Tactical-edge exercise platform
Multiplayer iOS, Android, and web clients with real-time WebSocket coordination. Hono.js API on AWS Lambda. Admin, event, and game-management console with player and exercise metrics and session replays.
by 
Compliance-floor delivery capability · .mil mobile
Ship compliant.
Ship authorized.
Clavark is SigilArk's compliance-floor delivery capability for DoD mobile. OIDC, attestation, CUI discipline, STIG controls, and an ATO-aligned audit pipeline — ready on day one across iOS, Android, web console, and API. This is how SigilArk delivers.
Engage SigilArk →Proven in production
Medical-readiness system
Provider-facing iOS and Android apps backed by a Hono.js REST API on AWS Lambda. Command-level console for mission editing and readiness dashboards, serving military, international, and disaster-relief engagements.
Both deployments meet the full 22 + 8 mobile STIG + compensating-control matrix out of the box.
Control matrix
22 full-parity · 8 platform-asymmetric
Clavark ships 30 mobile-application controls mapped to the authoritative DoD and NIST publications below. The native-mobile control set — proven in prior .mil deployments — is extended with a web column (BFF, strict CSP, Trusted Types) and an API column (attestation verification, version-header enforcement, audit ingest) so mobile controls become load-bearing end-to-end.
Some program-level vocabularies call the platform-asymmetric group “compensating” — several entries (iOS copy/cut, iOS clipboard, web screenshot prevention) are in fact compensating on those targets where the platform API surface does not permit the ideal control.
Reference standards
- DISA STIG DISA Security Technical Implementation Guide library
- DISA Mobile SRG DISA Mobile Application Security Requirements Guide
- NIST SP 800-53 Rev 5 NIST SP 800-53 Rev. 5 — Security and Privacy Controls for Information Systems and Organizations
- NIST SP 1800-22 NIST SP 1800-22 — Mobile Device Security: Bring Your Own Device
- NIST SP 800-63B NIST SP 800-63B — Digital Identity Guidelines: Authentication and Lifecycle Management
- FIPS 140-3 FIPS 140-3 — Security Requirements for Cryptographic Modules
- CUI Registry National Archives — Controlled Unclassified Information Registry
- Section 508 Section 508 of the Rehabilitation Act — 29 U.S.C. § 794d
- EO 14028 Executive Order 14028 — Improving the Nation's Cybersecurity
- DoDI 8500.01 DoD Instruction 8500.01 — Cybersecurity (DoD issuances catalog)
- DoD 5015.02 DoD 5015.02 — Electronic Records Management Software Applications Design Criteria Standard
- OpenID Connect Core OpenID Connect Core 1.0 specification
- RFC 7636 (PKCE) RFC 7636 — Proof Key for Code Exchange by OAuth Public Clients
- RFC 7009 RFC 7009 — OAuth 2.0 Token Revocation
- RFC 7807 RFC 7807 — Problem Details for HTTP APIs
- OWASP ASVS OWASP Application Security Verification Standard
- Play Integrity API Google Play Integrity API — hardware-backed Android device attestation
- Apple App Attest Apple App Attest — hardware-backed iOS app attestation
Full-parity controls · 22
Controls that ship with matching implementations across native mobile clients, the web console, and the API reference.
Root / jailbreak detection
Reject launch on devices with signs of root or jailbreak. Platform-specific heuristics on native clients.
Android iOS
Debugger detection
Detect attached debuggers at launch and prevent debugger attachment on release builds.
Android iOS
Device attestation
Hardware-backed attestation via Play Integrity (Android) and App Attest (iOS); server verifies the token before trusting the client.
Android iOS API
Attestation header injection
Every authenticated mobile request carries X-Attestation-Token; omitted from web requests by design under the BFF model.
Android iOS API
CUI // OPSEC banner
Classification banner visible on every authenticated view; text configurable to the marking required by the adopter program.
Android iOS Web API
CUI banner regression test
Static source-walk in CI asserts every screen renders the banner. Prevents silent drift on new routes.
Android iOS Web API
Keyboard caching disabled
Autocorrect, predictive text, personalized-learning, and autofill suppressed on fields handling CUI.
