Can android sign a http/https call, to identify uniquely the app doing the request?












0















Say, CORS for apps. Well, not the same thing, but...



Supposse I have uploaded an app to play store, and now I want my server to accept only connections from this app.



How can I do it?



What I would expect of the OS is is some process such as adding to my http request a couple of headers specifying the id of the app in the market, and signing the whole request with a signature in the android chain -or in the corresponding market CA certificate chain-. Then my server could verify that the request comes from the right app.



Plus, the OS could add some certified hardware info so if the app is run in an emulator I could deny service too.



Another way could be to include a "secret" in the app, of course, but it could always be reverse-engineered by decompilation, couldn't it? Or is there some keystore associated to the play store that could be used to provide this secret during https requests to the server?



A third way could be to use the azp field of an OAuth login, but again it could be compromised by decompilation, and moreover it forces the user to log in.










share|improve this question





























    0















    Say, CORS for apps. Well, not the same thing, but...



    Supposse I have uploaded an app to play store, and now I want my server to accept only connections from this app.



    How can I do it?



    What I would expect of the OS is is some process such as adding to my http request a couple of headers specifying the id of the app in the market, and signing the whole request with a signature in the android chain -or in the corresponding market CA certificate chain-. Then my server could verify that the request comes from the right app.



    Plus, the OS could add some certified hardware info so if the app is run in an emulator I could deny service too.



    Another way could be to include a "secret" in the app, of course, but it could always be reverse-engineered by decompilation, couldn't it? Or is there some keystore associated to the play store that could be used to provide this secret during https requests to the server?



    A third way could be to use the azp field of an OAuth login, but again it could be compromised by decompilation, and moreover it forces the user to log in.










    share|improve this question



























      0












      0








      0








      Say, CORS for apps. Well, not the same thing, but...



      Supposse I have uploaded an app to play store, and now I want my server to accept only connections from this app.



      How can I do it?



      What I would expect of the OS is is some process such as adding to my http request a couple of headers specifying the id of the app in the market, and signing the whole request with a signature in the android chain -or in the corresponding market CA certificate chain-. Then my server could verify that the request comes from the right app.



      Plus, the OS could add some certified hardware info so if the app is run in an emulator I could deny service too.



      Another way could be to include a "secret" in the app, of course, but it could always be reverse-engineered by decompilation, couldn't it? Or is there some keystore associated to the play store that could be used to provide this secret during https requests to the server?



      A third way could be to use the azp field of an OAuth login, but again it could be compromised by decompilation, and moreover it forces the user to log in.










      share|improve this question
















      Say, CORS for apps. Well, not the same thing, but...



      Supposse I have uploaded an app to play store, and now I want my server to accept only connections from this app.



      How can I do it?



      What I would expect of the OS is is some process such as adding to my http request a couple of headers specifying the id of the app in the market, and signing the whole request with a signature in the android chain -or in the corresponding market CA certificate chain-. Then my server could verify that the request comes from the right app.



      Plus, the OS could add some certified hardware info so if the app is run in an emulator I could deny service too.



      Another way could be to include a "secret" in the app, of course, but it could always be reverse-engineered by decompilation, couldn't it? Or is there some keystore associated to the play store that could be used to provide this secret during https requests to the server?



      A third way could be to use the azp field of an OAuth login, but again it could be compromised by decompilation, and moreover it forces the user to log in.







      android security authentication ssl-client-authentication






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 27 '18 at 19:00







      arivero

















      asked Nov 27 '18 at 1:51









      ariveroarivero

      3361417




      3361417
























          3 Answers
          3






          active

          oldest

          votes


















          1














          I think one of the ways to secure your Backend is to attach a token from the app in the header (or something that is unique from your app) so no one can call the api if he is not attaching the token in the header.
          But you need to check that in the backend to make sure that the header contains the needed valid token.






          share|improve this answer
























          • but someone could decompile the apk and find the token. It could be better if it were a token not stored in the apk itself but provided by google play when installing the app, or saved away in a keystore.

            – arivero
            Nov 27 '18 at 1:57











          • you can make obfuscation for your code. Do you know what is obfuscation?

            – Khalid Taha
            Nov 27 '18 at 1:58






          • 1





            @arivero there are more than one way to get the token, one of them by getting the token from firebase auth, which is dynamic, another way is to pass the token as a parameter for the release build using gradle. If you don't know how, I will tell you.

