ttyridal / sdcapi.py

Client for Mobile SDC Banking

Some banks require device attestation with SafetyNet #2

Open evgenybf opened 5 years ago

evgenybf commented 5 years ago

Hello,

Some banks, such as Sparekassen Kronjylland (9335), started requiring device attestation via the SafetyNet Attestation API (https://developer.android.com/training/safetynet/attestation). The logon/selectagreement call returns "207 Multi-Status" with X-SDC-ACTION-CODE = "DEVICE_TOKEN_NEEDED" or "DEVICE_TOKEN_RENEWAL_NEEDED" (if the device has already been approved before). Without passing a valid attestation token (signed by SafetyNet) in devices/pin, all further requests fail with the error "401 Unauthorized".

Maybe someone has any idea how to bypass it? Thank you! :)

ttyridal commented 5 years ago

:( not really.. email them and ask if they've heard about PSD2? ;)

evgenybf commented 5 years ago

PSD2 (and Open banking API I guess) doesn't cover some investment information, alas... There is still a need for the private bank APIs.