SafetyNet attestation, a building block for anti-abuse

Posted by Arindam Basu, Borbala Benko, Alan Butler, Edward Cunningham, William Luh

Building innovative security features for Android app developers and their users continues to be a priority. As part of this effort, we provide SafetyNet attestation, an API for developers to remotely evaluate whether they are talking to a genuine Android device.

SafetyNet examines software and hardware information on the device to assess its integrity. The result is a cryptographically signed statement, attesting basic properties of the device — such as overall integrity and compatibility with Android (CTS) — as well as metadata about your app, such as its package name and signature. The following JSON snippet shows an example of how the API reports this information:

{
  "nonce": "R2Rra24fVm5xa2Mg",
  "timestampMs": 9860437986543,
  "apkPackageName": "com.package.name.of.requesting.app",
  "apkCertificateDigestSha256": ["base64 encoded, SHA-256 hash of the certificate used to sign requesting app"],
  "apkDigestSha256": "base64 encoded, SHA-256 hash of the app's APK",
  "ctsProfileMatch": true,
  "basicIntegrity": true
}
The contents of an example attestation response, providing information about the calling app and the integrity and compatibility of the device.

The SafetyNet attestation API can help your server distinguish traffic coming from genuine, compatible Android devices from traffic coming from less-trusted sources, including non-Android devices. This classification helps you better understand the risks associated with each device so that you can fine-tune preventive or mitigative actions in case of abuse or misbehavior.
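What a server can do with such a statement, as an added example in Python that is not code from the post or from the SafetyNet API: it decodes the payload of the JWS the API returns and then applies the checks a relying party needs (nonce, freshness, package name, signing-certificate digest, and the two integrity flags). The JWS signature and certificate chain are assumed to have been verified already; the sample JWS, the certificate digest and the two-minute freshness window are constructed values.

```python
import base64
import json

# Added example, not code from the post or the SafetyNet API. The attestation
# response is a JWS; verify its signature and certificate chain (issued to
# attest.android.com) before trusting the payload. That step is assumed done.
MAX_AGE_MS = 2 * 60 * 1000  # assumption: reject statements older than 2 minutes
OUR_PACKAGE = "com.package.name.of.requesting.app"

def decode_jws_payload(jws: str) -> dict:
    """Return the JSON payload (middle segment) of a compact-serialised JWS."""
    payload = jws.split(".")[1]
    padded = payload + "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))

def check_attestation(payload, expected_nonce, allowed_cert_digests, now_ms):
    """Return a list of failure reasons; an empty list means the statement passed."""
    problems = []
    if payload.get("nonce") != expected_nonce:  # binds the statement to this request
        problems.append("nonce mismatch (replayed or foreign statement)")
    ts = payload.get("timestampMs", 0)
    if not (now_ms - MAX_AGE_MS <= ts <= now_ms):
        problems.append("timestamp stale or in the future")
    if payload.get("apkPackageName") != OUR_PACKAGE:
        problems.append("package name is not our app")
    digests = set(payload.get("apkCertificateDigestSha256", []))
    if not digests or not digests <= set(allowed_cert_digests):
        problems.append("signing certificate not in allow list (repackaged app?)")
    if not payload.get("basicIntegrity"):
        problems.append("basicIntegrity false: tampered or emulated device")
    elif not payload.get("ctsProfileMatch"):
        problems.append("ctsProfileMatch false: not a certified device profile")
    return problems

# Constructed sample JWS (dummy header/signature, payload in the post's shape).
def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

SAMPLE_NONCE, SAMPLE_CERT, SAMPLE_TS = "R2Rra24fVm5xa2Mg", "constructed-cert-digest", 9860437986543
SAMPLE_JWS = ".".join([
    _b64url({"alg": "RS256"}),
    _b64url({"nonce": SAMPLE_NONCE, "timestampMs": SAMPLE_TS, "apkPackageName": OUR_PACKAGE,
             "apkCertificateDigestSha256": [SAMPLE_CERT],
             "ctsProfileMatch": True, "basicIntegrity": True}),
    "c2lnbmF0dXJl",  # placeholder signature; never accept a statement without verifying it
])

def verify_sample(now_ms=SAMPLE_TS + 1000):
    payload = decode_jws_payload(SAMPLE_JWS)
    return check_attestation(payload, SAMPLE_NONCE, [SAMPLE_CERT], now_ms)
```

Each failure reason is a separate signal, so a server can treat a stale timestamp or a nonce mismatch as a hard reject while feeding the integrity flags into a broader risk score.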

We encourage developers to use SafetyNet attestations to augment their anti-abuse strategy. Combine SafetyNet attestation with other signals, such as your existing device-side signals and behavioral signals about what the user is trying to do, in order to build robust, multi-tier protection systems.

For further information, check the recently updated documentation and see the SafetyNet API Samples on GitHub.
