Can android sign a http/https call, to identify uniquely the app doing the request?
Say, CORS for apps. Well, not the same thing, but...
Supposse I have uploaded an app to play store, and now I want my server to accept only connections from this app.
How can I do it?
What I would expect of the OS is is some process such as adding to my http request a couple of headers specifying the id of the app in the market, and signing the whole request with a signature in the android chain -or in the corresponding market CA certificate chain-. Then my server could verify that the request comes from the right app.
Plus, the OS could add some certified hardware info so if the app is run in an emulator I could deny service too.
Another way could be to include a "secret" in the app, of course, but it could always be reverse-engineered by decompilation, couldn't it? Or is there some keystore associated to the play store that could be used to provide this secret during https requests to the server?
A third way could be to use the azp field of an OAuth login, but again it could be compromised by decompilation, and moreover it forces the user to log in.
android security authentication ssl-client-authentication asked Nov 27 '18 at 1:51
ariveroarivero
3361417
add a comment |
Say, CORS for apps. Well, not the same thing, but...
Supposse I have uploaded an app to play store, and now I want my server to accept only connections from this app.
How can I do it?
What I would expect of the OS is is some process such as adding to my http request a couple of headers specifying the id of the app in the market, and signing the whole request with a signature in the android chain -or in the corresponding market CA certificate chain-. Then my server could verify that the request comes from the right app.
Plus, the OS could add some certified hardware info so if the app is run in an emulator I could deny service too.
Another way could be to include a "secret" in the app, of course, but it could always be reverse-engineered by decompilation, couldn't it? Or is there some keystore associated to the play store that could be used to provide this secret during https requests to the server?
A third way could be to use the azp field of an OAuth login, but again it could be compromised by decompilation, and moreover it forces the user to log in.
android security authentication ssl-client-authentication asked Nov 27 '18 at 1:51
ariveroarivero
3361417
add a comment |
Say, CORS for apps. Well, not the same thing, but...
Supposse I have uploaded an app to play store, and now I want my server to accept only connections from this app.
How can I do it?
What I would expect of the OS is is some process such as adding to my http request a couple of headers specifying the id of the app in the market, and signing the whole request with a signature in the android chain -or in the corresponding market CA certificate chain-. Then my server could verify that the request comes from the right app.
Plus, the OS could add some certified hardware info so if the app is run in an emulator I could deny service too.
Another way could be to include a "secret" in the app, of course, but it could always be reverse-engineered by decompilation, couldn't it? Or is there some keystore associated to the play store that could be used to provide this secret during https requests to the server?
A third way could be to use the azp field of an OAuth login, but again it could be compromised by decompilation, and moreover it forces the user to log in.
android security authentication ssl-client-authentication asked Nov 27 '18 at 1:51
ariveroarivero
3361417
Say, CORS for apps. Well, not the same thing, but...
Supposse I have uploaded an app to play store, and now I want my server to accept only connections from this app.
How can I do it?
What I would expect of the OS is is some process such as adding to my http request a couple of headers specifying the id of the app in the market, and signing the whole request with a signature in the android chain -or in the corresponding market CA certificate chain-. Then my server could verify that the request comes from the right app.
Plus, the OS could add some certified hardware info so if the app is run in an emulator I could deny service too.
Another way could be to include a "secret" in the app, of course, but it could always be reverse-engineered by decompilation, couldn't it? Or is there some keystore associated to the play store that could be used to provide this secret during https requests to the server?
A third way could be to use the azp field of an OAuth login, but again it could be compromised by decompilation, and moreover it forces the user to log in.
android security authentication ssl-client-authentication android security authentication ssl-client-authentication asked Nov 27 '18 at 1:51
ariveroarivero
3361417
asked Nov 27 '18 at 1:51
ariveroarivero
3361417
edited Nov 27 '18 at 19:00
arivero
asked Nov 27 '18 at 1:51
ariveroarivero
3361417
asked Nov 27 '18 at 1:51
ariveroarivero
3361417
asked Nov 27 '18 at 1:51
ariveroarivero
3361417
3361417
add a comment |
add a comment |
3 Answers
3
active
oldest
votes
I think one of the ways to secure your Backend is to attach a token from the app in the header (or something that is unique from your app) so no one can call the api if he is not attaching the token in the header.
