Mobile API Anti-abuse Protection: AppiCrypt® Is a New SafetyNet and DeviceCheck Attestation Alternative

Network requests come from adversarial parties such as botnets, DDoS sources, app clones, tampered apps, malware, and emulators.

The basics: API keys, client authentication, and pinning

From the API perspective, all calls must travel over a secure channel between the client app and the API service; in practice that means HTTPS (TLS). Static, or preferably dynamic, certificate pinning (SSL pinning) lets the app verify that it is talking to the genuine backend rather than to any server that presents a publicly trusted certificate.
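The pinning check itself, as an added illustration that is not code from the article or from Talsec: the app computes base64(SHA-256(subjectPublicKeyInfo)) over each certificate in the server's chain and accepts the connection only if one of them matches a configured pin. Pinning the public key rather than the whole certificate means a routine certificate renewal with the same key does not break the app. The DER walker, the `demo_cert` builder and the `DEMO_SPKI` bytes are constructed for the example; the builder produces a structurally correct but unsigned placeholder, not a real certificate.

```python
import base64
import hashlib


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV starting at buf[pos]; return (tag, value, end_of_tlv)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(seq_value: bytes):
    """Split the content of a SEQUENCE into child TLVs, keeping each child's full encoding."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, _, end = _read_tlv(seq_value, pos)
        out.append((tag, seq_value[pos:end]))
        pos = end
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded subjectPublicKeyInfo of an X.509 certificate (RFC 5280 field order)."""
    _, cert_body, _ = _read_tlv(cert_der, 0)      # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)            # tbsCertificate is its first child
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                       # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5][1]


def spki_pin(cert_der: bytes) -> str:
    """Pin in the OkHttp/HPKP format: base64(SHA-256(subjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def chain_matches_pins(chain_der, pins) -> bool:
    """Accept the connection only if some certificate in the chain carries a pinned key.
    Keep at least one backup pin configured so a planned key rotation does not lock users out."""
    return any(spki_pin(cert) in pins for cert in chain_der)


# --- constructed demo material (not a real certificate) ---------------------------------

def _tlv(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder used only to build the placeholder certificate below."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def demo_cert(spki: bytes, serial: int) -> bytes:
    """Placeholder certificate with the correct tbsCertificate field order and dummy contents."""
    tbs = _tlv(0x30, b"".join([
        _tlv(0xA0, _tlv(0x02, b"\x02")),          # [0] version v3
        _tlv(0x02, serial.to_bytes(1, "big")),     # serialNumber (changes on renewal)
        _tlv(0x30, b""),                           # signature algorithm (placeholder)
        _tlv(0x30, b""),                           # issuer (placeholder)
        _tlv(0x30, b""),                           # validity (placeholder)
        _tlv(0x30, b""),                           # subject (placeholder)
        spki,                                      # subjectPublicKeyInfo (what we pin)
    ]))
    # outer Certificate: tbsCertificate + signatureAlgorithm + signatureValue placeholders
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


DEMO_SPKI = _tlv(0x30, _tlv(0x30, b"") + _tlv(0x03, b"\x00" + b"demo-public-key"))
OTHER_SPKI = _tlv(0x30, _tlv(0x30, b"") + _tlv(0x03, b"\x00" + b"another-public-key"))

if __name__ == "__main__":
    pin = spki_pin(demo_cert(DEMO_SPKI, serial=1))
    renewed = demo_cert(DEMO_SPKI, serial=2)       # same key, new serial
    print("pin:", pin)
    print("renewed cert still matches:", chain_matches_pins([renewed], {pin}))
    print("foreign key matches:", chain_matches_pins([demo_cert(OTHER_SPKI, 3)], {pin}))
```

On a Python client the leaf certificate in DER form comes from `ssl.SSLSocket.getpeercert(binary_form=True)`, and on Android OkHttp's `CertificatePinner` expects exactly this `sha256/<base64>` value, so the same pin can be computed once and shipped to every platform. The dynamic pinning the article prefers means the pin set is refreshed from a trusted source rather than compiled in, which is what lets the backend rotate keys without a forced app update.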

AppiCrypt® App and Device Attestation

AppiCrypt stands for App Integrity Cryptogram.

  • The backend can filter out non-legitimate API calls.
  • Fake calls are hard to make, and it is simpler to use than Attestation.
  • Higher tampering resistance slows the attacker down, which extends the time to an API breach.

SafetyNet Attestation is not your savior

You’ve most probably heard about Google SafetyNet. Google’s attestation tool got quite popular because it is preinstalled on common devices equipped with Google Mobile Services. Like AppiCrypt, it helps determine the overall integrity of the device. Make no mistake: neither SafetyNet nor AppiCrypt can replace a proper Security Development Lifecycle (SDL); both serve as additional security layers.

Example of a SafetyNet result produced with the YASNAC app. SafetyNet can be tricked into giving false results with the SafetyNet Fix module for Magisk.

Common SafetyNet Disadvantages

  • It works only if Google Play Services and good network connectivity are available.
  • It has a high response time caused by network latency and processing time.
  • SafetyNet Attestation fails under many conditions caused by network, quota, and other transient problems.
  • You need to implement verification of SafetyNet’s result on your backend.
  • It doesn’t involve many checks (e.g., tapjacking, accessibility service abuse, screen lock status).
  • Google has no security process to ensure that an OEM ROM is clean; hence, SafetyNet won’t guarantee you the safety of an OEM ROM.

AppiCrypt vs. SafetyNet Pros and Cons

Pros of AppiCrypt

  • Universal across all platforms (Android with or without Google Services, iOS, Flutter)
  • Serverless verification component ready to use (e.g., AWS Lambda authorizer)
  • Suited for demanding businesses (Fin-Tech, Healthcare, Gaming, Government)
  • Fine-grained threat signals
  • Reaction based on device identifiers, GPS emulation status, and screen lock status
  • Attestation even on a lousy network connection, without quota issues and other transient problems
  • Supports devices with an unlocked bootloader
  • Supports devices with custom system ROMs
  • Supports devices for which the manufacturer didn’t apply for, or pass, Google certification
  • Supports devices with a system image built directly from the Android Open Source Project source files
  • Low latency
  • Zero dependency on Google server middleware means no single point of failure

Pros of SafetyNet

  • Free quota allotment (per project) for calling the SafetyNet Attestation API is 10,000 requests per day and five requests per minute.
  • Developed and supported by the official Android team
  • Checks verified boot

AppiCrypt works with Android, iOS and Flutter.

AppiCrypt vs. SafetyNet Application Domains

The true strength of AppiCrypt lies in its ability to protect multiple application domains. Be it an iPhone, iPad, Amazon Fire Tablet, EMV POS terminal, or kiosk, you can use the same AppiCrypt SDK and its backend component. If you need protection in every possible environment, AppiCrypt is right for you.

AppiCrypt vs. SafetyNet application domains and capabilities.

AppiCrypt application domains:

  • Virtually every Android device
  • iOS (iPhone, iPad)
  • Flutter apps
  • Huawei & Honor devices, since Huawei lost access to Google services
  • EMV POS Terminals
  • Performance Critical Apps
  • Amazon Fire Tablets
  • Self-service Tablets
  • Kiosks
  • Gaming Emulators
  • Non-Google Areas (China)
  • Devices with custom ROMs

Enterprise Services

AppiCrypt is courtesy of Talsec. If you are looking for a solution tailored to your specific needs, contact us at https://talsec.app. We provide enhanced RASP protection with malware detection and detailed configurable threat reactions, immediate alerts, and penetration testing of your product to our commercial customers with a self-hosted cloud platform. To get the most advanced protection compliant with PSD2 RT and eIDAS and support from our experts, contact us via https://talsec.app/contact.
