This post was originally published at SafetyNet attestation, a building block for anti-abuse

Posted by Arindam Basu, Borbala Benko, Alan Butler, Edward Cunningham, William Luh

Building innovative security features for Android app developers and their users
continues to be a priority. As part of this effort, we provide SafetyNet
, an API for developers to remotely evaluate whether they are
talking to a genuine Android device.

SafetyNet examines software and hardware information on the device to assess its
integrity. The result is a cryptographically signed statement, attesting basic
properties of the device — such as overall integrity and compatibility with
Android (CTS) — as
well as metadata about your app, such as its package name and signature. The
following JSON snippet shows an example of how the API reports this information:

  "nonce": "R2Rra24fVm5xa2Mg",
  "timestampMs": 9860437986543,
  "apkPackageName": "",
  "apkCertificateDigestSha256": ["base64 encoded, SHA-256 hash of the
                                  certificate used to sign requesting app"],
  "apkDigestSha256": "base64 encoded, SHA-256 hash of the app's APK",
  "ctsProfileMatch": true,
  "basicIntegrity": true,

The contents of an example attestation response, providing information about
the calling app and the integrity and compatibility of the device.

The SafetyNet attestation API can help your server distinguish traffic coming
from genuine, compatible Android devices from traffic coming from less-trusted
sources, including non-Android devices. This classification helps you better
understand the risks associated with each device so that you can fine-tune
preventive or mitigative actions in case of abuse or misbehavior.

We encourage developers to use SafetyNet attestations to augment their
anti-abuse strategy. Combine SafetyNet attestation with other signals, such as
your existing device-side signals and behavioral signals about what the user is
trying to do, in order to build robust, multi-tier protection systems.

For further information, check the recently
updated documentation
and see the SafetyNet API
on GitHub.

image image


This post was originally published at SafetyNet attestation, a building block for anti-abuse