A step-by-step guide on securing Android mobile application using SafetyNet
How amazing is the fact that in the year 2020 overall there were more than 200 billion Android app downloads? With a high percentage increase in Enterprise Mobile App Development & Android app downloads, high-risk vulnerabilities also peaked up to 40 percent in Android apps, resulting in information breaches, threats, and malware attacks.
Threats encountered from Android Developers’ perspective
The Android development platform is a service that offers an open-source ecosystem and isn’t under our monitoring and provisioning. The threats and malware attacks are unpredictable, and they can damage the device, also making our applications work slower or maybe not work at all.
Users can do a lot of things with their devices that decrease their levels of security. They can, for example, root devices or install custom ROMs. These examples are based on the same conceivable problem.
When you route an Android device, the full security of the device is in the hands of the user. This is also applicable to custom ROMs (firmware created by the community based on Android’s AOSP), most of which require root. With root privileges, it is also possible to access the application’s internal data which would not be accessible without the root.
What is Safety Net Attestation API?
The SafetyNet Attestation API developed by Google, is an enemy of misuse APIs that permits application designers to evaluate the Android gadget their application is running on.
Generally, the custom mobile application development companies, utilize the APIs as a piece of your maltreatment discovery framework to help decide if your workers are communicating with your real application running on a veritable Android gadget.
The SafetyNet Attestation API gives a cryptographically marked validation, surveying the gadget’s respectability. To make the confirmation, the API inspects the gadget’s product and equipment climate, searching for trustworthiness issues, and contrasting it with the reference information for affirmed Android gadgets.
The created authentication is bound to the nonce that the guest application gives. The confirmation likewise contains an age timestamp and metadata about the mentioned application.
Purpose of SafetyNet Attestation API:
Suppose you have an Android mobile application and while connecting any API to the server from the Android device, sometimes the logs of that API can be breached with sensitive information transits from the postman or any other API platform.
To secure such information and data breaching, Google has implemented a new API that checks if the API request has come from the actual device or any other API calling platforms. If the API call is not coming from the actual Android device, it will return the call to the host without responding to the API call.
To secure apps against security threats, including device tampering bad URLs harmful apps and fake users android supports SafetyNet Attestation API.
Use Case Scenario
The main use case scenario for this process is to validate the end-user identity, if the user is real and the call is from an actual Android device then only the server will allow the user to register or login. The API has its integration on the Android device as well as on the server side.
Overall Process
The overall process started with verifying the call by the server on an Android device on the client side. The client does an API call from their Google service, then the Google service do an API call in their server and returns the SafetyNet attestation API which is received by the client, the client has now received the JWS token, and this JWS token now goes to the backend server. The backend server will verify the token and provide the respective response to the client.
The API uses the following workflow:
- The SafetyNet Attestation API gets a call from your application. This call incorporates a nonce.
- The SafetyNet Attestation administration assesses the runtime climate and solicits a marked confirmation of the appraisal results from Google’s servers.
- Google’s servers send the marked verification to the SafetyNet Attestation administration on the gadget.
- The SafetyNet Attestation administration restores this marked validation of your application.
- Your application advances the marked confirmation of your server.
- This server approves the reaction and utilizes it against misuse choices. Your worker conveys its discoveries to your application.
Steps to use SafetyNet Attestation API with Android Device and Server
Obtain an API key:
To call the strategies for the SafetyNet Attestation API, you should utilize an API key. To make a key and install this key, complete the following steps:
- Navigate to the Library section in the Google APIs Console.
- Search for Android Device Verification API and select it. It opens the dashboard screen.
- If the API isn’t already enabled, then enable it.
- Click on Generate an API key if Create Credentials display or click on All API credentials from the drop-down list and then select the API key that’s linked with the project that has enabled the Device Verification API.
- From the sidebar on the left, click Credentials. Copy the API key that appears.
- Utilize the copied key when you call the attest() in the SafetyNetClient class.