            – Khalid Taha
            Nov 27 '18 at 2:00













          • yep, I could obfuscate, you are right, but then I also could just obfuscate inside my code a client certificate private key and do standard SSL client authentication. But still the secret is hidden waiting for someone to reverse it. It would be preferable a solution from Android OS.

            – arivero
            Nov 27 '18 at 2:12











          • As I told you in the previous comment, you can make a dynamic variable that can be passed from outside the code during the build time that will contain your needed token that will be passed in the header. I think this is a good solution for your issue.

            – Khalid Taha
            Nov 27 '18 at 2:14



















          1















          Supposse I have uploaded an app to play store, and now I want my server to accept only connections from this app.



          How can I do it?




          To achieve the best level of security between your App and the API server you should use a Mobile App Attestation service alongside the SafetyNet solution, plus an OAUTH2 service and finally certificate pinning to secure the communication channel between the API server and the Mobile App, as covered in this series of articles about Mobile API Techniques.



          The role of a Mobile App Attestation service is to guarantee at run-time that your App was not tampered or is not running in a rooted device by using an SDK integrated in your App and a service running in the cloud.



          On successful attestation of the App Integrity a JWT token is issued and signed with a secret that only the API server of your App and the Mobile App Attestation service in the cloud are aware.



          In the case of failure on the App Attestation the JWT is signed with a secret that the API server does not know.



          Now the App must sent with every API call the JWT token in the headers of the request. This will allow the API server to only serve requests when it can verify the signature in the JWT token and refuse them when it fails the verification.



          Once the secret used by the Mobile App Attestation service is not known by the App, is not possible to reverse engineer it at run-time even when the App is tampered, running in a rooted device or communicating over a connection that is being the target of a Man in the Middle Attack. This is where this type of service shines
          in relation to the SafetyNet solution.



          As a side note if your App talks directly with third parts services, then I suggest that you delegate that responsibility to the API server, that will prevent
          unauthorized use of your third part services in your behalf, once it only serves
          now authentic requests from the Mobile App's that passed the Integrity challenges.



          So why not use only SafetyNet? Despite being a good security feature added to Android it was not designed to be used as the sole security defence of your app, as per Google own words:




          The goal of this API is to provide you with confidence about the integrity of a device running your app. You can then obtain additional signals using the standard Android APIs. You should use the SafetyNet Attestation API as an additional in-depth defense signal as part of an anti-abuse system, not as the sole anti-abuse signal for your app.




          Before I go I would like to call the attention for the following in the SafetyNet solution:




          • It is part of Google Mobile Services (GMS) so only runs on devices that have this. In some markets, such as the far east, there are a significant number of devices that do not have this available.


          • There are a limited number of attestation calls that can be made with a standard free API key, so to use at scale a (presumably) paid level would be required.


          • It is primarily designed to check if the OS image that a particular Android device is running is considered to be secure and compatible or not. As such it can be considered to be quite advanced root check that is able to check for file system changes indicative of rooted devices.


          • Since the SafetyNet is doing a full analysis of the hashes of the OS image it can actually be quite slow (sometimes a few seconds). This means that it cannot be doing continuously and some care is needed in its use to hide this latency from the user, but without creating an opening for an attacker to exploit.


          • SafetyNet does not specifically analyse the memory map of running apps to detect instrumentation frameworks (it relies on the fact that they can only run on rooted devices), like XPosed and Frida.


          • SafetyNet does provide an attestation of the running app via the apkDigestSha256 feature. However, this can only be relied upon if full integrity is reported. This means that the integrity of the app is unknown if it is running on any kind of unusual or rooted devices. Some users root their devices only for customizations purposes and if the mobile app has a significant percentage of them then SafetyNet will exclude them from being able to use the app. In this scenarios we want to know specifically about the integrity of the running app rather then the system as a whole. SafetyNet is not able to do that, but a mobile app attestation service can.


          • In order to perform the attestation check in a way that cannot be spoofed then app cannot do its own check (as obviously this code could be tampered with itself). Thus there is a need to implement a server side to use the feature reliably.







          share|improve this answer































            0














            Use the Safety Net Attestation flow to request a secret token to the server.



            After reading related questions, I think the trick is to use the Safety Net flow:




            • using the SafetyNet Attestation API the app gets a signed json from android services.

            • the app generates some id from android_id, random uuid or both.

            • Both Id and json are sent to the server which can then verify that the request comes from the real app, save the id and config data, and agree a token for further communications.

