scottyab / safetynethelper

SafetyNet Helper wraps the Google Play Services SafetyNet.API and verifies Safety Net API response with the Android Device Verification API.

Response signature validation: error on version 0.9 #57

Open ale5000-git opened 2 years ago

ale5000-git commented 2 years ago

With the version 0.9 I get:

SafetyNet request: success
Response signature validation: error

Error Msg:
Response signature validation error: https://www.googleapis.com/androidcheck/v1/attestations/verify?key=...

I was passing correctly in the previous version and it is still passing in another app called "SafetyNet Test".

username227 commented 2 years ago

Same problem here. The new version doesn't work at all.

ale5000-git commented 2 years ago

Is this no longer developed?

scottyab commented 1 year ago

I think this is more of an issue with the sample app in the Play Store? If so, I had to change the way the Google Cloud API was configured to lock it down further, as a previous API key was compromised. I think this is the reason this API call is now failing.

Even if that isn't the case, on reviewing the decision to add this validation to the library, I feel it's fairly pointless given this SafetyNet response is validated on device and this could be hooked/tampered with. In #62 and version 0.10.0 this will be removed.

ale5000-git commented 1 year ago

In my opinion it still would be nice to have the validation in the library to be able to test if the SafetyNet API is working correctly.

scottyab commented 1 year ago

@ale5000-git thanks for voicing that. This removal could just be temporary; potentially someone could raise a PR with it back in. There's some offline validation we could add as mentioned here. This feels more in line with what this library is, an app-based SafetyNet check (with all the caveats previously mentioned about app-based being not the most ideal or secure).

Also just to confirm the library would still call the attest, decode the JWT response and validate the content matches the app. It just wouldn't be doing the API call to validate that the attest response actually came from Google.
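To make the distinction in the comment above concrete, here is an added illustration (not code from the safetynethelper library) of what "decode the JWT response and validate the content matches the app" looks like, and of what it does not cover. The attestation is a JWS with three base64url segments (header, payload, signature); the payload carries the `nonce`, `apkPackageName`, `apkCertificateDigestSha256`, `ctsProfileMatch` and `basicIntegrity` fields. The sample JWS, its certificate chain placeholder and its signature bytes are all constructed for this example. The content check below passes for that sample even though the signature is a dummy, which is exactly why a signature check against Google's certificate chain (on a server the app cannot tamper with) is still needed to know the response actually came from Google.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the JWS segment encoding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWS segment, restoring padding first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Constructed sample attestation. The x5c chain and the signature are
# placeholders; this is NOT a Google-issued SafetyNet response.
SAMPLE_HEADER = {"alg": "RS256", "x5c": ["PLACEHOLDER-CERT-CHAIN"]}
SAMPLE_PAYLOAD = {
    "nonce": _b64url(b"constructed-nonce-0001"),
    "timestampMs": 1600000000000,
    "apkPackageName": "com.example.app",
    "apkCertificateDigestSha256": ["constructed-signing-cert-digest"],
    "ctsProfileMatch": True,
    "basicIntegrity": True,
}
SAMPLE_JWS = ".".join([
    _b64url(json.dumps(SAMPLE_HEADER).encode()),
    _b64url(json.dumps(SAMPLE_PAYLOAD).encode()),
    _b64url(b"not-a-real-signature"),
])


def decode_jws(jws: str):
    """Split a compact JWS into (header dict, payload dict, raw signature bytes).

    This only parses; it performs no signature verification."""
    header_b64, payload_b64, sig_b64 = jws.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    return header, payload, _b64url_decode(sig_b64)


def content_matches_app(payload, expected_nonce, expected_package, expected_digests):
    """Check that the payload describes the calling app and the nonce it sent.

    Returns a list of problems; an empty list means every content check passed.
    It says nothing about whether the JWS was really signed by Google."""
    problems = []
    if payload.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")
    if payload.get("apkPackageName") != expected_package:
        problems.append("package name mismatch")
    if set(payload.get("apkCertificateDigestSha256", [])) != set(expected_digests):
        problems.append("apk certificate digest mismatch")
    if not payload.get("ctsProfileMatch"):
        problems.append("ctsProfileMatch is false")
    if not payload.get("basicIntegrity"):
        problems.append("basicIntegrity is false")
    return problems


def check_attestation(jws, expected_nonce, expected_package, expected_digests):
    """Decode the JWS and run the on-device content checks only."""
    _header, payload, _signature = decode_jws(jws)
    return content_matches_app(payload, expected_nonce, expected_package, expected_digests)


if __name__ == "__main__":
    expected_nonce = SAMPLE_PAYLOAD["nonce"]
    print(check_attestation(SAMPLE_JWS, expected_nonce, "com.example.app",
                            ["constructed-signing-cert-digest"]))
    print(check_attestation(SAMPLE_JWS, "some-other-nonce", "com.example.app",
                            ["constructed-signing-cert-digest"]))
```

The first call returns an empty list: the constructed payload matches the expected nonce, package and digest, so the content check is satisfied without the signature ever being examined. The second call reports `nonce mismatch`, showing what the content check does catch: a response replayed from an earlier request. Whether the response was signed by Google, and whether the signing chain ends at `attest.android.com`, is the part the removed API call covered and the part an offline or server-side signature check would have to take over.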