgraph Admin[Admin & Monitoring]
Portal[Admin Portal - React]
Dashboard[Bank Dashboard - React]
end
SFEClient -->|Provision/Sign| AegisAPI
DemoBankApp --> BankBackend --> AegisAPI
AegisAPI --> DataLayer
Portal --> AegisAPI
Dashboard --> BankBackend
The core backend providing cryptographic services and device management.
Key Features:
- Device registration and provisioning
- HMAC-SHA256 signature validation
- Policy-based security enforcement
- Real-time fraud detection
- Device fingerprinting and tracking
- Admin management interface
Architecture Layers:
- Controller Layer
DeviceController,AuthController,AdminController,PolicyController,FraudController - Service Layer
CryptographyService,DeviceRegistrationService,SignatureValidationService,PolicyEnforcementService,DeviceFraudDetectionService,IntegrityValidationService - Repository Layer (Spring Data JPA)
DeviceRepository,UserRepository,PolicyRepository,DeviceFingerprintRepository,PolicyViolationRepository - Entity Layer
Device,DeviceFingerprint,Policy,PolicyRule,PolicyViolation
Simulates a bank backend system integrated with Aegis.
Key Features:
- User authentication and session management
- Account and balance tracking
- Transaction processing with signature validation
- Device rebinding support
- KYC data management
Headless Android library providing cryptographic and security services.
Key Features:
- Secure device provisioning
- HMAC-SHA256 signing
- AES-256 encryption & RSA envelope encryption
- Android Keystore integration
- SecureVaultService for sensitive data
- Device fingerprinting
Core Classes:
AegisSfeClient - Main SDK interface
SecureKeyStorage - Android Keystore wrapper
RequestSigningService - HMAC signing implementation
SecureVaultService - Encrypted storage service
DeviceFingerprintCollector - Device characteristic gathering
UserMetadataCollector - User context collectionDemo Android app showcasing SDK integration.
Features:
- Biometric authentication
- Account dashboard
- Secure transfers & transaction history
- Device provisioning UI
- Jetpack Compose UI
React-based administrative dashboard.
Features:
- Device management
- Policy configuration
- Fraud detection analytics
- Real-time alerts & audit logs
React-based operations monitoring dashboard.
SecureRandom secureRandom = new SecureRandom();
String secretKey = new BigInteger(256, secureRandom).toString(32);String stringToSign = method + "|" + path + "|" + timestamp + "|" + nonce + "|" + body;
Mac mac = Mac.getInstance("HmacSHA256");
SecretKeySpec spec = new SecretKeySpec(secretKey.getBytes(), "HmacSHA256");
mac.init(spec);
String signature = Base64.getEncoder().encodeToString(mac.doFinal(stringToSign.getBytes(StandardCharsets.UTF_8)));- Android Keystore
- AES-256-GCM encryption
- RSA-2048 key wrapping
- Envelope encryption pattern
- Fingerprinting: Hardware, software, network, display parameters
- Policy Enforcement: Real-time rules & violations
- Fraud Detection: Fingerprint changes, geo anomalies, patterns, biometrics
- Backend: Spring Boot 3.5.3 (Java 21), PostgreSQL/TiDB, Redis, JWT, Gradle
- Android: Kotlin, Jetpack Compose, MVVM, Retrofit, Hilt
- Web: React 18, TypeScript, Redux Toolkit, Material-UI, Axios
App → Backend → Aegis API → Device ID + Secret → Keystore
App Signs (HMAC) → Backend Validates via Aegis → Result
Request → Fingerprint → Policy Rules → Risk Score → Allow/Deny
- Java 21
- Android Studio
- Node.js 18+
- PostgreSQL / TiDB
- Redis
git clone https://github.com/gradientgeeks/aegis.git
cd aegis
./gradlew bootRunCREATE DATABASE aegis_security_v3;Run migrations (auto on first boot). Optional demo data:
./gradlew bootRun --args="--spring.profiles.active=demo"POST /api/device/register
Content-Type: application/json
{
"clientId": "UCOBANK_PROD_ANDROID",
"registrationKey": "REG-KEY-123",
"integrityToken": "play-integrity-token",
"deviceFingerprint": { ... }
}POST /api/device/validate-signature
Headers:
X-Device-Id: device-uuid
X-Signature: base64-hmac-signature
X-Timestamp: 1234567890
X-Nonce: unique-nonce
{
"data": "request-body"
}Full docs: /api/swagger-ui.html
./gradlew build
./gradlew test
./gradlew jacocoTestReport./gradlew assembleDebug
./gradlew assembleRelease
./gradlew test
./gradlew connectedAndroidTestdocker build -t aegis-api ./aegis
docker build -t bank-backend ./backend-app
docker-compose up -d./deploy-azure-cloud-build.sh
./monitor-azure.shSPRING_DATASOURCE_URL=jdbc:postgresql://localhost:5432/aegis
SPRING_DATASOURCE_USERNAME=aegis_user
SPRING_DATASOURCE_PASSWORD=secure_password
SPRING_REDIS_HOST=localhost
SPRING_REDIS_PORT=6379
JWT_SECRET=your-secret-key- Enforce HTTPS/TLS
- Rate limiting & audit logging
- Key rotation with HSM storage
- Fraud monitoring & anomaly detection
- OWASP MASVS compliance
MIT License
Version: 1.0.7
Last Updated: September 2025
Maintained by: Gradient Geeks