SafetyNet Helper an Android open source wrapper for the Google Safety Net API

Reposted after previous company and it’s blog disappeared.

TL;DR

SafetyNet Helper is an Android open source helper library for the Google Safety Net API. It’s main aim is to make it allot easier for developers to integrate and use. Safety Net a is a great service provided by Google to add extra layer of validation of the software and hardware your app is running on.

Image for post
Image for post

If you want to jump straight to the code on GitHub https://github.com/scottyab/safetynethelper/

I’ve also released the Sample app on the Google Play store so you can test on device. https://play.google.com/id?com.scottyab.safetynet.sample

What is the Google Safety Net API?

The Safety Net API is part of the Google Play services released in version 7.0, here’s the official description … Check if your app is running on a device that matches a device model that has passed Android compatibility testing. This analysis can help you determine if your app will work as expected on the device where it is installed. The service evaluates both software and hardware characteristics of the device, and may use hardware roots of trust, when available.

I see this as an extra layer of validation of the device to indicate if the device can/cannot be trusted. This is particularly useful for secure sensitive apps (i.e banking) but also it could feed into analytics to help support and maintenance decision making.

Here’s some example results from the Safety Net CTS test:

Why build a helper?

Safety Net is one of those API’s that in my mind doesn’t get the love it deserves. For example all of the Android developers I mentioned the helper library to had never heard of SafetyNet. Maybe because there’s no flashy logo? Or maybe it’s the fact it’s not a drop in API?

The Android training from Google is very informative however additional development effort is needed. As an example of it’s learning curve the Safety Net response uses JSON Web Token (JWT). I’d not deal with that previously but after some reading I realised that actually all you need to know is that it’s 3 Base64 strings concatenated together, but I still think it’s a barrier to usage.

Additionally given this is security API it’s likely an attacker would want to fake the response from the SafetyNet test API and fake a pass result on a compromised device. Google recommends validating the JWT with their Device verification API. It’s great they provided this however there is no code samples. Also also the SafetyNet documentation mentions it there’s nothing on how to validate the payload. Neither is there mention of how to harden the HTTPS post request to the Device verification API to ensure this also isn’t compromised.

So that’s why built the SafetyNet helper library, to fill in the gaps from the documentation, to include code samples and SSL pinning validation.

Features

This section covers at a high level the features the library offers. If you want jump to start using it head to the Github repo.

Simplified call the SafetyNet API

So the main feature the simplification of the call to SafetyNet test. SafetyNetHelper.java handles creating and connecting to the Google Client API and kicking off the SafetyNet test.

final SafetyNetHelper safetyNetHelper = new SafetyNetHelper(API_KEY);

safetyNetHelper.requestTest(context, callback);

Decoding of the JSON Web Token (JWT) into simple POJO

The response from the SafetyNet API is in JWT format. The helper decodes this into a simple Java object that you can access via `safetyNetHelper.getLastResponse()`.

Validation of the payload matches the request

The decoded response is validated to check is matched the request.

Two additional fields of the response are not currently implemented, as I was unable to recreate digests used by Google.

Integration with the Device verification API to verify the JWT message.

The Safetynet docs covers verification and here I implemented the verification HTTP post request and parsed the response. See AndroidDeviceVerifier.java for the connection and validation call.

SSL pinning on the Device verification API connection

This additional SSL validation helps mitigate potential MITM attackes and ensures that only the official googleapis.com can be called/respond. GoogleApisTrustManager.java shows the implementation of SSL pinning. I’ve written about SSL pinning in the Android Security Cookbook and this gave me a chance to apply these same techniques.

Summary

That’s a brief introduction to SafetyNet Helper, its high level features and some of the rational behind why I created it. If you want to find out how to use and integrate then check out the readme and the Github repo. Please do raise an issue if you have suggestions/issues or even better submit PR! If you use it in your app I’d love to hear about it.

Stay safe!


Originally published at intohand.com.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store