            • using the keychain api, the app saves the id and token in the keystore for future usage


            This is an speculative answer (I am the OP), please upvote it only if you are sure it is correct and a better alternative is not listed.



            Attestation Flow, from Android documentation






            share|improve this answer

























              Your Answer






              StackExchange.ifUsing("editor", function () {
              StackExchange.using("externalEditor", function () {
              StackExchange.using("snippets", function () {
              StackExchange.snippets.init();
              });
              });
              }, "code-snippets");

              StackExchange.ready(function() {
              var channelOptions = {
              tags: "".split(" "),
              id: "1"
              };
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function() {
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled) {
              StackExchange.using("snippets", function() {
              createEditor();
              });
              }
              else {
              createEditor();
              }
              });

              function createEditor() {
              StackExchange.prepareEditor({
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: true,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: 10,
              bindNavPrevention: true,
              postfix: "",
              imageUploader: {
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              },
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              });


              }
              });














              draft saved

              draft discarded


















              StackExchange.ready(
              function () {
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53491630%2fcan-android-sign-a-http-https-call-to-identify-uniquely-the-app-doing-the-reque%23new-answer', 'question_page');
              }
              );

              Post as a guest















              Required, but never shown

























              3 Answers
              3






              active

              oldest

              votes








              3 Answers
              3






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              1














              I think one of the ways to secure your Backend is to attach a token from the app in the header (or something that is unique from your app) so no one can call the api if he is not attaching the token in the header.
              But you need to check that in the backend to make sure that the header contains the needed valid token.






              share|improve this answer
























              • but someone could decompile the apk and find the token. It could be better if it were a token not stored in the apk itself but provided by google play when installing the app, or saved away in a keystore.

                – arivero
                Nov 27 '18 at 1:57











              • you can make obfuscation for your code. Do you know what is obfuscation?

                – Khalid Taha
                Nov 27 '18 at 1:58






              • 1





                @arivero there are more than one way to get the token, one of them by getting the token from firebase auth, which is dynamic, another way is to pass the token as a parameter for the release build using gradle. If you don't know how, I will tell you.

                – Khalid Taha
                Nov 27 '18 at 2:00













              • yep, I could obfuscate, you are right, but then I also could just obfuscate inside my code a client certificate private key and do standard SSL client authentication. But still the secret is hidden waiting for someone to reverse it. It would be preferable a solution from Android OS.

                – arivero
                Nov 27 '18 at 2:12











              • As I told you in the previous comment, you can make a dynamic variable that can be passed from outside the code during the build time that will contain your needed token that will be passed in the header. I think this is a good solution for your issue.

                – Khalid Taha
                Nov 27 '18 at 2:14
















              1














              I think one of the ways to secure your Backend is to attach a token from the app in the header (or something that is unique from your app) so no one can call the api if he is not attaching the token in the header.
              But you need to check that in the backend to make sure that the header contains the needed valid token.






              share|improve this answer
























              • but someone could decompile the apk and find the token. It could be better if it were a token not stored in the apk itself but provided by google play when installing the app, or saved away in a keystore.

                – arivero
                Nov 27 '18 at 1:57











              • you can make obfuscation for your code. Do you know what is obfuscation?

                – Khalid Taha
                Nov 27 '18 at 1:58






              • 1





                @arivero there are more than one way to get the token, one of them by getting the token from firebase auth, which is dynamic, another way is to pass the token as a parameter for the release build using gradle. If you don't know how, I will tell you.

                – Khalid Taha
                Nov 27 '18 at 2:00













              • yep, I could obfuscate, you are right, but then I also could just obfuscate inside my code a client certificate private key and do standard SSL client authentication. But still the secret is hidden waiting for someone to reverse it. It would be preferable a solution from Android OS.

                – arivero
                Nov 27 '18 at 2:12











              • As I told you in the previous comment, you can make a dynamic variable that can be passed from outside the code during the build time that will contain your needed token that will be passed in the header. I think this is a good solution for your issue.

                – Khalid Taha
                Nov 27 '18 at 2:14














              1












              1








              1







              I think one of the ways to secure your Backend is to attach a token from the app in the header (or something that is unique from your app) so no one can call the api if he is not attaching the token in the header.
              But you need to check that in the backend to make sure that the header contains the needed valid token.






              share|improve this answer













              I think one of the ways to secure your Backend is to attach a token from the app in the header (or something that is unique from your app) so no one can call the api if he is not attaching the token in the header.
              But you need to check that in the backend to make sure that the header contains the needed valid token.







              share|improve this answer












              share|improve this answer



              share|improve this answer










              answered Nov 27 '18 at 1:55









              Khalid TahaKhalid Taha

              1,89411531




              1,89411531













              • but someone could decompile the apk and find the token. It could be better if it were a token not stored in the apk itself but provided by google play when installing the app, or saved away in a keystore.

