This sample demonstrates how to verify the response received from the SafetyNet service.
It shows how to extract the compatibility check response from the JWS message, validate its SSL certificate chain, hostname and signature.
This check can be done completely offline (See OfflineVerify.java
) or by using the Android Verification API to verify the content and signature of the response (see OnlineVerify
). This REST API requires you to register at the Google Developers console and register for an API key. Detailed steps are available [in the documentation] under Validating the response with Google APIs.
Note that this sample only provides a basic overview over the verification process and does not cover all possibilities. For example,it is reccomended to always verify the nonce in the request as well. This sample also does not show the app-to-server communication.
For more details, see the guide at https://developer.android.com/training/safetynet/index.html#verify-compat-check .
This sample only demonstrates verification of the server response. The next step is to verify that the attestation response matches the request by verifying their contents, including the package name, digest, timestamp and nonce.
This step is crucial. If you do not verify the response and request, you may be vulnerable to a replay attack, in which an attacker can replay an old attestation response from a different device or app.
- up-to-date Java JDK The following dependencies are included in the
- Google HTTP Client Library for Java (with Jackson 2 extension) for online verification (module
google-http-client-jackson2
) - up-to-date Apache HttpClient Library for certificate verification
This sample uses the Gradle build system, but can also be easily build with any IDE or with any build tool.
To build this project using the provided gradle scripts, use the "gradlew build" command and then run these special run tasks where you can specify the signed statement as a paramter:
- OfflineVerify:
gradlew runOfflineVerify -PsignedStatement=...
- OnlineVerify:
gradlew runOnlineVerify -PsignedStatement=...
Online verification requires an API key for the Android Verification API. Follow the steps in the documentation under "Validating the response with Google APIs" and add the API key into the API_KEY
field at the top of OnlineVerify.java
.
If you are not using Gradle, you can also build this sample with any other build system and run it directly from the commandline, adding the signed stament as a paramter. Just be aware that the OnlineVerify.java
requires the Google HTTP Client Library for Java.
- Build and run the Android component of this sample.
- Retrieve a signed statement from the Android app and copy it to your machine. (You can use the "Share Result" option.)
- Build this server component and provide the signed statement as input.
If you've found an error in this sample, please file an issue: https://github.com/googlesamples/android-SafetyNetSample
Patches are encouraged, and may be submitted by forking this project and submitting a pull request through GitHub. Please see CONTRIBUTING.md for more details.
Copyright 2016 Google Inc.
Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.