But you need to check that in the backend to make sure that the header contains the needed valid token.
answered Nov 27 '18 at 1:55
Khalid TahaKhalid Taha
1,89411531
but someone could decompile the apk and find the token. It could be better if it were a token not stored in the apk itself but provided by google play when installing the app, or saved away in a keystore.
– arivero
Nov 27 '18 at 1:57
you can make obfuscation for your code. Do you know what is obfuscation?
– Khalid Taha
Nov 27 '18 at 1:58
1
@arivero there are more than one way to get the token, one of them by getting the token from firebase auth, which is dynamic, another way is to pass the token as a parameter for the release build using gradle. If you don't know how, I will tell you.
– Khalid Taha
Nov 27 '18 at 2:00
yep, I could obfuscate, you are right, but then I also could just obfuscate inside my code a client certificate private key and do standard SSL client authentication. But still the secret is hidden waiting for someone to reverse it. It would be preferable a solution from Android OS.
– arivero
Nov 27 '18 at 2:12
As I told you in the previous comment, you can make a dynamic variable that can be passed from outside the code during the build time that will contain your needed token that will be passed in the header. I think this is a good solution for your issue.
– Khalid Taha
Nov 27 '18 at 2:14
|
show 3 more comments
Supposse I have uploaded an app to play store, and now I want my server to accept only connections from this app.
How can I do it?
To achieve the best level of security between your App and the API server you should use a Mobile App Attestation service alongside the SafetyNet solution, plus an OAUTH2 service and finally certificate pinning to secure the communication channel between the API server and the Mobile App, as covered in this series of articles about Mobile API Techniques.
The role of a Mobile App Attestation service is to guarantee at run-time that your App was not tampered or is not running in a rooted device by using an SDK integrated in your App and a service running in the cloud.
On successful attestation of the App Integrity a JWT token is issued and signed with a secret that only the API server of your App and the Mobile App Attestation service in the cloud are aware.
In the case of failure on the App Attestation the JWT is signed with a secret that the API server does not know.
Now the App must sent with every API call the JWT token in the headers of the request. This will allow the API server to only serve requests when it can verify the signature in the JWT token and refuse them when it fails the verification.
Once the secret used by the Mobile App Attestation service is not known by the App, is not possible to reverse engineer it at run-time even when the App is tampered, running in a rooted device or communicating over a connection that is being the target of a Man in the Middle Attack. This is where this type of service shines
in relation to the SafetyNet solution.
As a side note if your App talks directly with third parts services, then I suggest that you delegate that responsibility to the API server, that will prevent
unauthorized use of your third part services in your behalf, once it only serves
now authentic requests from the Mobile App's that passed the Integrity challenges.
So why not use only SafetyNet? Despite being a good security feature added to Android it was not designed to be used as the sole security defence of your app, as per Google own words:
The goal of this API is to provide you with confidence about the integrity of a device running your app. You can then obtain additional signals using the standard Android APIs. You should use the SafetyNet Attestation API as an additional in-depth defense signal as part of an anti-abuse system, not as the sole anti-abuse signal for your app.
Before I go I would like to call the attention for the following in the SafetyNet solution:
It is part of Google Mobile Services (GMS) so only runs on devices that have this. In some markets, such as the far east, there are a significant number of devices that do not have this available.
There are a limited number of attestation calls that can be made with a standard free API key, so to use at scale a (presumably) paid level would be required.
It is primarily designed to check if the OS image that a particular Android device is running is considered to be secure and compatible or not. As such it can be considered to be quite advanced root check that is able to check for file system changes indicative of rooted devices.
Since the SafetyNet is doing a full analysis of the hashes of the OS image it can actually be quite slow (sometimes a few seconds). This means that it cannot be doing continuously and some care is needed in its use to hide this latency from the user, but without creating an opening for an attacker to exploit.
SafetyNet does not specifically analyse the memory map of running apps to detect instrumentation frameworks (it relies on the fact that they can only run on rooted devices), like XPosed and Frida.
SafetyNet does provide an attestation of the running app via the apkDigestSha256 feature. However, this can only be relied upon if full integrity is reported. This means that the integrity of the app is unknown if it is running on any kind of unusual or rooted devices. Some users root their devices only for customizations purposes and if the mobile app has a significant percentage of them then SafetyNet will exclude them from being able to use the app. In this scenarios we want to know specifically about the integrity of the running app rather then the system as a whole. SafetyNet is not able to do that, but a mobile app attestation service can.
