
According to the Google SafetyNet documentation:

The default quota allotment (per project) for calling the SafetyNet Attestation API is 10,000 requests per day across your user base.

Does it also count towards our daily limit when bad players create DDoS attacks on our app, where the user's device does not result in a successful SafetyNet response (i.e. from a rooted device or emulator)?

What if it is a successful request, like a real phone where attackers play back a recording of clicks which repeatedly resets app data and navigates the app to the point where it contacts SafetyNet?

We are trying to prevent abuse of our phone number validation service, where it appears attackers have automated app-reset and click to phone validation. I'm wondering if adding SafetyNet just gives another layer which becomes susceptible to DDoS attacks. We would prefer to avoid an annoying Captcha, if possible. If it's a real device it has a unique hardware id, which we can use to prevent spam.

arberg
  • I am also experiencing similar attacks where the quota is easily limited and there are huge spikes of usage suddenly. @arberg, did you reach any solution for this? – Ravers Oct 14 '21 at 18:55
  • No, I have not found the answer. We haven't been DDoS abused, so I also have not experienced what happens with the quota limit. But if you experienced quota limiting, I guess that just means that yes, a DDoS attack will block SafetyNet. – arberg Oct 18 '21 at 10:00
  • From what I understand, the attacker needs to clear the app cache and open it again to request a new token. A script with this behavior can easily be created. I have noticed spikes from 30k requests to 500k in a matter of minutes or hours, making my app unusable in some cases. – Ravers Oct 18 '21 at 10:15
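The quota-exhaustion pattern raised in the question, and the sudden spike Ravers describes in the comments, can at least be detected on the backend before the daily budget is gone. The following is an added example, not code from the question or from Google's SafetyNet API: it runs a burn-rate check over constructed log lines, projects the last minute's attest calls onto the 10,000-per-day quota, and names the clients to throttle before handing them another attestation nonce. The log format, client identifiers and thresholds are assumptions; so is counting failed attestations against the quota, which is the conservative reading of the question.

```python
from collections import Counter
from datetime import datetime, timedelta

# The per-project SafetyNet Attestation quota quoted in the question.
DAILY_QUOTA = 10_000

# Constructed sample backend log (hypothetical format): timestamp, client id,
# attestation outcome. A client that keeps resetting app data carries no
# persistent app identifier, so it is attributed by source IP here; devices
# that passed attestation are keyed by the id the app reported.
SAMPLE_LOG = """\
2021-10-18T09:59:30Z dev-c3 ok
2021-10-18T10:00:01Z ip-203.0.113.7 fail
2021-10-18T10:00:02Z ip-203.0.113.7 fail
2021-10-18T10:00:05Z dev-a1 ok
2021-10-18T10:00:06Z ip-203.0.113.7 fail
2021-10-18T10:00:09Z dev-b2 ok
2021-10-18T10:00:12Z ip-203.0.113.7 fail
2021-10-18T10:00:15Z ip-203.0.113.7 fail
2021-10-18T10:00:20Z ip-203.0.113.7 fail
"""
NOW = datetime(2021, 10, 18, 10, 1, 0)  # evaluation time for the sample


def parse_log(text):
    """Return (timestamp, client, outcome) tuples, one per log line."""
    events = []
    for line in text.splitlines():
        ts, client, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, outcome))
    return events


def quota_burn_report(events, now, window=timedelta(minutes=1),
                      quota=DAILY_QUOTA, per_client_limit=5):
    """Project the attest-call rate of the last `window` onto 24 hours and
    compare it with the daily quota. Every call is counted, successful or
    not (assumption: a failed attestation still costs quota)."""
    recent = [e for e in events if now - window < e[0] <= now]
    per_client = Counter(client for _, client, _ in recent)
    projected = int(len(recent) * (timedelta(days=1) / window))
    return {
        "window_requests": len(recent),
        "failed": sum(1 for _, _, outcome in recent if outcome != "ok"),
        "projected_daily": projected,
        "over_quota": projected > quota,
        "top_clients": per_client.most_common(3),
        # Clients above the per-window limit should be throttled before the
        # backend issues them another attestation nonce.
        "throttle_candidates": [c for c, n in per_client.most_common()
                                if n > per_client_limit],
    }


if __name__ == "__main__":
    print(quota_burn_report(parse_log(SAMPLE_LOG), NOW))
```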
