lbuchs / WebAuthn

A simple PHP WebAuthn (FIDO2/Passkey) server library
https://webauthn.lubu.ch
MIT License

invalid ctsProfileMatch in payload #51

Closed brainfoolong closed 7 months ago

brainfoolong commented 2 years ago

Hi!

I tried your library today. Unfortunately I can't add a new registration for my device (Android 11, Xiaomi Mi 9, newest Chrome) with Android SafetyNet (using the device's lock screen mechanism).

On my installation, and even on your demo page, after clicking "new registration" and enabling the desired option, the error "invalid ctsProfileMatch in payload" pops up, which comes from the server side. I found this error message in your WebAuthn code; it occurs when ctsProfileMatch is false.

I can't find any further info about this, as I am no expert in how your internal things work.

If you need more info, please let me know.

brainfoolong commented 2 years ago

However, I tried further by removing the check at https://github.com/lbuchs/WebAuthn/blob/e5d9434a7eaa185ef4975109e16b90f6d9a0b684/src/Attestation/Format/AndroidSafetyNet.php#L103; then everything works fine and I can get the process of creation and authentication, and later using it for login, to work.

I don't know if removing this check has any security flaws.

lbuchs commented 2 years ago

ctsProfileMatch: A stricter verdict of device integrity. If the value of ctsProfileMatch is true, then the profile of the device running your app matches the profile of a device that has passed Android compatibility testing and has been approved as a Google-certified Android device.

basicIntegrity: A more lenient verdict of device integrity. If only the value of basicIntegrity is true, then the device running your app likely wasn't tampered with. However, the device hasn't necessarily passed Android compatibility testing.

-- https://developer.android.com/training/safetynet/attestation#compat-check-response

So Trump made that problem 😉 Xiaomi devices are not Google-certified Android devices. Could also switch to basicIntegrity.

brainfoolong commented 2 years ago

OK, I am not quite sure what that means. Is it possible to set a setting in your library to make this work, then, or do I have to add other settings on the client side?

My1 commented 2 years ago

I would heavily support having an option there, or even a way to not require either of them but report them, so the admin can choose how to deal with the device (notably giving the user information when blocking it, or even allowing it with a warning).
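The three options discussed in this thread (lbuchs' strict ctsProfileMatch check, his suggested fallback to basicIntegrity, and My1's "report, don't block" idea) can be expressed as one configurable policy over the SafetyNet verdict claims. The following is an added illustration, not code from lbuchs/WebAuthn; the function names, the `$mode` values and the constructed sample payload are assumptions made here. It decodes the claim set from the compact JWS payload segment (signature verification against the attestation certificate chain is a separate step the library already performs and is not repeated here) and then applies the chosen policy, reproducing the library's "invalid ctsProfileMatch in payload" rejection in strict mode.

```php
<?php
declare(strict_types=1);

// Added example, not part of lbuchs/WebAuthn. All names here are hypothetical.

/**
 * Decode the payload (second segment) of a compact JWS into an array.
 * This does NOT verify the signature; it only exposes the claims so a
 * policy can be applied to them after the signature has been checked.
 */
function decodeJwsPayload(string $jws): array
{
    $parts = explode('.', $jws);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('not a compact JWS');
    }
    // base64url -> base64 (restore padding so strict decoding succeeds)
    $b64 = strtr($parts[1], '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $json = base64_decode($b64, true);
    if ($json === false) {
        throw new InvalidArgumentException('payload is not base64url');
    }
    $payload = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($payload)) {
        throw new InvalidArgumentException('payload is not a JSON object');
    }
    return $payload;
}

/**
 * Evaluate the SafetyNet verdict claims under a configurable policy.
 *
 *   'strict' - require ctsProfileMatch (the library's current behaviour)
 *   'basic'  - require only basicIntegrity (the relaxation lbuchs suggested)
 *   'report' - never throw; hand the verdict back so the application decides
 *
 * Returns ['ok' => bool, 'ctsProfileMatch' => bool, 'basicIntegrity' => bool, 'reason' => ?string].
 */
function evaluateSafetyNetVerdict(array $payload, string $mode = 'strict'): array
{
    $cts   = ($payload['ctsProfileMatch'] ?? false) === true;
    $basic = ($payload['basicIntegrity'] ?? false) === true;
    $verdict = ['ok' => true, 'ctsProfileMatch' => $cts, 'basicIntegrity' => $basic, 'reason' => null];

    if (!$basic) {
        // Failing even basicIntegrity means the device was likely tampered with.
        $verdict['ok'] = false;
        $verdict['reason'] = 'basicIntegrity is false';
    } elseif (!$cts) {
        // Uncertified but untampered device (the Xiaomi case in this issue):
        // passes the lenient check, fails the strict one.
        $verdict['ok'] = ($mode !== 'strict');
        $verdict['reason'] = 'ctsProfileMatch is false (device not Google-certified)';
    }

    if (!$verdict['ok'] && $mode !== 'report') {
        $field = $basic ? 'ctsProfileMatch' : 'basicIntegrity';
        throw new RuntimeException('invalid ' . $field . ' in payload');
    }
    return $verdict;
}

// Constructed sample claim set in the shape of a SafetyNet attestation payload.
// nonce and timestampMs are placeholders, not captured data.
$constructed = [
    'nonce'           => 'PLACEHOLDER_BASE64_NONCE',
    'timestampMs'     => 0,
    'ctsProfileMatch' => false,   // the situation reported in this issue
    'basicIntegrity'  => true,
];
$header = 'eyJhbGciOiJSUzI1NiJ9'; // base64url of {"alg":"RS256"}
$body   = rtrim(strtr(base64_encode(json_encode($constructed)), '+/', '-_'), '=');
$jws    = $header . '.' . $body . '.PLACEHOLDER_SIGNATURE';

foreach (['strict', 'basic', 'report'] as $mode) {
    try {
        $v = evaluateSafetyNetVerdict(decodeJwsPayload($jws), $mode);
        printf("%-6s -> ok=%s reason=%s\n", $mode, $v['ok'] ? 'yes' : 'no', $v['reason'] ?? '-');
    } catch (RuntimeException $e) {
        printf("%-6s -> rejected: %s\n", $mode, $e->getMessage());
    }
}
```

With the constructed payload, `strict` rejects with the same message the issue reports, `basic` accepts, and `report` accepts while still returning `ctsProfileMatch => false` and a reason, which is the information an application would need to warn the user or an admin as My1 describes. A device that fails basicIntegrity is never accepted silently in any mode; in `report` mode the caller still gets `ok => false` and must decide what to do with it.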