In order to perform the attestation check in a way that cannot be spoofed then app cannot do its own check (as obviously this code could be tampered with itself). Thus there is a need to implement a server side to use the feature reliably.
answered Dec 11 '18 at 16:36
Exadra37Exadra37
76748
add a comment |
Use the Safety Net Attestation flow to request a secret token to the server.
After reading related questions, I think the trick is to use the Safety Net flow:
- using the SafetyNet Attestation API the app gets a signed json from android services.
- the app generates some id from android_id, random uuid or both.
- Both Id and json are sent to the server which can then verify that the request comes from the real app, save the id and config data, and agree a token for further communications.
- using the keychain api, the app saves the id and token in the keystore for future usage
This is an speculative answer (I am the OP), please upvote it only if you are sure it is correct and a better alternative is not listed.
answered Nov 27 '18 at 13:47
ariveroarivero
3361417
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53491630%2fcan-android-sign-a-http-https-call-to-identify-uniquely-the-app-doing-the-reque%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
I think one of the ways to secure your Backend is to attach a token from the app in the header (or something that is unique from your app) so no one can call the api if he is not attaching the token in the header.
But you need to check that in the backend to make sure that the header contains the needed valid token.
answered Nov 27 '18 at 1:55
Khalid TahaKhalid Taha
1,89411531
but someone could decompile the apk and find the token. It could be better if it were a token not stored in the apk itself but provided by google play when installing the app, or saved away in a keystore.
– arivero
Nov 27 '18 at 1:57
you can make obfuscation for your code. Do you know what is obfuscation?
– Khalid Taha
Nov 27 '18 at 1:58
1
@arivero there are more than one way to get the token, one of them by getting the token from firebase auth, which is dynamic, another way is to pass the token as a parameter for the release build using gradle. If you don't know how, I will tell you.
– Khalid Taha
Nov 27 '18 at 2:00
yep, I could obfuscate, you are right, but then I also could just obfuscate inside my code a client certificate private key and do standard SSL client authentication. But still the secret is hidden waiting for someone to reverse it. It would be preferable a solution from Android OS.
– arivero
Nov 27 '18 at 2:12
As I told you in the previous comment, you can make a dynamic variable that can be passed from outside the code during the build time that will contain your needed token that will be passed in the header. I think this is a good solution for your issue.
– Khalid Taha
Nov 27 '18 at 2:14
|
show 3 more comments
I think one of the ways to secure your Backend is to attach a token from the app in the header (or something that is unique from your app) so no one can call the api if he is not attaching the token in the header.
But you need to check that in the backend to make sure that the header contains the needed valid token.
answered Nov 27 '18 at 1:55
Khalid TahaKhalid Taha
1,89411531
but someone could decompile the apk and find the token. It could be better if it were a token not stored in the apk itself but provided by google play when installing the app, or saved away in a keystore.
– arivero
Nov 27 '18 at 1:57
you can make obfuscation for your code. Do you know what is obfuscation?
– Khalid Taha
Nov 27 '18 at 1:58
1
@arivero there are more than one way to get the token, one of them by getting the token from firebase auth, which is dynamic, another way is to pass the token as a parameter for the release build using gradle. If you don't know how, I will tell you.
– Khalid Taha
Nov 27 '18 at 2:00
yep, I could obfuscate, you are right, but then I also could just obfuscate inside my code a client certificate private key and do standard SSL client authentication. But still the secret is hidden waiting for someone to reverse it. It would be preferable a solution from Android OS.
– arivero
Nov 27 '18 at 2:12
As I told you in the previous comment, you can make a dynamic variable that can be passed from outside the code during the build time that will contain your needed token that will be passed in the header. I think this is a good solution for your issue.
– Khalid Taha
Nov 27 '18 at 2:14
|
show 3 more comments
I think one of the ways to secure your Backend is to attach a token from the app in the header (or something that is unique from your app) so no one can call the api if he is not attaching the token in the header.
But you need to check that in the backend to make sure that the header contains the needed valid token.
answered Nov 27 '18 at 1:55
Khalid TahaKhalid Taha
1,89411531
I think one of the ways to secure your Backend is to attach a token from the app in the header (or something that is unique from your app) so no one can call the api if he is not attaching the token in the header.
