In the SafetyNet reference docs it is mentioned that "The default request quota for a SafetyNet Attestation API key is 10,000 requests per day. If you require additional capacity, send a request to the SafetyNet API quota team".

I am not using any kind of key as mentioned in the docs for making the compatibility check request. Based on the above information, I have the following queries:

  1. Is the above quota limit for online verification of the SafetyNet response, as mentioned here?
  2. Do we require any kind of API_KEY (by creating a project on the developer console, etc.) for getting the SafetyNet response? I believe an API_KEY is required for online verification of the SafetyNet response, but for getting the SafetyNet response we don't require anything; we just need to use the SafetyNet APIs. This is how I am doing it currently, and it is giving me a successful compatibility check response for valid Android devices.
  3. So how do the SafetyNet compatibility check APIs (not the verification API) do client identification? Is it Android application specific or user's Google account specific?
  4. If the SafetyNet compatibility check API is application specific, then is there any kind of quota? E.g. if there are 100000 Android devices which have my application installed, and the application uses the SafetyNet compatibility check APIs with 1000000 compatibility check requests per day, will it work or not? Do I need something else?
  5. If the SafetyNet compatibility check APIs are user's Google account (Gmail) specific, then is there any kind of quota?
  6. What if the user of my application, which is using the SafetyNet APIs, doesn't have a Google account (Gmail ID)? Will it work on their Android phone or not?
Baqir

1 Answer

> Is the above quota limit for online verification of the SafetyNet response?

Yes. This quota is separate from the quota for the online validation service.

> Do we require any kind of API_KEY (by creating a project on the developer console, etc.) for getting the SafetyNet response?

Generally yes. It may be possible to use attestation without an API key, but there are no guarantees about quotas, and it may stop working at any time without notice. Also, if you hit a quota and you don't use an API key, there is no way to get the quota increased. There is no reason not to get an API key, so please get one if you want to use attestation.

Note that from Google Play Services 11.0, the attestation API call changed, and now you have to provide a key when using the API.

> So how do the SafetyNet compatibility check APIs (not the verification API) do client identification? Is it Android application specific or user's Google account specific?

It's API key specific. Please make sure you set up your key to work with only the apps you specify (you can set this in the developer console). This way, if a user finds out your API key, they can't reuse it for a different app.

> If the SafetyNet compatibility check API is application specific, then is there any kind of quota? E.g. if there are 100000 Android devices which have my application installed, and the application uses the SafetyNet compatibility check APIs with 1000000 compatibility check requests per day, will it work or not? Do I need something else?

> If the SafetyNet compatibility check APIs are user's Google account (Gmail) specific, then is there any kind of quota?

> What if the user of my application, which is using the SafetyNet APIs, doesn't have a Google account (Gmail ID)? Will it work on their Android phone or not?

The quota is 10000 calls per day per key. In this case you will hit the quota and you will need to have the quota raised.

Finally, keep in mind that while the attestation quota can be raised if needed, the online validation service is meant for test and debug purposes only, and the quota will most likely not be raised. Please don't use the online validation service for non-debug purposes. Use offline validation instead.

Oscar
  • I am using the following code:

    ```java
    SafetyNet.SafetyNetApi.attest(mGoogleApiClient, nonce)
            .setResultCallback(new ResultCallback<SafetyNetApi.AttestationResult>() {
                @Override
                public void onResult(SafetyNetApi.AttestationResult result) {
                    Status status = result.getStatus();
                    if (status.isSuccess()) {
                        // Attestation request succeeded.
                    } else {
                        // Attestation request failed.
                    }
                }
            });
    ```

    given at https://developer.android.com/training/safetynet/attestation.html#add-api-key. As you said, from play-services 11.0 the attestation API has changed. Do I need to change my code, or is it handled automatically? – Baqir Jul 11 '17 at 09:14
  • I just saw the latest sample code available on GitHub: https://github.com/googlesamples/android-play-safetynet/tree/master/client/java/SafetyNetSample/Application/src/main/java/com/example/android/safetynetsample. If I continue with the deprecated code and also include the API_KEY in the manifest as mentioned in the docs, will it resolve my problem regarding quota? That is, will it automatically increase my quota limit if I reach the limit, without using play-services 11.0? Currently I am using play-services 9.8.0. – Baqir Jul 11 '17 at 12:59
  • If you are using an old Play Services version, then the manifest key will be used. If you are using the new API, you need to update your code and put the key in the API call. If you reach your quota, it won't auto-increase, so you need to use the method described on the [SafetyNet page](https://developer.android.com/training/safetynet/attestation.html#add-api-key) and request a quota increase. – Oscar Jul 12 '17 at 03:58
  • Yes Oscar, I submitted a request to the SafetyNet quota team, and I am using play-services 9.8.0. Now what happens if I reach the quota (10,000 requests a day per API_KEY)? Will it increase the quota automatically now? Will it increase the quota after the SafetyNet team accepts the request? How much will the SafetyNet team increase the quota? Will the SafetyNet team set the limit specified by me in the quota increment form? Are there any charges? – Baqir Jul 12 '17 at 06:49
  • I wouldn't expect the quota to be increased automatically. I would wait for a response on their side. – Oscar Jul 12 '17 at 08:01
  • Is this quota of 10K for SafetyNetClient's attest() method or for online verification using this URL "https://www.googleapis.com/androidcheck/v1/attestations/verify?key="? – Sanjay Sharma Feb 12 '20 at 11:19
  • What is it used for, anyway? Just to check if the device is rooted and passed the compatibility check? Can it also help detect if the current app seems to be modified yet has the same signature? – android developer Nov 26 '20 at 21:21
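
The answer above recommends offline validation instead of the online validation service. The following server-side sketch is an added example, not code from the thread or from Google's samples; it goes beyond the thread by showing the signature part of that check using only the JDK. The class name and the regex-based header parsing are assumptions made to keep it dependency-free.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.Signature;
import java.security.cert.*;
import java.util.*;
import java.util.regex.*;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical class name; verifies the compact JWS returned by attest().
public final class OfflineAttestationVerifier {
    private static final String EXPECTED_HOST = "attest.android.com";

    /** Returns the JSON payload if the JWS verifies; throws otherwise. */
    public static String verify(String jws) throws Exception {
        String[] p = jws.split("\\.");
        if (p.length != 3) throw new SecurityException("not a compact JWS");
        Base64.Decoder url = Base64.getUrlDecoder();
        String header = new String(url.decode(p[0]), StandardCharsets.UTF_8);
        // Pin the algorithm; never let the token choose it.
        if (!Pattern.compile("\"alg\"\\s*:\\s*\"RS256\"").matcher(header).find())
            throw new SecurityException("unexpected alg");
        // x5c holds standard-base64 DER certificates, leaf first. Regex is an
        // assumption for brevity (no JSON parser in the JDK); use a JSON library.
        Matcher x5c = Pattern.compile("\"x5c\"\\s*:\\s*\\[([^\\]]*)\\]").matcher(header);
        if (!x5c.find()) throw new SecurityException("no x5c chain");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        Matcher cert = Pattern.compile("\"([^\"]+)\"").matcher(x5c.group(1));
        while (cert.find()) {
            byte[] der = Base64.getDecoder().decode(cert.group(1).replace("\\/", "/"));
            chain.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
        }
        if (chain.isEmpty()) throw new SecurityException("empty x5c chain");
        // 1. The chain must validate against the JVM's default trust anchors.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        ((X509TrustManager) tmf.getTrustManagers()[0])
                .checkServerTrusted(chain.toArray(new X509Certificate[0]), "RSA");
        // 2. The leaf must be issued to the attestation host (dNSName SAN, type 2).
        boolean hostOk = false;
        Collection<List<?>> sans = chain.get(0).getSubjectAlternativeNames();
        if (sans != null) for (List<?> san : sans)
            hostOk |= Integer.valueOf(2).equals(san.get(0)) && EXPECTED_HOST.equalsIgnoreCase(String.valueOf(san.get(1)));
        if (!hostOk) throw new SecurityException("leaf is not " + EXPECTED_HOST);
        // 3. The signature covers the ASCII bytes of "<header>.<payload>".
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(chain.get(0).getPublicKey());
        sig.update((p[0] + "." + p[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(url.decode(p[2]))) throw new SecurityException("bad signature");
        return new String(url.decode(p[1]), StandardCharsets.UTF_8);
    }
}
```

Only after `verify` returns should the server parse the payload and compare its nonce, package name and integrity verdicts against the values it expects for the request.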