• Stars
    star
    331
  • Rank 127,323 (Top 3 %)
  • Language
    Java
  • Created over 9 years ago
  • Updated almost 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

SafetyNet Helper wraps the Google Play Services SafetyNet.API and verifies Safety Net API response with the Android Device Verification API.

SafetyNet attest() Helper

SafetyNet Helper wraps the Google Play Services SafetyNet.API and verifies Safety Net API response with the Android Device Verification API. The SafetyNet.API analyses the device your app is running on to test its software/hardware configuration matches that of a device that has passed the Android Compatibility Test Suite (CTS). Note this is a client only validation, it's recommended to include server side validation.

Rooted devices seem to cause ctsProfileMatch=false.

Recommend reading the developers guide to getting started with SafetyNet

Extract from Android SafetyNet API doc

Check if your app is running on a device that matches a device model that has passed Android compatibility testing. This analysis can help you determine if your app will work as expected on the device where it is installed. The service evaluates both software and hardware characteristics of the device, and may use hardware roots of trust, when available.

Since this library release Google has created an Safety Net Sample

Features

  • Calls Google play services Safety Net test
  • Local verification of request
  • Verifies Safety Net API response with the Android Device Verification API (over SSL pinned connection)

Requires / Dependencies

  • Google Play services (specifically the SafetyNet API 'com.google.android.gms:play-services-safetynet:17.0.0')
  • Requires Internet permission
  • Google API key for the Android Device Verification API

Server Validation!!!

This library was built to get app developers up and going with SafetyNet attest API.

With skill and time any device based checks can be bypassed. This is why the validation must be handled by the server. Therefore you should look at implementing more robust and secure validation of the attest response via a server-side component.

  • App requests the nonce / request token from your server
  • Call SafetyNet.getClient(context).attest(requestNonce, apiKey)
  • When the Pass the JwsResult returned as part of the SafetyNet success response to your server for validation i.e
    • Check the nonce/request token matches the expected value
    • verify the SafetyNet response is from Google using the Android Device Verification API
    • verify app package, timestamp, apk and certificate digests
  • Based on the validation result your server can choose whether to trust the app install. The action you take is dependent on your app, you could log the user out by revoking OAUTH tokens or flag any high scores as potential cheating.

How to use

You'll need to get a API key from the Google developer console to allow you to verify with the Android Device Verification API (in the sample project this is set via a BuildConfig field to keep my api key out of GitHub)

    final SafetyNetHelper safetyNetHelper = new SafetyNetHelper(API_KEY);

    safetyNetHelper.requestTest(context, new SafetyNetHelper.SafetyNetWrapperCallback() {
            @Override
            public void error(int errorCode, String msg) {
                //handle and retry depending on errorCode
                Log.e(TAG, msg);
            }

            @Override
            public void success(boolean ctsProfileMatch, boolean basicIntegrity) {
                if (ctsProfileMatch) {
                    //profile of the device running your app matches the profile of a device that has passed Android compatibility testing.
                else if(basicIntegrity){
                    //then the device running your app likely wasn't tampered with, but the device has not necessarily passed Android compatibility testing.
                } else {
                    //handle fail, maybe warn user device is unsupported or in compromised state? (this is up to you!)
                }
            }
        });

Add as dependency

This library is not released in Maven Central, until then you can add as a library module or use JitPack.io

add remote maven url

    repositories {
        maven {
            url "https://jitpack.io"
        }
    }

then add a library dependency

    dependencies {
        compile 'com.github.scottyab:safetynethelper:<latest version>'
    }

Sample App

The sample app illustrates the helper library in practice. Test your own devices today. It's available on the playstore.


Licence

Copyright (c) 2022 Scott Alexander-Bown

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

More Repositories

1

rootbeer

Simple to use root checking Android library and sample app
Java
2,439
star
2

secure-preferences

Android Shared preference wrapper than encrypts the values of Shared Preferences. It's not bullet proof security but rather a quick win for incrementally making your android app more secure.
Java
1,526
star
3

AESCrypt-Android

Simple API to perform AES encryption on Android. This is the Android counterpart to the AESCrypt library Ruby and Obj-C (with the same weak security defaults :( ) created by Gurpartap Singh. https://github.com/Gurpartap/aescrypt
Java
640
star
4

showhidepasswordedittext

Show/Hide Password EditText is a very simple extension of Android's EditText that puts a clickable hide/show icon in the right hand side of the EditText that allows showing of the password.
Java
557
star
5

ssl-pin-generator

Simple jar to generate SSL pins based on a certificate's public key. Pins are base-64 SHA-1 hashes by default.
Java
94
star
6

androidkeystore

This started out as the sample project from Android sdk modified folder structure to for eclipse.
Java
53
star
7

HeartBeatView

Simple custom view of a beating heart using scaling animation.
Java
44
star
8

FuzzyDateAndroid

Create more relax human reabable dates and times just like twitter, stackoverflow.
Java
19
star
9

android-device-stats

Device Stats is a designs for people developing Android apps to quickly and easier see the exact specs of a device. Ideal for test devices where you aren't 100% sure on the resource qualifiers.
Java
12
star
10

android-environment-configuration-sample

Sample app used in blog post to illustrate a way of externallising config strings and adding DexGuard protection
Java
5
star
11

restart-counter-android

Simple app to count the number of restarts
Java
2
star
12

sample-location-based-image-tracker

Interview sample Location based image tracker that uses Flickr
Kotlin
1
star
13

meetup-java-client

Automatically exported from code.google.com/p/meetup-java-client
Java
1
star
14

EmbedExample

Standalone example app and library that used FatAAR plugin. Created to diagnose build issue we are seeing with production project
Kotlin
1
star
15

scottyab

Personal about me page
1
star