0

I was looking at this for verifying the authenticity of an android device as show here. Now there're 2 ways to do this. One is offline verify and the other online verify. While online verify calls a google attestation check api, to which I also have to send in my API_KEY along with my attestation response.

Can someone suggest choose which way to verify my device - whether offline or online, to use in my server?

megamind79
  • 69
  • 3
  • 11
  • 1
    Please give a reason before downvoting, so that I can improve the way I ask my questions, instead of just downvoting. – megamind79 Mar 18 '19 at 19:24

2 Answers2

1

According to the documentation, online verification should only be used in the early development stage. Relevant passage:

During initial testing and development (but not in production), you can call an online API for verifying the signature of the JWS statement. This process has also been shown in the android-play-safetynet sample API usage made available on GitHub. Note that online verification API is solely for early-stage testing, and you have a fixed quota of 10,000 requests per day.

Instead one should use offline verification, based off of the template you found, as the JWS can be verified without the need of Google.

Jayrassic
  • 127
  • 11
0

Add the following dependencies to your pubspec.yaml file:

dependencies:
  google_sign_in: ^5.2.1
  googleapis: ^6.0.0
  flutter_secure_storage: ^4.2.1
Jeremy Caney
  • 7,102
  • 69
  • 48
  • 77
Ajit m Kapadiya
  • 1
  • 1
    As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Mar 29 '23 at 00:46