
My Android app makes some REST calls to my backend. I want only my app, and only my app, to be authorized to call the endpoints.

I intend to use Google's SafetyNet to achieve this.

1) My app asks my server for a random nonce
2) My app asks for an .attest()
3) My app receives the JWT
4) My app calls one of my endpoints, providing the JWT
5) My server calls Google's server to verify that the JWT is correct
6) If yes, the call is processed; otherwise it is rejected.

My question is: is there a rate limit on .attest()? My app will be making several POST requests every 2 or 3 seconds.

Is the above logic going to work at this scale? Is there any other way I can ensure that the data posted to my endpoint is coming from my app, and only my app?

pixel
Johny19

1 Answer


Yes, you will be throttled if you call attest() that frequently. Rate-limiting aside, you would not want to call it as often as every few seconds as you may begin to notice an adverse performance impact (the API call is computationally expensive, and not fast).

The logic you describe is good, but I'd recommend thinking carefully about what specific endpoint actions you need to protect. Typically it is appropriate to use SafetyNet Attestation alongside specific high value actions such as a login or payment transaction, for example. Doing so for every POST request you make may have little incremental benefit.

Depending on your use-case, the documentation makes an additional suggestion about how the API result should be used:

Ideally, you should use the SafetyNet Attestation API as an additional in-depth defense signal as part of an anti-abuse system, rather than the sole anti-abuse signal for your app.

  • This is what I thought, yes. The 'issue' with my use case is that my API has only 1 endpoint (POST), and the data posted by all my users will be shared on a common map. So without something like SafetyNet it is trivially easy for someone to start posting fake data. I guess my other alternative is to not call that POST endpoint every second but every minute or so, and on the Android side I just aggregate the data and send it in bulk. – Johny19 Dec 16 '16 at 23:14
  • @Johny19 Is there a sign-in step required before your app will start posting data for the map? Even if not, you could maybe issue a token in response to an initial 'start' request (the first time the app is opened, which is protected with SafetyNet Attestation) which you'd hold in memory and include in subsequent data posts. I'd caution you that SafetyNet Attestation alone isn't a magical anti-abuse API, and so this alone may not solve all the problems you are envisaging. – Edward Cunningham Dec 17 '16 at 03:27
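The following is an added, self-contained example of the server side of the flow in the question (steps 1, 5 and 6) combined with the design suggested in the last comment: attest once, then issue a short-lived session token for the frequent POSTs so that attest() is not called every few seconds. It is not code from the question, the answer, or Google. Everything in it is constructed for illustration: the package name, the APK signing-certificate digest, the server keys, and the attestation payload. In particular, the real SafetyNet JWS is signed by Google and is verified either by calling Google's verification endpoint (as the question's step 5 does) or by validating the x5c certificate chain in the JWS header against attest.android.com; here that step is delegated to a `verify_signature` callback, and the demo plugs in an HMAC stand-in purely so that the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed values; in a real deployment these come from your signing config.
EXPECTED_PACKAGE = "com.example.mapapp"
EXPECTED_APK_CERT_DIGEST = "CONSTRUCTED-APK-CERT-DIGEST"
SESSION_KEY = b"server-only-session-key"   # assumed: kept on the server only
NONCE_TTL_S = 120
SESSION_TTL_S = 3600

_issued_nonces = {}   # nonce -> issue time; each nonce is single use


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def issue_nonce() -> str:
    """Step 1: hand out a random single-use nonce. It is sent as standard
    base64; the app decodes it and passes the bytes to attest(), and the
    response's 'nonce' field is the same base64 string again."""
    nonce = base64.b64encode(secrets.token_bytes(32)).decode()
    _issued_nonces[nonce] = time.time()
    return nonce


def verify_attestation(jws: str, verify_signature, now=None) -> dict:
    """Step 5: signature first, then nonce (consumed), then payload claims."""
    now = time.time() if now is None else now
    header_b64, payload_b64, sig_b64 = jws.split(".")
    if not verify_signature(f"{header_b64}.{payload_b64}".encode(), b64url_decode(sig_b64)):
        raise ValueError("signature invalid")
    payload = json.loads(b64url_decode(payload_b64))
    issued = _issued_nonces.pop(payload.get("nonce"), None)   # replaying the JWS fails here
    if issued is None or now - issued > NONCE_TTL_S:
        raise ValueError("nonce unknown, reused or expired")
    if abs(now * 1000 - payload.get("timestampMs", 0)) > NONCE_TTL_S * 1000:
        raise ValueError("attestation too old")
    if payload.get("apkPackageName") != EXPECTED_PACKAGE:
        raise ValueError("wrong package")
    if EXPECTED_APK_CERT_DIGEST not in payload.get("apkCertificateDigestSha256", []):
        raise ValueError("wrong signing certificate")
    if not (payload.get("ctsProfileMatch") and payload.get("basicIntegrity")):
        raise ValueError("device failed integrity checks")
    return payload


def issue_session_token(payload: dict, now=None) -> str:
    """After one good attestation, mint an HMAC-signed, expiring token that
    the app holds in memory and sends with every ordinary POST."""
    now = time.time() if now is None else now
    body = json.dumps({"pkg": payload["apkPackageName"], "exp": int(now) + SESSION_TTL_S},
                      separators=(",", ":")).encode()
    tag = hmac.new(SESSION_KEY, body, hashlib.sha256).digest()
    return f"{b64url_encode(body)}.{b64url_encode(tag)}"


def authorize_post(token: str, now=None) -> bool:
    """Step 6 for the frequent POSTs: no attest() call, just the session token."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = b64url_decode(body_b64), b64url_decode(tag_b64)
    except ValueError:          # malformed token or bad base64
        return False
    expected = hmac.new(SESSION_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False
    return json.loads(body)["exp"] > now


# --- Constructed demo only: an HMAC stand-in replaces Google's signature so
# the example runs offline. In production verify_signature must check the
# real JWS against Google's certificate chain or its verification endpoint.
_DEMO_KEY = b"demo-only-attestation-key"


def _demo_verify(signing_input: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(hmac.new(_DEMO_KEY, signing_input, hashlib.sha256).digest(), sig)


def make_demo_jws(nonce: str, now=None, **overrides) -> str:
    """Build a payload shaped like a SafetyNet attestation result (constructed)."""
    now = time.time() if now is None else now
    payload = {"nonce": nonce, "timestampMs": int(now * 1000),
               "apkPackageName": EXPECTED_PACKAGE,
               "apkCertificateDigestSha256": [EXPECTED_APK_CERT_DIGEST],
               "ctsProfileMatch": True, "basicIntegrity": True}
    payload.update(overrides)
    h = b64url_encode(json.dumps({"alg": "HS256"}).encode())
    p = b64url_encode(json.dumps(payload).encode())
    s = b64url_encode(hmac.new(_DEMO_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest())
    return f"{h}.{p}.{s}"


def demo_flow() -> dict:
    nonce = issue_nonce()
    jws = make_demo_jws(nonce)
    token = issue_session_token(verify_attestation(jws, _demo_verify))
    try:
        verify_attestation(jws, _demo_verify)   # same JWS a second time
        replay_ok = True
    except ValueError:
        replay_ok = False
    return {"first_ok": True, "replay_ok": replay_ok, "post_ok": authorize_post(token)}
```

The point of the split is that the expensive, rate-limited attest() runs once per app start (or per login), and the per-second POSTs are gated by the cheap session token; the single-use nonce store is what stops a captured attestation JWS from being replayed to mint a second token. As the answer says, none of this makes fake data impossible on a rooted device that passes attestation, so it belongs alongside server-side plausibility checks on the posted map data, not in place of them.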