SafetyNet Helper: an Android open source wrapper for the Google Safety Net API

Reposted after previous company and its blog disappeared.

TL;DR

SafetyNet Helper is an Android open source helper library for the Google Safety Net API. Its main aim is to make the API a lot easier for developers to integrate and use. Safety Net is a great service provided by Google that adds an extra layer of validation of the software and hardware your app is running on.

If you want to jump straight to the code, it’s on GitHub: https://github.com/scottyab/safetynethelper/

I’ve also released the sample app on the Google Play store so you can test on a device: https://play.google.com/id?com.scottyab.safetynet.sample

What is the Google Safety Net API?

The Safety Net API is part of Google Play services and was released in version 7.0. Here’s the official description: “Check if your app is running on a device that matches a device model that has passed Android compatibility testing. This analysis can help you determine if your app will work as expected on the device where it is installed. The service evaluates both software and hardware characteristics of the device, and may use hardware roots of trust, when available.”

I see this as an extra layer of validation of the device to indicate whether the device can or cannot be trusted. This is particularly useful for security-sensitive apps (e.g. banking), but it could also feed into analytics to help support and maintenance decision making.

Here are some example results from the Safety Net CTS test:

  • Rooted devices (all the ones I tested) = fail
  • Emulators = fail
  • Non-CTS devices (e.g. $99 Android tablets) = fail

Why build a helper?

Safety Net is one of those APIs that in my mind doesn’t get the love it deserves. For example, all of the Android developers I mentioned the helper library to had never heard of SafetyNet. Maybe because there’s no flashy logo? Or maybe it’s the fact it’s not a drop-in API?

The Android training from Google is very informative, however additional development effort is needed. As an example of its learning curve, the Safety Net response uses JSON Web Token (JWT). I’d not dealt with that previously, but after some reading I realised that actually all you need to know is that it’s 3 Base64 strings concatenated together, but I still think it’s a barrier to usage.

Additionally, given this is a security API, it’s likely an attacker would want to fake the response from the SafetyNet test API and fake a pass result on a compromised device. Google recommends validating the JWT with their Device verification API. It’s great they provided this, however there are no code samples. Also, although the SafetyNet documentation mentions it, there’s nothing on how to validate the payload. Neither is there mention of how to harden the HTTPS POST request to the Device verification API to ensure this also isn’t compromised.

So that’s why I built the SafetyNet helper library: to fill in the gaps from the documentation, and to include code samples and SSL pinning validation.

Features

This section covers, at a high level, the features the library offers. If you want to jump straight to using it, head to the GitHub repo.

Simplified call to the SafetyNet API

The main feature is the simplification of the call to the SafetyNet test. SafetyNetHelper.java handles creating and connecting to the Google Client API and kicking off the SafetyNet test.

final SafetyNetHelper safetyNetHelper = new SafetyNetHelper(API_KEY);
safetyNetHelper.requestTest(context, callback);

Decoding of the JSON Web Token (JWT) into a simple POJO

The response from the SafetyNet API is in JWT format. The helper decodes this into a simple Java object that you can access via `safetyNetHelper.getLastResponse()`.

Validation that the payload matches the request

The decoded response is validated to check that it matches the request.

  • A random 32-byte nonce, which is sent with the request, is validated to ensure it is identical in the response payload.
  • The timestamp is validated to verify that the response is less than 2 minutes old, to guard against replay attacks (although it’s conceivable the device system time could be compromised).
  • The app package name is queried at runtime and checked against the value in the response.

Two additional fields of the response are not currently implemented, as I was unable to recreate digests used by Google.

  • Validate APK checksum
  • Validate signing certificate
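
The decoding and the three payload checks described above, as an added example that is not the library's own code: it splits the token, base64url-decodes the middle segment and compares the nonce, timestamp and package name with what the app sent, leaving out the two digest fields just as the post does. The class name, the com.example.app package and the unsigned demo token are constructed for illustration; the field names nonce, timestampMs and apkPackageName come from the SafetyNet attestation payload, and the code assumes org.json (bundled with Android) and java.util.Base64 (Android API 26+).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import org.json.JSONObject;

public class AttestationPayloadCheck {
    static final long MAX_AGE_MS = 2 * 60 * 1000L; // the 2-minute replay window
    /** Returns null when the payload matches the request, else the reason it does not. */
    static String check(String jws, byte[] sentNonce, String ownPackage, long nowMs) {
        String[] parts = jws.split("\\.");
        if (parts.length != 3) return "expected header.payload.signature";
        try {
            // JWT segments are base64url; the claims are in the middle one.
            byte[] json = Base64.getUrlDecoder().decode(parts[1]);
            JSONObject p = new JSONObject(new String(json, StandardCharsets.UTF_8));
            // The nonce comes back as a standard-base64 string inside the JSON.
            byte[] gotNonce = Base64.getDecoder().decode(p.optString("nonce", ""));
            if (!MessageDigest.isEqual(sentNonce, gotNonce)) return "nonce mismatch";
            // abs() also rejects timestamps from the future (clock skew or tampering).
            long age = Math.abs(nowMs - p.optLong("timestampMs", 0L));
            if (age > MAX_AGE_MS) return "timestamp outside the 2-minute window";
            if (!ownPackage.equals(p.optString("apkPackageName", ""))) return "package name mismatch";
            return null;
        } catch (Exception e) { // malformed base64 or JSON
            return "payload is not valid base64url JSON";
        }
    }

    // Constructed, unsigned token for the demo only; a real one carries Google's signature,
    // which this class does not verify (that is the Device verification API's job).
    static String demoToken(JSONObject payload) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString("{\"alg\":\"RS256\"}".getBytes(StandardCharsets.UTF_8)) + "."
            + enc.encodeToString(payload.toString().getBytes(StandardCharsets.UTF_8)) + ".c2ln";
    }

    public static void main(String[] args) throws Exception {
        byte[] nonce = new byte[32];
        new SecureRandom().nextBytes(nonce);
        long now = System.currentTimeMillis();
        JSONObject p = new JSONObject()
            .put("nonce", Base64.getEncoder().encodeToString(nonce))
            .put("timestampMs", now - 5_000L)
            .put("apkPackageName", "com.example.app");
        String token = demoToken(p);
        System.out.println("fresh:       " + check(token, nonce, "com.example.app", now));
        System.out.println("replayed:    " + check(token, nonce, "com.example.app", now + 180_000L));
        System.out.println("other nonce: " + check(token, new byte[32], "com.example.app", now));
    }
}
```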

Integration with the Device verification API to verify the JWT message.

The SafetyNet docs cover verification, and here I implemented the verification HTTP POST request and parsed the response. See AndroidDeviceVerifier.java for the connection and validation call.

SSL pinning on the Device verification API connection

This additional SSL validation helps mitigate potential MITM attacks and ensures that only the official googleapis.com can be called or respond. GoogleApisTrustManager.java shows the implementation of SSL pinning. I’ve written about SSL pinning in the Android Security Cookbook and this gave me a chance to apply these same techniques.

Summary

That’s a brief introduction to SafetyNet Helper, its high-level features and some of the rationale behind why I created it. If you want to find out how to use and integrate it, check out the readme and the GitHub repo. Please do raise an issue if you have suggestions or issues, or even better, submit a PR! If you use it in your app I’d love to hear about it.

Stay safe!


Originally published at intohand.com.