Check the Google Play Services version
Before using the Attestation API, you want to make sure that the right version of Google Play services is installed on the device. If an incorrect version is installed, your app could also be stopped responding after an API call. If an app detects that an incorrect version is installed, you’ve got to ask the user to update the Google Play services app on their Android device.
To check this installed version of Play services is compatible with the version of the Android SDK you’re using, call the isGooglePlayServicesAvailable() method, as shown within the below snippet:
if (GoogleApiAvailability.getInstance().isGooglePlayServicesAvailable(context) == ConnectionResult.SUCCESS) {
// The SafetyNet Attestation API is available.
} else {
// Prompt user to update Google Play services.
}
Request a SafetyNet attestation
After you get a key that is legitimate for the Device Verification API inside the Google Console, your application can utilize the validation report. To do as such, complete the accompanying steps:
- Obtain a nonce.
- Request to SafetyNet attestation.
- Transfer received a response to your server.
- Use that response on your server, alongside your other anti-abuse signals, to regulate your app.
To keep an app responsive, execute the above steps outside of the app’s main execution thread.
Obtain a Nonce
“When calling the Attestation API, you must pass in a nonce. The resulting attestation contains this nonce, allowing you to work out that the attestation belongs to your API call and is not replayed by an attacker”
A nonce used with a SafetyNet request should be a minimum of 16 bytes long. You should introduce variability in your nonce, ensuring that an equivalent nonce isn’t used twice. As a best practice, derive a part of the nonce from the info being sent to your servers.
Request the Attestation
After you’ve established a connection to Google Play services and have created a nonce, you’re able to make a SafetyNet attestation request. The response to your request won’t be immediate, so it’s best to line up a callback listener to handle the response from the service. An example listener appears within the following code snippet:
// The nonce should be a minimum of 16 bytes long.
// You must generate the worth of API_KEY within the Google APIs dashboard.
SafetyNet.getClient(this).attest(nonce, API_KEY)
.addOnSuccessListener(this, new OnSuccessListener<SafetyNetApi.AttestationResponse>() {
@Override
public void onSuccess(SafetyNetApi.AttestationResponse response) {
// Indicates communication with the service was successful.
// Use response.getJwsResult() to get the result data.
}
})
.addOnFailureListener(this, new OnFailureListener() {
@Override
public void onFailure(@NonNull Exception e) {
// error while communicating with the service.
if (e instanceofApiException) {
// issue with the Google Play services API contains some
// additional details.
ApiExceptionapiException = (ApiException) e;
// you'll retrieve the status code using the apiException.getStatusCode() method.
} else {
// unknown type of error occurred.
Log.d(TAG, "Error: " + e.getMessage());
}
}
});
The onSuccess() method indicates that communication with the Google service was successful but it doesn’t indicate whether the device has passed the attestation.
Transfer the SafetyNet attestation response to your server
When your app communicates with SafetyNet, the service provides a response containing the results of the SafetyNet attestation and includes additional information to assist you verify the integrity of the message. the subsequent JWS excerpt shows the format and sample contents of the payload data:
{
"timestampMs": 9860437986543,
"nonce": "R2Rra24fVm5xa2Mg",
"apkPackageName": "com.package.name.of.requesting.app",
"apkCertificateDigestSha256": ["base64 encoded, SHA-256 hash of the certificate used to sign requesting app"],
"ctsProfileMatch": true,
"basicIntegrity": true,
}
Conclusion
In this blog, we discussed how to secure your communication between Android client and server using SafetyNet Attestation API. Securing your Android client and server connection is very critical to every business and industry operation.
Secure communication between clients and servers stabilizes the overall downtime issues and provides highly reliable infrastructure. If you are looking to secure your end-point device communications, and hybrid mobile app development services, get in touch with us today!
DEV Information Technology Ltd. is a technology solution provider delivering digital transformation solutions using cloud automation and data technologies. To succeed digital transformation journey of our enterprise clients, we also help them to develop a mobile application to make their business operations smooth.
So far, we have developed 150+ Android & iOS applications and are recognized as the best mobile application development company, iOS app development company, and Android app development company in India and CANADA.