But you need to check that in the backend to make sure that the header contains the needed valid token.
answered Nov 27 '18 at 1:55
Khalid TahaKhalid Taha
1,89411531
answered Nov 27 '18 at 1:55
Khalid TahaKhalid Taha
1,89411531
answered Nov 27 '18 at 1:55
Khalid TahaKhalid Taha
1,89411531
answered Nov 27 '18 at 1:55
Khalid TahaKhalid Taha
1,89411531
1,89411531
but someone could decompile the apk and find the token. It could be better if it were a token not stored in the apk itself but provided by google play when installing the app, or saved away in a keystore.
– arivero
Nov 27 '18 at 1:57
you can make obfuscation for your code. Do you know what is obfuscation?
– Khalid Taha
Nov 27 '18 at 1:58
1
@arivero there are more than one way to get the token, one of them by getting the token from firebase auth, which is dynamic, another way is to pass the token as a parameter for the release build using gradle. If you don't know how, I will tell you.
– Khalid Taha
Nov 27 '18 at 2:00
yep, I could obfuscate, you are right, but then I also could just obfuscate inside my code a client certificate private key and do standard SSL client authentication. But still the secret is hidden waiting for someone to reverse it. It would be preferable a solution from Android OS.
– arivero
Nov 27 '18 at 2:12
As I told you in the previous comment, you can make a dynamic variable that can be passed from outside the code during the build time that will contain your needed token that will be passed in the header. I think this is a good solution for your issue.
– Khalid Taha
Nov 27 '18 at 2:14
|
show 3 more comments
but someone could decompile the apk and find the token. It could be better if it were a token not stored in the apk itself but provided by google play when installing the app, or saved away in a keystore.
– arivero
Nov 27 '18 at 1:57
you can make obfuscation for your code. Do you know what is obfuscation?
– Khalid Taha
Nov 27 '18 at 1:58
1
@arivero there are more than one way to get the token, one of them by getting the token from firebase auth, which is dynamic, another way is to pass the token as a parameter for the release build using gradle. If you don't know how, I will tell you.
– Khalid Taha
Nov 27 '18 at 2:00
yep, I could obfuscate, you are right, but then I also could just obfuscate inside my code a client certificate private key and do standard SSL client authentication. But still the secret is hidden waiting for someone to reverse it. It would be preferable a solution from Android OS.
– arivero
Nov 27 '18 at 2:12
As I told you in the previous comment, you can make a dynamic variable that can be passed from outside the code during the build time that will contain your needed token that will be passed in the header. I think this is a good solution for your issue.
– Khalid Taha
Nov 27 '18 at 2:14
but someone could decompile the apk and find the token. It could be better if it were a token not stored in the apk itself but provided by google play when installing the app, or saved away in a keystore.
– arivero
Nov 27 '18 at 1:57
but someone could decompile the apk and find the token. It could be better if it were a token not stored in the apk itself but provided by google play when installing the app, or saved away in a keystore.
– arivero
Nov 27 '18 at 1:57
you can make obfuscation for your code. Do you know what is obfuscation?
– Khalid Taha
Nov 27 '18 at 1:58
you can make obfuscation for your code. Do you know what is obfuscation?
– Khalid Taha
Nov 27 '18 at 1:58
1
1
@arivero there are more than one way to get the token, one of them by getting the token from firebase auth, which is dynamic, another way is to pass the token as a parameter for the release build using gradle. If you don't know how, I will tell you.
– Khalid Taha
Nov 27 '18 at 2:00
@arivero there are more than one way to get the token, one of them by getting the token from firebase auth, which is dynamic, another way is to pass the token as a parameter for the release build using gradle. If you don't know how, I will tell you.
– Khalid Taha
Nov 27 '18 at 2:00
yep, I could obfuscate, you are right, but then I also could just obfuscate inside my code a client certificate private key and do standard SSL client authentication. But still the secret is hidden waiting for someone to reverse it. It would be preferable a solution from Android OS.
– arivero
Nov 27 '18 at 2:12
yep, I could obfuscate, you are right, but then I also could just obfuscate inside my code a client certificate private key and do standard SSL client authentication. But still the secret is hidden waiting for someone to reverse it. It would be preferable a solution from Android OS.
– arivero
Nov 27 '18 at 2:12
As I told you in the previous comment, you can make a dynamic variable that can be passed from outside the code during the build time that will contain your needed token that will be passed in the header. I think this is a good solution for your issue.
