WebAuthn : Android Safetynet Integrity verdict (ctsProfileMatch, basicIntegrity)

eclipse-vertx / vertx-auth

Apache License 2.0

166 stars 156 forks source link

WebAuthn : Android Safetynet Integrity verdict (ctsProfileMatch, basicIntegrity) #620

Closed tcompiegne closed 1 year ago

tcompiegne commented 1 year ago

Describe the feature

Currently Vert.x only check the ctsProfileMatch flag to determine if the attestation should be valid or not :

// 5. Check that “ctsProfileMatch” is set to true. If its not set to true, that means that device has been rooted
      // and so can not be trusted to provide trustworthy attestation.
      if (!token.getJsonObject("payload").getBoolean("ctsProfileMatch")) {
        throw new AttestationException("JWS ctsProfileMatch is false!");
      }

According to Google documentation : https://developer.android.com/training/safetynet/attestation#potential-integrity-verdicts

It might interesting to look after the basicIntegrity flag as well to make decision regarding the integrity of the user device and the context of a specific customer.

Would it makes sense for Vert.x to add options (WebAuthnOptions maybe ?) to be more granular regarding this topic ?

Thanks

pmlopes commented 1 year ago

Hi @tcompiegne the ctsProfileMatch is required to be true to be a valid webauthn implementation, when that flag is true then basicIntegrity can only be true either (from the table you shared).

What you're asking is to be able to relax that validation, right?

A configuration option like: safetyNetIntegrityVeridictRelaxed : boolean where it defaults to false.

And in the code we check:

if (!token.getJsonObject("payload")
  .getBoolean(
    safetyNetIntegrityVeridictRelaxed ? "basicIntegrity" : "ctsProfileMatch", // <-- here it depends on the config
    false)) {
...

tcompiegne commented 1 year ago

Hey @pmlopes,

Yes that could be a good option.

Regards