Android iOS Web
CUI acknowledgment gate
First-launch modal reminds users of CUI handling obligations. Versioned so policy changes re-prompt.
Android iOS Web API
Gate chain order
Fixed precedence: jailbreak → CUI ack → auth → upgrade check → attestation → app. Compiled-in; no runtime toggles.
Android iOS Web API
Token lifecycle — 120s background grace
App tokens wiped 120 seconds after backgrounding. Cold start forces OIDC re-authentication.
Android iOS Web API
In-memory-only tokens
Refresh and access tokens never touch disk — no Keychain, no SharedPreferences, no localStorage.
Android iOS Web API
Certificate pinning
Release builds pin the API TLS certificate; backup pin enables rotation overlap; pin failure is a hard error.
Compensating on web — browser CA store + HSTS + CT logs per standard web posture.
Android iOS API
Disk cache disabled
HTTP disk cache off by default; CUI responses additionally tagged Cache-Control: no-store.
Android iOS Web API
30-second request timeouts
Every client and the API gateway enforce a 30-second cap. No unbounded waits on any path.
Android iOS Web API
Version headers
Every authenticated request carries X-App-Version and X-Platform-Version. Server audit-logs both and enforces a minimum-version floor.
Android iOS Web API
Bearer token injection
Authorization: Bearer <jwt> added server-side by the BFF for web, client-side for mobile. Validated at the API on every route.
Android iOS Web API
Session-expired (401) handler
Client intercepts 401 + RFC 7807 code=session_expired, surfaces an explicit re-auth flow — never a silent retry loop.
Upgrade-required (426) handler
Server returns 426 when X-App-Version is below floor. Client shows a non-dismissable update prompt.
Android iOS Web API
Attestation-failed (403) handler
Client intercepts 403 + RFC 7807 code=attestation_failed, triggers a re-attestation flow rather than crashing.
Android iOS API
Disk-write regression test
CI fails if any code path writes to disk outside an explicit allowlist. Catches persistence regressions before they ship.
Android iOS Web API
Interceptor registration regression test
CI verifies all required middleware and client interceptors are registered in the correct order.
Android iOS Web API
OIDC provider abstraction
Single provider-agnostic codepath with quirk flags isolating Login.gov, myAccess, Okta, Azure AD, Cognito, Keycloak differences.
Android iOS Web API
Platform-asymmetric controls · 8
Controls where the ideal implementation differs per target, or where one platform's API surface forces a compensating posture.
Screenshot prevention or detection
Android prevents capture with FLAG_SECURE. iOS and web detect the event and audit it — platform APIs do not permit prevention.
Compensating on iOS (detect-only) and web (detect-only via visibilitychange).
Android iOS Web API
App-switcher / task-preview privacy
Thumbnail obscured when the app is backgrounded. FLAG_SECURE on Android, material blur overlay on iOS.
Android iOS
Copy / cut disabled on CUI fields
Android suppresses the text-toolbar copy/cut items. Web blocks copy and cut events on CUI inputs. iOS is best-effort with no public API.
Compensating on iOS — no public SwiftUI API to suppress text-toolbar items.
Android iOS Web
Clipboard clearing on sign-out / background
Android calls ClipboardManager.clearPrimaryClip() on sign-out and background transitions.
Compensating on iOS — no public API to clear the system clipboard from an app.
Android iOS Web
Build-time log stripping
Release builds strip debug logs: R8 -assumenosideeffects on Android, os.Logger scoping on iOS, Vite in web production, Pino log-level pinned on API.
Android iOS Web API
CUI logging regression test
Per-platform lint rules (detekt-no-cui-in-log, swiftlint-no-cui-in-log, eslint-no-cui-in-log) plus source-walk tests catch CUI leaking into logs.
Android iOS Web API
Play Integrity (Android)
Hardware-backed attestation via Google Play Integrity API. Server verifies verdict, nonce, and device-integrity fields on every attested request.
Android API
App Attest (iOS)
Hardware-backed attestation via Apple App Attest. Server verifies assertion against the registered key store.
iOS API