– Khalid Taha
Nov 27 '18 at 2:14
As I told you in the previous comment, you can make a dynamic variable that can be passed from outside the code during the build time that will contain your needed token that will be passed in the header. I think this is a good solution for your issue.
– Khalid Taha
Nov 27 '18 at 2:14
|
show 3 more comments
Supposse I have uploaded an app to play store, and now I want my server to accept only connections from this app.
How can I do it?
To achieve the best level of security between your App and the API server you should use a Mobile App Attestation service alongside the SafetyNet solution, plus an OAUTH2 service and finally certificate pinning to secure the communication channel between the API server and the Mobile App, as covered in this series of articles about Mobile API Techniques.
The role of a Mobile App Attestation service is to guarantee at run-time that your App was not tampered or is not running in a rooted device by using an SDK integrated in your App and a service running in the cloud.
On successful attestation of the App Integrity a JWT token is issued and signed with a secret that only the API server of your App and the Mobile App Attestation service in the cloud are aware.
In the case of failure on the App Attestation the JWT is signed with a secret that the API server does not know.
Now the App must sent with every API call the JWT token in the headers of the request. This will allow the API server to only serve requests when it can verify the signature in the JWT token and refuse them when it fails the verification.
Once the secret used by the Mobile App Attestation service is not known by the App, is not possible to reverse engineer it at run-time even when the App is tampered, running in a rooted device or communicating over a connection that is being the target of a Man in the Middle Attack. This is where this type of service shines
in relation to the SafetyNet solution.
As a side note if your App talks directly with third parts services, then I suggest that you delegate that responsibility to the API server, that will prevent
unauthorized use of your third part services in your behalf, once it only serves
now authentic requests from the Mobile App's that passed the Integrity challenges.
So why not use only SafetyNet? Despite being a good security feature added to Android it was not designed to be used as the sole security defence of your app, as per Google own words:
The goal of this API is to provide you with confidence about the integrity of a device running your app. You can then obtain additional signals using the standard Android APIs. You should use the SafetyNet Attestation API as an additional in-depth defense signal as part of an anti-abuse system, not as the sole anti-abuse signal for your app.
Before I go I would like to call the attention for the following in the SafetyNet solution:
It is part of Google Mobile Services (GMS) so only runs on devices that have this. In some markets, such as the far east, there are a significant number of devices that do not have this available.
There are a limited number of attestation calls that can be made with a standard free API key, so to use at scale a (presumably) paid level would be required.
It is primarily designed to check if the OS image that a particular Android device is running is considered to be secure and compatible or not. As such it can be considered to be quite advanced root check that is able to check for file system changes indicative of rooted devices.
Since the SafetyNet is doing a full analysis of the hashes of the OS image it can actually be quite slow (sometimes a few seconds). This means that it cannot be doing continuously and some care is needed in its use to hide this latency from the user, but without creating an opening for an attacker to exploit.
SafetyNet does not specifically analyse the memory map of running apps to detect instrumentation frameworks (it relies on the fact that they can only run on rooted devices), like XPosed and Frida.
SafetyNet does provide an attestation of the running app via the apkDigestSha256 feature. However, this can only be relied upon if full integrity is reported. This means that the integrity of the app is unknown if it is running on any kind of unusual or rooted devices. Some users root their devices only for customizations purposes and if the mobile app has a significant percentage of them then SafetyNet will exclude them from being able to use the app. In this scenarios we want to know specifically about the integrity of the running app rather then the system as a whole. SafetyNet is not able to do that, but a mobile app attestation service can.
In order to perform the attestation check in a way that cannot be spoofed then app cannot do its own check (as obviously this code could be tampered with itself). Thus there is a need to implement a server side to use the feature reliably.
answered Dec 11 '18 at 16:36
Exadra37Exadra37
76748
add a comment |
Supposse I have uploaded an app to play store, and now I want my server to accept only connections from this app.
How can I do it?
To achieve the best level of security between your App and the API server you should use a Mobile App Attestation service alongside the SafetyNet solution, plus an OAUTH2 service and finally certificate pinning to secure the communication channel between the API server and the Mobile App, as covered in this series of articles about Mobile API Techniques.
The role of a Mobile App Attestation service is to guarantee at run-time that your App was not tampered or is not running in a rooted device by using an SDK integrated in your App and a service running in the cloud.