                – arivero
                Nov 27 '18 at 1:57











              • you can make obfuscation for your code. Do you know what is obfuscation?

                – Khalid Taha
                Nov 27 '18 at 1:58






              • 1





                @arivero there are more than one way to get the token, one of them by getting the token from firebase auth, which is dynamic, another way is to pass the token as a parameter for the release build using gradle. If you don't know how, I will tell you.

                – Khalid Taha
                Nov 27 '18 at 2:00













              • yep, I could obfuscate, you are right, but then I also could just obfuscate inside my code a client certificate private key and do standard SSL client authentication. But still the secret is hidden waiting for someone to reverse it. It would be preferable a solution from Android OS.

                – arivero
                Nov 27 '18 at 2:12











              • As I told you in the previous comment, you can make a dynamic variable that can be passed from outside the code during the build time that will contain your needed token that will be passed in the header. I think this is a good solution for your issue.

                – Khalid Taha
                Nov 27 '18 at 2:14



















              • but someone could decompile the apk and find the token. It could be better if it were a token not stored in the apk itself but provided by google play when installing the app, or saved away in a keystore.

                – arivero
                Nov 27 '18 at 1:57











              • you can make obfuscation for your code. Do you know what is obfuscation?

                – Khalid Taha
                Nov 27 '18 at 1:58






              • 1





                @arivero there are more than one way to get the token, one of them by getting the token from firebase auth, which is dynamic, another way is to pass the token as a parameter for the release build using gradle. If you don't know how, I will tell you.

                – Khalid Taha
                Nov 27 '18 at 2:00













              • yep, I could obfuscate, you are right, but then I also could just obfuscate inside my code a client certificate private key and do standard SSL client authentication. But still the secret is hidden waiting for someone to reverse it. It would be preferable a solution from Android OS.

                – arivero
                Nov 27 '18 at 2:12











              • As I told you in the previous comment, you can make a dynamic variable that can be passed from outside the code during the build time that will contain your needed token that will be passed in the header. I think this is a good solution for your issue.

                – Khalid Taha
                Nov 27 '18 at 2:14

















              but someone could decompile the apk and find the token. It could be better if it were a token not stored in the apk itself but provided by google play when installing the app, or saved away in a keystore.

              – arivero
              Nov 27 '18 at 1:57





              but someone could decompile the apk and find the token. It could be better if it were a token not stored in the apk itself but provided by google play when installing the app, or saved away in a keystore.

              – arivero
              Nov 27 '18 at 1:57













              you can make obfuscation for your code. Do you know what is obfuscation?

              – Khalid Taha
              Nov 27 '18 at 1:58





              you can make obfuscation for your code. Do you know what is obfuscation?

              – Khalid Taha
              Nov 27 '18 at 1:58




              1




              1





              @arivero there are more than one way to get the token, one of them by getting the token from firebase auth, which is dynamic, another way is to pass the token as a parameter for the release build using gradle. If you don't know how, I will tell you.

              – Khalid Taha
              Nov 27 '18 at 2:00







              @arivero there are more than one way to get the token, one of them by getting the token from firebase auth, which is dynamic, another way is to pass the token as a parameter for the release build using gradle. If you don't know how, I will tell you.

              – Khalid Taha
              Nov 27 '18 at 2:00















              yep, I could obfuscate, you are right, but then I also could just obfuscate inside my code a client certificate private key and do standard SSL client authentication. But still the secret is hidden waiting for someone to reverse it. It would be preferable a solution from Android OS.

              – arivero
              Nov 27 '18 at 2:12





              yep, I could obfuscate, you are right, but then I also could just obfuscate inside my code a client certificate private key and do standard SSL client authentication. But still the secret is hidden waiting for someone to reverse it. It would be preferable a solution from Android OS.

              – arivero
              Nov 27 '18 at 2:12













              As I told you in the previous comment, you can make a dynamic variable that can be passed from outside the code during the build time that will contain your needed token that will be passed in the header. I think this is a good solution for your issue.

              – Khalid Taha
              Nov 27 '18 at 2:14





              As I told you in the previous comment, you can make a dynamic variable that can be passed from outside the code during the build time that will contain your needed token that will be passed in the header. I think this is a good solution for your issue.

