scottyab / safetynethelper

SafetyNet Helper wraps the Google Play Services SafetyNet.API and verifies the SafetyNet API response with the Android Device Verification API.

Remove apkDigestSha256 check as per Google's suggestion #35

Closed robsmall closed 2 years ago

robsmall commented 6 years ago

Email from SafetyNet group:

Hi,

Starting in March 2018, Google Play will be adding a small amount of metadata to all apps, as discussed in this blog post. If you’re using the SafetyNet Attestation API for validation, there is a possibility that your app could stop working for some users. Please read our recommended course of action below.

What’s changing
The apkDigestSha256 value in the SafetyNet Attestation API response will be different from the original hash value of the APK that you previously uploaded to Google Play. This value will now be a hash of the APK that includes the new metadata.

Action recommended
If you are using the apkDigestSha256 field for validation, we recommend that you change your logic to use the apkCertificateDigestSha256 and apkPackageName instead. The certificate digest will become the most reliable way to verify your app’s APK based on the signing key. If you continue to use apkDigestSha256, your app might stop working for some users.

If you are unable to implement the above changes before March 2018, please complete this form.

Regards,
SafetyNet API Clients Team

This should take effect on March 1, 2018

scottyab commented 6 years ago

Thanks for flagging this @robsmall, in progress

scottyab commented 2 years ago

This has been removed.
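The validation the email recommends, sketched as an added example (not code from this thread or from safetynethelper): the app identity check uses `apkPackageName` and `apkCertificateDigestSha256` and never consults `apkDigestSha256`. The function names, package name and certificate bytes are constructed for illustration, and the payload is assumed to come from an attestation response whose JWS signature and certificate chain were already verified elsewhere.

```python
import base64
import hashlib

# Constructed sample values (hypothetical app and signing certificate).
EXPECTED_PACKAGE = "com.example.app"
SAMPLE_CERT_DER = b"constructed-signing-certificate-bytes"
EXPECTED_CERT_DIGESTS = {
    base64.b64encode(hashlib.sha256(SAMPLE_CERT_DER).digest()).decode()
}


def check_app_identity(payload, expected_package, expected_cert_digests):
    """Return a list of failure reasons; an empty list means the identity matches.

    Assumption: `payload` is the decoded JSON body of an attestation response
    whose signature has already been verified. apkDigestSha256 is ignored on
    purpose, because Play-added metadata changes the APK hash but not the signer.
    """
    failures = []

    if payload.get("apkPackageName") != expected_package:
        failures.append("apkPackageName mismatch")

    digests = payload.get("apkCertificateDigestSha256")
    if not isinstance(digests, list) or not digests:
        # A missing or empty field must fail closed, not pass silently.
        failures.append("apkCertificateDigestSha256 missing")
    elif any(d not in expected_cert_digests for d in digests):
        # Every reported signing certificate has to be one we expect.
        failures.append("unexpected signing certificate")

    return failures


def sample_payload(**overrides):
    """Build a constructed attestation payload; overrides replace single fields."""
    payload = {
        "apkPackageName": EXPECTED_PACKAGE,
        "apkCertificateDigestSha256": sorted(EXPECTED_CERT_DIGESTS),
        "apkDigestSha256": base64.b64encode(
            hashlib.sha256(b"apk-as-uploaded").digest()
        ).decode(),
    }
    payload.update(overrides)
    return payload
```

A payload whose `apkDigestSha256` differs from the uploaded APK's hash still passes this check, while a changed package name, an unexpected signer, or a missing certificate digest field each produce a failure reason.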