On successful attestation of the App Integrity a JWT token is issued and signed with a secret that only the API server of your App and the Mobile App Attestation service in the cloud are aware.
In the case of failure on the App Attestation the JWT is signed with a secret that the API server does not know.
Now the App must sent with every API call the JWT token in the headers of the request. This will allow the API server to only serve requests when it can verify the signature in the JWT token and refuse them when it fails the verification.
Once the secret used by the Mobile App Attestation service is not known by the App, is not possible to reverse engineer it at run-time even when the App is tampered, running in a rooted device or communicating over a connection that is being the target of a Man in the Middle Attack. This is where this type of service shines
in relation to the SafetyNet solution.
As a side note if your App talks directly with third parts services, then I suggest that you delegate that responsibility to the API server, that will prevent
unauthorized use of your third part services in your behalf, once it only serves
now authentic requests from the Mobile App's that passed the Integrity challenges.
So why not use only SafetyNet? Despite being a good security feature added to Android it was not designed to be used as the sole security defence of your app, as per Google own words:
The goal of this API is to provide you with confidence about the integrity of a device running your app. You can then obtain additional signals using the standard Android APIs. You should use the SafetyNet Attestation API as an additional in-depth defense signal as part of an anti-abuse system, not as the sole anti-abuse signal for your app.
Before I go I would like to call the attention for the following in the SafetyNet solution:
It is part of Google Mobile Services (GMS) so only runs on devices that have this. In some markets, such as the far east, there are a significant number of devices that do not have this available.
There are a limited number of attestation calls that can be made with a standard free API key, so to use at scale a (presumably) paid level would be required.
It is primarily designed to check if the OS image that a particular Android device is running is considered to be secure and compatible or not. As such it can be considered to be quite advanced root check that is able to check for file system changes indicative of rooted devices.
Since the SafetyNet is doing a full analysis of the hashes of the OS image it can actually be quite slow (sometimes a few seconds). This means that it cannot be doing continuously and some care is needed in its use to hide this latency from the user, but without creating an opening for an attacker to exploit.
SafetyNet does not specifically analyse the memory map of running apps to detect instrumentation frameworks (it relies on the fact that they can only run on rooted devices), like XPosed and Frida.
SafetyNet does provide an attestation of the running app via the apkDigestSha256 feature. However, this can only be relied upon if full integrity is reported. This means that the integrity of the app is unknown if it is running on any kind of unusual or rooted devices. Some users root their devices only for customizations purposes and if the mobile app has a significant percentage of them then SafetyNet will exclude them from being able to use the app. In this scenarios we want to know specifically about the integrity of the running app rather then the system as a whole. SafetyNet is not able to do that, but a mobile app attestation service can.
In order to perform the attestation check in a way that cannot be spoofed then app cannot do its own check (as obviously this code could be tampered with itself). Thus there is a need to implement a server side to use the feature reliably.
answered Dec 11 '18 at 16:36
Exadra37Exadra37
76748
add a comment |
Supposse I have uploaded an app to play store, and now I want my server to accept only connections from this app.
How can I do it?
To achieve the best level of security between your App and the API server you should use a Mobile App Attestation service alongside the SafetyNet solution, plus an OAUTH2 service and finally certificate pinning to secure the communication channel between the API server and the Mobile App, as covered in this series of articles about Mobile API Techniques.
The role of a Mobile App Attestation service is to guarantee at run-time that your App was not tampered or is not running in a rooted device by using an SDK integrated in your App and a service running in the cloud.
On successful attestation of the App Integrity a JWT token is issued and signed with a secret that only the API server of your App and the Mobile App Attestation service in the cloud are aware.
In the case of failure on the App Attestation the JWT is signed with a secret that the API server does not know.
Now the App must sent with every API call the JWT token in the headers of the request. This will allow the API server to only serve requests when it can verify the signature in the JWT token and refuse them when it fails the verification.
Once the secret used by the Mobile App Attestation service is not known by the App, is not possible to reverse engineer it at run-time even when the App is tampered, running in a rooted device or communicating over a connection that is being the target of a Man in the Middle Attack. This is where this type of service shines
in relation to the SafetyNet solution.
As a side note if your App talks directly with third parts services, then I suggest that you delegate that responsibility to the API server, that will prevent
unauthorized use of your third part services in your behalf, once it only serves
now authentic requests from the Mobile App's that passed the Integrity challenges.