              – Khalid Taha
              Nov 27 '18 at 2:14













              1















              Supposse I have uploaded an app to play store, and now I want my server to accept only connections from this app.



              How can I do it?




              To achieve the best level of security between your App and the API server you should use a Mobile App Attestation service alongside the SafetyNet solution, plus an OAUTH2 service and finally certificate pinning to secure the communication channel between the API server and the Mobile App, as covered in this series of articles about Mobile API Techniques.



              The role of a Mobile App Attestation service is to guarantee at run-time that your App was not tampered or is not running in a rooted device by using an SDK integrated in your App and a service running in the cloud.



              On successful attestation of the App Integrity a JWT token is issued and signed with a secret that only the API server of your App and the Mobile App Attestation service in the cloud are aware.



              In the case of failure on the App Attestation the JWT is signed with a secret that the API server does not know.



              Now the App must sent with every API call the JWT token in the headers of the request. This will allow the API server to only serve requests when it can verify the signature in the JWT token and refuse them when it fails the verification.



              Once the secret used by the Mobile App Attestation service is not known by the App, is not possible to reverse engineer it at run-time even when the App is tampered, running in a rooted device or communicating over a connection that is being the target of a Man in the Middle Attack. This is where this type of service shines
              in relation to the SafetyNet solution.



              As a side note if your App talks directly with third parts services, then I suggest that you delegate that responsibility to the API server, that will prevent
              unauthorized use of your third part services in your behalf, once it only serves
              now authentic requests from the Mobile App's that passed the Integrity challenges.



              So why not use only SafetyNet? Despite being a good security feature added to Android it was not designed to be used as the sole security defence of your app, as per Google own words:




              The goal of this API is to provide you with confidence about the integrity of a device running your app. You can then obtain additional signals using the standard Android APIs. You should use the SafetyNet Attestation API as an additional in-depth defense signal as part of an anti-abuse system, not as the sole anti-abuse signal for your app.




              Before I go I would like to call the attention for the following in the SafetyNet solution:




              • It is part of Google Mobile Services (GMS) so only runs on devices that have this. In some markets, such as the far east, there are a significant number of devices that do not have this available.


              • There are a limited number of attestation calls that can be made with a standard free API key, so to use at scale a (presumably) paid level would be required.


              • It is primarily designed to check if the OS image that a particular Android device is running is considered to be secure and compatible or not. As such it can be considered to be quite advanced root check that is able to check for file system changes indicative of rooted devices.


              • Since the SafetyNet is doing a full analysis of the hashes of the OS image it can actually be quite slow (sometimes a few seconds). This means that it cannot be doing continuously and some care is needed in its use to hide this latency from the user, but without creating an opening for an attacker to exploit.


              • SafetyNet does not specifically analyse the memory map of running apps to detect instrumentation frameworks (it relies on the fact that they can only run on rooted devices), like XPosed and Frida.


              • SafetyNet does provide an attestation of the running app via the apkDigestSha256 feature. However, this can only be relied upon if full integrity is reported. This means that the integrity of the app is unknown if it is running on any kind of unusual or rooted devices. Some users root their devices only for customizations purposes and if the mobile app has a significant percentage of them then SafetyNet will exclude them from being able to use the app. In this scenarios we want to know specifically about the integrity of the running app rather then the system as a whole. SafetyNet is not able to do that, but a mobile app attestation service can.


              • In order to perform the attestation check in a way that cannot be spoofed then app cannot do its own check (as obviously this code could be tampered with itself). Thus there is a need to implement a server side to use the feature reliably.







              share|improve this answer




























                1















                Supposse I have uploaded an app to play store, and now I want my server to accept only connections from this app.



                How can I do it?




                To achieve the best level of security between your App and the API server you should use a Mobile App Attestation service alongside the SafetyNet solution, plus an OAUTH2 service and finally certificate pinning to secure the communication channel between the API server and the Mobile App, as covered in this series of articles about Mobile API Techniques.



                The role of a Mobile App Attestation service is to guarantee at run-time that your App was not tampered or is not running in a rooted device by using an SDK integrated in your App and a service running in the cloud.



                On successful attestation of the App Integrity a JWT token is issued and signed with a secret that only the API server of your App and the Mobile App Attestation service in the cloud are aware.



                In the case of failure on the App Attestation the JWT is signed with a secret that the API server does not know.



