5

I am using this library : https://github.com/scottyab/safetynethelper
I have read the documentation on Android Deveoloper site and in the repository. Everything works fine ,but something is not clear to me. It is indicated that it is more secure to obtain the nonce from the server rather then creating it on the app it self.and why is it better to Pass the response from SafetyNet API to the server

pixel
  • 24,905
  • 36
  • 149
  • 251
Maxim Toyberman
  • 1,906
  • 1
  • 20
  • 35

1 Answers1

6

Most commonly the SafetyNet Attestation API is used to decide whether you trust the device and app that is communicating with your server.

As such, you don't really want to be checking the JWS response within your Android app, otherwise an attacker could simply modify your app to remove any verification logic you have put in place. This is why it is better to pass the response to the server, and make any decisions there (you trust your server).

On your server you can verify the response and, if everything looks good, allow whatever action you are trying to protect - maybe permitting a sign-in, or the download of certain data.

Why is a nonce supplied from your server more secure? A nonce that is generated in your app (ie. essentially random and unknown to you) can be changed freely by an attacker. It is better if you control the nonce! This way when you are verifying the JWS response on your server you can check the nonce is correct.

A good approach for generating a nonce on your server may be to hash a session ID, or a combination of the user ID and timestamp.

Edward Cunningham
  • 211
  • 1
  • 5
  • It still doesn't explain why is it more secure? 1) app call server to get nonce 2) app call attest with that nonce 3) app send request to server with jws response what stopps an attacker to call step 1) himself?? – Johny19 Jul 26 '17 at 14:32
  • The server would keep the nonce, so if. the attacker intercepts the nonce fetch request, the server would later detect the mismatch. – Jonne Haß May 24 '18 at 13:47