So why not use only SafetyNet? Despite being a good security feature added to Android it was not designed to be used as the sole security defence of your app, as per Google own words:
The goal of this API is to provide you with confidence about the integrity of a device running your app. You can then obtain additional signals using the standard Android APIs. You should use the SafetyNet Attestation API as an additional in-depth defense signal as part of an anti-abuse system, not as the sole anti-abuse signal for your app.
Before I go I would like to call the attention for the following in the SafetyNet solution:
It is part of Google Mobile Services (GMS) so only runs on devices that have this. In some markets, such as the far east, there are a significant number of devices that do not have this available.
There are a limited number of attestation calls that can be made with a standard free API key, so to use at scale a (presumably) paid level would be required.
It is primarily designed to check if the OS image that a particular Android device is running is considered to be secure and compatible or not. As such it can be considered to be quite advanced root check that is able to check for file system changes indicative of rooted devices.
Since the SafetyNet is doing a full analysis of the hashes of the OS image it can actually be quite slow (sometimes a few seconds). This means that it cannot be doing continuously and some care is needed in its use to hide this latency from the user, but without creating an opening for an attacker to exploit.
SafetyNet does not specifically analyse the memory map of running apps to detect instrumentation frameworks (it relies on the fact that they can only run on rooted devices), like XPosed and Frida.
SafetyNet does provide an attestation of the running app via the apkDigestSha256 feature. However, this can only be relied upon if full integrity is reported. This means that the integrity of the app is unknown if it is running on any kind of unusual or rooted devices. Some users root their devices only for customizations purposes and if the mobile app has a significant percentage of them then SafetyNet will exclude them from being able to use the app. In this scenarios we want to know specifically about the integrity of the running app rather then the system as a whole. SafetyNet is not able to do that, but a mobile app attestation service can.
In order to perform the attestation check in a way that cannot be spoofed then app cannot do its own check (as obviously this code could be tampered with itself). Thus there is a need to implement a server side to use the feature reliably.
answered Dec 11 '18 at 16:36
Exadra37Exadra37
76748
Supposse I have uploaded an app to play store, and now I want my server to accept only connections from this app.
How can I do it?
To achieve the best level of security between your App and the API server you should use a Mobile App Attestation service alongside the SafetyNet solution, plus an OAUTH2 service and finally certificate pinning to secure the communication channel between the API server and the Mobile App, as covered in this series of articles about Mobile API Techniques.
The role of a Mobile App Attestation service is to guarantee at run-time that your App was not tampered or is not running in a rooted device by using an SDK integrated in your App and a service running in the cloud.
On successful attestation of the App Integrity a JWT token is issued and signed with a secret that only the API server of your App and the Mobile App Attestation service in the cloud are aware.
In the case of failure on the App Attestation the JWT is signed with a secret that the API server does not know.
Now the App must sent with every API call the JWT token in the headers of the request. This will allow the API server to only serve requests when it can verify the signature in the JWT token and refuse them when it fails the verification.
Once the secret used by the Mobile App Attestation service is not known by the App, is not possible to reverse engineer it at run-time even when the App is tampered, running in a rooted device or communicating over a connection that is being the target of a Man in the Middle Attack. This is where this type of service shines
in relation to the SafetyNet solution.
As a side note if your App talks directly with third parts services, then I suggest that you delegate that responsibility to the API server, that will prevent
unauthorized use of your third part services in your behalf, once it only serves
now authentic requests from the Mobile App's that passed the Integrity challenges.
So why not use only SafetyNet? Despite being a good security feature added to Android it was not designed to be used as the sole security defence of your app, as per Google own words:
The goal of this API is to provide you with confidence about the integrity of a device running your app. You can then obtain additional signals using the standard Android APIs. You should use the SafetyNet Attestation API as an additional in-depth defense signal as part of an anti-abuse system, not as the sole anti-abuse signal for your app.
Before I go I would like to call the attention for the following in the SafetyNet solution:
It is part of Google Mobile Services (GMS) so only runs on devices that have this. In some markets, such as the far east, there are a significant number of devices that do not have this available.
There are a limited number of attestation calls that can be made with a standard free API key, so to use at scale a (presumably) paid level would be required.
It is primarily designed to check if the OS image that a particular Android device is running is considered to be secure and compatible or not. As such it can be considered to be quite advanced root check that is able to check for file system changes indicative of rooted devices.