                Now the App must sent with every API call the JWT token in the headers of the request. This will allow the API server to only serve requests when it can verify the signature in the JWT token and refuse them when it fails the verification.



                Once the secret used by the Mobile App Attestation service is not known by the App, is not possible to reverse engineer it at run-time even when the App is tampered, running in a rooted device or communicating over a connection that is being the target of a Man in the Middle Attack. This is where this type of service shines
                in relation to the SafetyNet solution.



                As a side note if your App talks directly with third parts services, then I suggest that you delegate that responsibility to the API server, that will prevent
                unauthorized use of your third part services in your behalf, once it only serves
                now authentic requests from the Mobile App's that passed the Integrity challenges.



                So why not use only SafetyNet? Despite being a good security feature added to Android it was not designed to be used as the sole security defence of your app, as per Google own words:




                The goal of this API is to provide you with confidence about the integrity of a device running your app. You can then obtain additional signals using the standard Android APIs. You should use the SafetyNet Attestation API as an additional in-depth defense signal as part of an anti-abuse system, not as the sole anti-abuse signal for your app.




                Before I go I would like to call the attention for the following in the SafetyNet solution:




                • It is part of Google Mobile Services (GMS) so only runs on devices that have this. In some markets, such as the far east, there are a significant number of devices that do not have this available.


                • There are a limited number of attestation calls that can be made with a standard free API key, so to use at scale a (presumably) paid level would be required.


                • It is primarily designed to check if the OS image that a particular Android device is running is considered to be secure and compatible or not. As such it can be considered to be quite advanced root check that is able to check for file system changes indicative of rooted devices.


                • Since the SafetyNet is doing a full analysis of the hashes of the OS image it can actually be quite slow (sometimes a few seconds). This means that it cannot be doing continuously and some care is needed in its use to hide this latency from the user, but without creating an opening for an attacker to exploit.


                • SafetyNet does not specifically analyse the memory map of running apps to detect instrumentation frameworks (it relies on the fact that they can only run on rooted devices), like XPosed and Frida.


                • SafetyNet does provide an attestation of the running app via the apkDigestSha256 feature. However, this can only be relied upon if full integrity is reported. This means that the integrity of the app is unknown if it is running on any kind of unusual or rooted devices. Some users root their devices only for customizations purposes and if the mobile app has a significant percentage of them then SafetyNet will exclude them from being able to use the app. In this scenarios we want to know specifically about the integrity of the running app rather then the system as a whole. SafetyNet is not able to do that, but a mobile app attestation service can.


                • In order to perform the attestation check in a way that cannot be spoofed then app cannot do its own check (as obviously this code could be tampered with itself). Thus there is a need to implement a server side to use the feature reliably.







                share|improve this answer


























                  1












                  1








                  1








                  Supposse I have uploaded an app to play store, and now I want my server to accept only connections from this app.



                  How can I do it?




                  To achieve the best level of security between your App and the API server you should use a Mobile App Attestation service alongside the SafetyNet solution, plus an OAUTH2 service and finally certificate pinning to secure the communication channel between the API server and the Mobile App, as covered in this series of articles about Mobile API Techniques.



                  The role of a Mobile App Attestation service is to guarantee at run-time that your App was not tampered or is not running in a rooted device by using an SDK integrated in your App and a service running in the cloud.



                  On successful attestation of the App Integrity a JWT token is issued and signed with a secret that only the API server of your App and the Mobile App Attestation service in the cloud are aware.



                  In the case of failure on the App Attestation the JWT is signed with a secret that the API server does not know.



                  Now the App must sent with every API call the JWT token in the headers of the request. This will allow the API server to only serve requests when it can verify the signature in the JWT token and refuse them when it fails the verification.



                  Once the secret used by the Mobile App Attestation service is not known by the App, is not possible to reverse engineer it at run-time even when the App is tampered, running in a rooted device or communicating over a connection that is being the target of a Man in the Middle Attack. This is where this type of service shines
                  in relation to the SafetyNet solution.



                  As a side note if your App talks directly with third parts services, then I suggest that you delegate that responsibility to the API server, that will prevent
                  unauthorized use of your third part services in your behalf, once it only serves
                  now authentic requests from the Mobile App's that passed the Integrity challenges.



                  So why not use only SafetyNet? Despite being a good security feature added to Android it was not designed to be used as the sole security defence of your app, as per Google own words:




                  The goal of this API is to provide you with confidence about the integrity of a device running your app. You can then obtain additional signals using the standard Android APIs. You should use the SafetyNet Attestation API as an additional in-depth defense signal as part of an anti-abuse system, not as the sole anti-abuse signal for your app.




