Attestation¶
The attestation API provided by Google allows app developers to assess the Android device their app is running on. It should be used as one part of a misuse-detection system that helps determine whether your servers are talking to your genuine app running on a genuine Android device; an attestation verdict on its own does not prove that a request is legitimate.
Google originally provided the SafetyNet Attestation API for this purpose. That API is now deprecated and has been replaced by the Play Integrity API: migration guide.
The SAP BTP SDK for Android integrates the attestation API to assess device integrity. To create an attestation, the API examines the device's software and hardware environment for integrity issues and compares it against reference data for approved Android devices. The generated attestation token is bound to a nonce supplied by the mobile services, so a token cannot be replayed for a different request, and its expiration time is set by the administrator in the mobile services cockpit.
The mobile services cockpit provides a chart showing the attestation status of OkHttp requests. Developers can review the chart to determine whether the mobile services treat the app and device as genuine. If Android attestation is configured in Enforced mode, a request for which no attestation token could be obtained is rejected by the mobile services, so OkHttp requests to back-end connections fail instead of being forwarded.
Google sets a default per-project quota for calls to the attestation API across all users of the app. If attestation requests exceed this quota, the mobile services cockpit displays a warning message. The developer then needs to reduce the frequency of attestation requests (for example by lengthening the refresh interval) or request additional quota from Google.
SafetyNet API (Deprecated)¶
After Android SafetyNet attestation is enabled and correctly configured in the mobile services cockpit, the developer adds an AttestationService instance to the SDKInitializer.start call.
The service then handles the entire attestation process, including sending attestation requests and adding the attestation token to the OkHttp request header.
AttestationService takes one optional constructor argument that sets the interval between two attestation requests. If this interval is longer than the attestation token lifetime configured in the cockpit, or is not set, the SAP BTP SDK for Android runs attestation whenever the token is missing or has expired.
```kotlin
import java.time.Duration

// Refresh the SafetyNet attestation token once a day; an interval longer than the
// token lifetime set in the cockpit is ignored and the SDK refreshes on expiry instead.
val services = mutableListOf<MobileService>()
services.add(AttestationService(Duration.ofDays(1)))
SDKInitializer.start(this, *services.toTypedArray())
```
Play Integrity API¶
After Android Play Integrity attestation is enabled and correctly configured in the mobile services cockpit, the developer adds an IntegrityService instance to the SDKInitializer.start call.
The service then handles the entire attestation process, including sending attestation requests and adding the attestation token to the OkHttp request header.
```kotlin
// Register Play Integrity attestation; the service requests and refreshes tokens itself.
val services = mutableListOf<MobileService>()
services.add(IntegrityService())
SDKInitializer.start(this, *services.toTypedArray())
```
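The following Application class is an added example, not code from the SAP BTP SDK for Android documentation or the SDK itself. It ties the two sections above together: it registers the deprecated AttestationService only behind a hypothetical build flag (BuildConfig.USE_LEGACY_SAFETYNET) during a staged migration and IntegrityService otherwise, and it adds a plain OkHttp interceptor that logs non-successful responses so that rejections in Enforced mode are visible while the attestation chart in the cockpit is being checked. The import packages of AttestationService and IntegrityService, the use of ClientProvider.get()/set() to reach the SDK's shared OkHttpClient, and the build flag are assumptions and should be checked against the SDK version in use; the HTTP status the mobile services return for a rejected request is not stated on this page, so the interceptor reports any non-2xx response rather than a specific code.

```kotlin
// Added example (not SDK code). Assumptions are marked in the comments below.
package com.example.attestationdemo

import android.app.Application
import android.util.Log
import com.sap.cloud.mobile.foundation.mobileservices.MobileService   // assumed package
import com.sap.cloud.mobile.foundation.mobileservices.SDKInitializer  // assumed package
import com.sap.cloud.mobile.foundation.networking.ClientProvider       // assumed package
import com.sap.cloud.mobile.foundation.safetynet.AttestationService    // assumed package
import com.sap.cloud.mobile.foundation.integrity.IntegrityService      // assumed package
import okhttp3.Interceptor
import okhttp3.Response
import java.time.Duration

class DemoApplication : Application() {
    override fun onCreate() {
        super.onCreate()

        val services = mutableListOf<MobileService>()
        if (BuildConfig.USE_LEGACY_SAFETYNET) {            // hypothetical build flag
            // Deprecated path, kept only until every tenant is switched to Play Integrity.
            // The SDK refreshes the token earlier than this if the cockpit lifetime is shorter.
            services.add(AttestationService(Duration.ofDays(1)))
        } else {
            services.add(IntegrityService())
        }
        SDKInitializer.start(this, *services.toTypedArray())

        // Diagnostic only: surface back-end rejections in logcat. ClientProvider.get()/set()
        // are assumed to expose the SDK's shared OkHttpClient; the SDK's own interceptors,
        // including the one that attaches the attestation token, are kept by newBuilder().
        val client = ClientProvider.get().newBuilder()
            .addInterceptor(RejectionLogger())
            .build()
        ClientProvider.set(client)
    }
}

/** Logs every non-successful response so Enforced-mode rejections are easy to spot. */
class RejectionLogger : Interceptor {
    override fun intercept(chain: Interceptor.Chain): Response {
        val request = chain.request()
        val response = chain.proceed(request)
        if (!response.isSuccessful) {
            // The exact rejection status is not documented here, so do not filter by code;
            // correlate the URL and code with the attestation chart in the cockpit.
            Log.w(
                "Attestation",
                "Request to ${request.url} returned HTTP ${response.code}; " +
                    "if attestation is Enforced, check the attestation status chart"
            )
        }
        return response
    }
}
```

Keep the interceptor at log level only: it must not retry or alter requests, because in Enforced mode the correct reaction to a missing token is to let the SDK obtain a fresh one, not to bypass the check.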