Since the SafetyNet is doing a full analysis of the hashes of the OS image it can actually be quite slow (sometimes a few seconds). This means that it cannot be doing continuously and some care is needed in its use to hide this latency from the user, but without creating an opening for an attacker to exploit.
SafetyNet does not specifically analyse the memory map of running apps to detect instrumentation frameworks (it relies on the fact that they can only run on rooted devices), like XPosed and Frida.
SafetyNet does provide an attestation of the running app via the apkDigestSha256 feature. However, this can only be relied upon if full integrity is reported. This means that the integrity of the app is unknown if it is running on any kind of unusual or rooted devices. Some users root their devices only for customizations purposes and if the mobile app has a significant percentage of them then SafetyNet will exclude them from being able to use the app. In this scenarios we want to know specifically about the integrity of the running app rather then the system as a whole. SafetyNet is not able to do that, but a mobile app attestation service can.
In order to perform the attestation check in a way that cannot be spoofed then app cannot do its own check (as obviously this code could be tampered with itself). Thus there is a need to implement a server side to use the feature reliably.
answered Dec 11 '18 at 16:36
Exadra37Exadra37
76748
answered Dec 11 '18 at 16:36
Exadra37Exadra37
76748
answered Dec 11 '18 at 16:36
Exadra37Exadra37
76748
answered Dec 11 '18 at 16:36
Exadra37Exadra37
76748
76748
add a comment |
add a comment |
Use the Safety Net Attestation flow to request a secret token to the server.
After reading related questions, I think the trick is to use the Safety Net flow:
- using the SafetyNet Attestation API the app gets a signed json from android services.
- the app generates some id from android_id, random uuid or both.
- Both Id and json are sent to the server which can then verify that the request comes from the real app, save the id and config data, and agree a token for further communications.
- using the keychain api, the app saves the id and token in the keystore for future usage
This is an speculative answer (I am the OP), please upvote it only if you are sure it is correct and a better alternative is not listed.
answered Nov 27 '18 at 13:47
ariveroarivero
3361417
add a comment |
Use the Safety Net Attestation flow to request a secret token to the server.
After reading related questions, I think the trick is to use the Safety Net flow:
- using the SafetyNet Attestation API the app gets a signed json from android services.
- the app generates some id from android_id, random uuid or both.
- Both Id and json are sent to the server which can then verify that the request comes from the real app, save the id and config data, and agree a token for further communications.
- using the keychain api, the app saves the id and token in the keystore for future usage
This is an speculative answer (I am the OP), please upvote it only if you are sure it is correct and a better alternative is not listed.
answered Nov 27 '18 at 13:47
ariveroarivero
3361417
add a comment |
Use the Safety Net Attestation flow to request a secret token to the server.
After reading related questions, I think the trick is to use the Safety Net flow:
- using the SafetyNet Attestation API the app gets a signed json from android services.
- the app generates some id from android_id, random uuid or both.
- Both Id and json are sent to the server which can then verify that the request comes from the real app, save the id and config data, and agree a token for further communications.
- using the keychain api, the app saves the id and token in the keystore for future usage
This is an speculative answer (I am the OP), please upvote it only if you are sure it is correct and a better alternative is not listed.
answered Nov 27 '18 at 13:47
ariveroarivero
3361417
Use the Safety Net Attestation flow to request a secret token to the server.
After reading related questions, I think the trick is to use the Safety Net flow:
- using the SafetyNet Attestation API the app gets a signed json from android services.
- the app generates some id from android_id, random uuid or both.
- Both Id and json are sent to the server which can then verify that the request comes from the real app, save the id and config data, and agree a token for further communications.
- using the keychain api, the app saves the id and token in the keystore for future usage
This is an speculative answer (I am the OP), please upvote it only if you are sure it is correct and a better alternative is not listed.
answered Nov 27 '18 at 13:47
ariveroarivero
3361417
edited Nov 27 '18 at 13:54
answered Nov 27 '18 at 13:47
ariveroarivero
3361417
answered Nov 27 '18 at 13:47
ariveroarivero
3361417
answered Nov 27 '18 at 13:47
ariveroarivero
3361417
3361417
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53491630%2fcan-android-sign-a-http-https-call-to-identify-uniquely-the-app-doing-the-reque%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