                  Before I go I would like to call the attention for the following in the SafetyNet solution:




                  • It is part of Google Mobile Services (GMS) so only runs on devices that have this. In some markets, such as the far east, there are a significant number of devices that do not have this available.


                  • There are a limited number of attestation calls that can be made with a standard free API key, so to use at scale a (presumably) paid level would be required.


                  • It is primarily designed to check if the OS image that a particular Android device is running is considered to be secure and compatible or not. As such it can be considered to be quite advanced root check that is able to check for file system changes indicative of rooted devices.


                  • Since the SafetyNet is doing a full analysis of the hashes of the OS image it can actually be quite slow (sometimes a few seconds). This means that it cannot be doing continuously and some care is needed in its use to hide this latency from the user, but without creating an opening for an attacker to exploit.


                  • SafetyNet does not specifically analyse the memory map of running apps to detect instrumentation frameworks (it relies on the fact that they can only run on rooted devices), like XPosed and Frida.


                  • SafetyNet does provide an attestation of the running app via the apkDigestSha256 feature. However, this can only be relied upon if full integrity is reported. This means that the integrity of the app is unknown if it is running on any kind of unusual or rooted devices. Some users root their devices only for customizations purposes and if the mobile app has a significant percentage of them then SafetyNet will exclude them from being able to use the app. In this scenarios we want to know specifically about the integrity of the running app rather then the system as a whole. SafetyNet is not able to do that, but a mobile app attestation service can.


                  • In order to perform the attestation check in a way that cannot be spoofed then app cannot do its own check (as obviously this code could be tampered with itself). Thus there is a need to implement a server side to use the feature reliably.







                  share|improve this answer














                  Supposse I have uploaded an app to play store, and now I want my server to accept only connections from this app.



                  How can I do it?




                  To achieve the best level of security between your App and the API server you should use a Mobile App Attestation service alongside the SafetyNet solution, plus an OAUTH2 service and finally certificate pinning to secure the communication channel between the API server and the Mobile App, as covered in this series of articles about Mobile API Techniques.



                  The role of a Mobile App Attestation service is to guarantee at run-time that your App was not tampered or is not running in a rooted device by using an SDK integrated in your App and a service running in the cloud.



                  On successful attestation of the App Integrity a JWT token is issued and signed with a secret that only the API server of your App and the Mobile App Attestation service in the cloud are aware.



                  In the case of failure on the App Attestation the JWT is signed with a secret that the API server does not know.



                  Now the App must sent with every API call the JWT token in the headers of the request. This will allow the API server to only serve requests when it can verify the signature in the JWT token and refuse them when it fails the verification.



                  Once the secret used by the Mobile App Attestation service is not known by the App, is not possible to reverse engineer it at run-time even when the App is tampered, running in a rooted device or communicating over a connection that is being the target of a Man in the Middle Attack. This is where this type of service shines
                  in relation to the SafetyNet solution.



                  As a side note if your App talks directly with third parts services, then I suggest that you delegate that responsibility to the API server, that will prevent
                  unauthorized use of your third part services in your behalf, once it only serves
                  now authentic requests from the Mobile App's that passed the Integrity challenges.



                  So why not use only SafetyNet? Despite being a good security feature added to Android it was not designed to be used as the sole security defence of your app, as per Google own words:




                  The goal of this API is to provide you with confidence about the integrity of a device running your app. You can then obtain additional signals using the standard Android APIs. You should use the SafetyNet Attestation API as an additional in-depth defense signal as part of an anti-abuse system, not as the sole anti-abuse signal for your app.




                  Before I go I would like to call the attention for the following in the SafetyNet solution:




                  • It is part of Google Mobile Services (GMS) so only runs on devices that have this. In some markets, such as the far east, there are a significant number of devices that do not have this available.


                  • There are a limited number of attestation calls that can be made with a standard free API key, so to use at scale a (presumably) paid level would be required.


                  • It is primarily designed to check if the OS image that a particular Android device is running is considered to be secure and compatible or not. As such it can be considered to be quite advanced root check that is able to check for file system changes indicative of rooted devices.


                  • Since the SafetyNet is doing a full analysis of the hashes of the OS image it can actually be quite slow (sometimes a few seconds). This means that it cannot be doing continuously and some care is needed in its use to hide this latency from the user, but without creating an opening for an attacker to exploit.


                  • SafetyNet does not specifically analyse the memory map of running apps to detect instrumentation frameworks (it relies on the fact that they can only run on rooted devices), like XPosed and Frida.


                  • SafetyNet does provide an attestation of the running app via the apkDigestSha256 feature. However, this can only be relied upon if full integrity is reported. This means that the integrity of the app is unknown if it is running on any kind of unusual or rooted devices. Some users root their devices only for customizations purposes and if the mobile app has a significant percentage of them then SafetyNet will exclude them from being able to use the app. In this scenarios we want to know specifically about the integrity of the running app rather then the system as a whole. SafetyNet is not able to do that, but a mobile app attestation service can.


                  • In order to perform the attestation check in a way that cannot be spoofed then app cannot do its own check (as obviously this code could be tampered with itself). Thus there is a need to implement a server side to use the feature reliably.








                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Dec 11 '18 at 16:36









                  Exadra37Exadra37

                  76748




                  76748























                      0














                      Use the Safety Net Attestation flow to request a secret token to the server.



                      After reading related questions, I think the trick is to use the Safety Net flow:




                      • using the SafetyNet Attestation API the app gets a signed json from android services.

                      • the app generates some id from android_id, random uuid or both.

                      • Both Id and json are sent to the server which can then verify that the request comes from the real app, save the id and config data, and agree a token for further communications.

                      • using the keychain api, the app saves the id and token in the keystore for future usage


                      This is an speculative answer (I am the OP), please upvote it only if you are sure it is correct and a better alternative is not listed.



                      Attestation Flow, from Android documentation






                      share|improve this answer






























                        0














                        Use the Safety Net Attestation flow to request a secret token to the server.



                        After reading related questions, I think the trick is to use the Safety Net flow:




                        • using the SafetyNet Attestation API the app gets a signed json from android services.

                        • the app generates some id from android_id, random uuid or both.

                        • Both Id and json are sent to the server which can then verify that the request comes from the real app, save the id and config data, and agree a token for further communications.

                        • using the keychain api, the app saves the id and token in the keystore for future usage


                        This is an speculative answer (I am the OP), please upvote it only if you are sure it is correct and a better alternative is not listed.



                        Attestation Flow, from Android documentation






                        share|improve this answer




























                          0












                          0








                          0







                          Use the Safety Net Attestation flow to request a secret token to the server.



                          After reading related questions, I think the trick is to use the Safety Net flow:




                          • using the SafetyNet Attestation API the app gets a signed json from android services.

                          • the app generates some id from android_id, random uuid or both.

                          • Both Id and json are sent to the server which can then verify that the request comes from the real app, save the id and config data, and agree a token for further communications.

                          • using the keychain api, the app saves the id and token in the keystore for future usage


                          This is an speculative answer (I am the OP), please upvote it only if you are sure it is correct and a better alternative is not listed.



                          Attestation Flow, from Android documentation






                          share|improve this answer















                          Use the Safety Net Attestation flow to request a secret token to the server.



                          After reading related questions, I think the trick is to use the Safety Net flow:




                          • using the SafetyNet Attestation API the app gets a signed json from android services.

                          • the app generates some id from android_id, random uuid or both.

                          • Both Id and json are sent to the server which can then verify that the request comes from the real app, save the id and config data, and agree a token for further communications.

                          • using the keychain api, the app saves the id and token in the keystore for future usage


                          This is an speculative answer (I am the OP), please upvote it only if you are sure it is correct and a better alternative is not listed.



                          Attestation Flow, from Android documentation







                          share|improve this answer














                          share|improve this answer



                          share|improve this answer








                          edited Nov 27 '18 at 13:54

























                          answered Nov 27 '18 at 13:47









                          ariveroarivero

                          3361417




                          3361417






























                              draft saved

                              draft discarded




















































                              Thanks for contributing an answer to Stack Overflow!


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid



                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.


                              To learn more, see our tips on writing great answers.




                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function () {
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53491630%2fcan-android-sign-a-http-https-call-to-identify-uniquely-the-app-doing-the-reque%23new-answer', 'question_page');
                              }
                              );

                              Post as a guest















                              Required, but never shown





















































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown

































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown







                              Popular posts from this blog

                              A CLEAN and SIMPLE way to add appendices to Table of Contents and bookmarks

                              Calculate evaluation metrics using cross_val_predict sklearn

                              Insert data from modal to MySQL (multiple modal on website)