Organiza tus páginas con colecciones
Guarda y categoriza el contenido según tus preferencias.
Para ayudarte a confirmar las intenciones de los usuarios cuando inician una transacción sensible, como realizar un pago, los dispositivos compatibles que ejecutan Android 9 (nivel de API 28) o versiones posteriores te permiten usar la Confirmación de protección de Android. Cuando se usa este flujo de trabajo, tu app muestra un mensaje al usuario en el que se le solicita que apruebe una breve declaración que reafirme su intención de completar la transacción sensible.
Si el usuario acepta la declaración, tu app podrá usar la clave de Android Keystore para firmar el mensaje que se mostró en el diálogo. La firma indica, con un alto grado de confianza, que el usuario vio la declaración y la aceptó.
Precaución: La Confirmación de protección de Android no proporciona un canal de información seguro para el usuario. Tu app no puede asumir garantías de confidencialidad más allá de las que ofrece la plataforma de Android. En especial, no uses este flujo de trabajo para mostrar información sensible que no mostrarías normalmente en el dispositivo del usuario.
Una vez que el usuario confirma el mensaje, se garantiza la integridad del mensaje, pero tu app debe seguir usando la encriptación de datos en tránsito para proteger la confidencialidad del mensaje firmado.
Para admitir la confirmación de usuarios altamente confiables en tu app, completa estos pasos:
Inscribe la nueva clave generada y la certificación de tu clave con el usuario de confianza adecuado.
Envía los detalles de la transacción a tu servidor y haz que genere y muestre un objeto binario grande (BLOB) de datos adicionales. Estos datos pueden incluir información que aún se debe confirmar o sugerencias de análisis, como la configuración regional de la string de solicitud.
Para una implementación más segura, el BLOB debe contener un nonce criptográfico para tener protección contra ataques de reproducción y desambiguar transacciones.
Configura el objeto ConfirmationCallback que informa a tu app una vez que el usuario acepte la solicitud mostrada en un diálogo de confirmación.
Kotlin
classMyConfirmationCallback:ConfirmationCallback(){overridefunonConfirmed(dataThatWasConfirmed:ByteArray?){super.onConfirmed(dataThatWasConfirmed)// Sign dataThatWasConfirmed using your generated signing key.// By completing this process, you generate a signed statement.}overridefunonDismissed(){super.onDismissed()// Handle case where user declined the prompt in the// confirmation dialog.}overridefunonCanceled(){super.onCanceled()// Handle case where your app closed the dialog before the user// responded to the prompt.}overridefunonError(e:Exception?){super.onError(e)// Handle the exception that the callback captured.}}
Java
publicclassMyConfirmationCallbackextendsConfirmationCallback{@OverridepublicvoidonConfirmed(@NonNullbyte[]dataThatWasConfirmed){super.onConfirmed(dataThatWasConfirmed);// Sign dataThatWasConfirmed using your generated signing key.// By completing this process, you generate a signed statement.}@OverridepublicvoidonDismissed(){super.onDismissed();// Handle case where user declined the prompt in the// confirmation dialog.}@OverridepublicvoidonCanceled(){super.onCanceled();// Handle case where your app closed the dialog before the user// responded to the prompt.}@OverridepublicvoidonError(Throwablee){super.onError(e);// Handle the exception that the callback captured.}}
Si el usuario acepta el diálogo, se llama a la devolución de llamada onConfirmed(). El BLOB dataThatWasConfirmed es una estructura de datos CBOR que contiene, entre otros detalles, el texto del mensaje que el usuario vio, así como los datos adicionales que pasó al compilador ConfirmationPrompt. Usa la clave creada anteriormente para firmar el BLOB dataThatWasConfirmed y, luego, pásalo al usuario de confianza junto con los detalles de la firma y la transacción.
Para aprovechar por completo la garantía de seguridad que ofrece la Confirmación de protección de Android, el usuario de confianza debe llevar a cabo los siguientes pasos cuando reciba un mensaje firmado:
Controla la firma en el mensaje, así como la cadena del certificado de certificación de la clave de firma.
Controla que el certificado de atestación tenga configurado el indicador TRUSTED_CONFIRMATION_REQUIRED, que indique que la clave de firma requiere la confirmación de un usuario de confianza. Si la clave de firma es una clave RSA, comprueba que no tenga la propiedad PURPOSE_ENCRYPT o PURPOSE_DECRYPT.
Controla extraData para asegurarte de que este mensaje de confirmación pertenezca a una solicitud nueva y que no se haya procesado aún. Este paso protege contra ataques de reproducción.
Analiza promptText con el objetivo de obtener información sobre la acción o solicitud confirmada. Recuerda que promptText es la única parte del mensaje que el usuario realmente confirmó. El usuario de confianza jamás debe suponer que los datos por confirmar que se incluyen en extraData corresponden a promptText.
Agrega una lógica similar a la que se muestra en el siguiente fragmento de código para mostrar el diálogo mismo:
Kotlin
// This data structure varies by app type. This is an example.dataclassConfirmationPromptData(valsender:String,valreceiver:String,valamount:String)valmyExtraData:ByteArray=byteArrayOf()valmyDialogData=ConfirmationPromptData("Ashlyn","Jordan","$500")valthreadReceivingCallback=Executor{runnable->runnable.run()}valcallback=MyConfirmationCallback()valdialog=ConfirmationPrompt.Builder(context).setPromptText("${myDialogData.sender}, send${myDialogData.amount} to${myDialogData.receiver}?").setExtraData(myExtraData).build()dialog.presentPrompt(threadReceivingCallback,callback)
Java
// This data structure varies by app type. This is an example.classConfirmationPromptData{Stringsender,receiver,amount;ConfirmationPromptData(Stringsender,Stringreceiver,Stringamount){this.sender=sender;this.receiver=receiver;this.amount=amount;}};finalintMY_EXTRA_DATA_LENGTH=100;byte[]myExtraData=newbyte[MY_EXTRA_DATA_LENGTH];ConfirmationPromptDatamyDialogData=newConfirmationPromptData("Ashlyn","Jordan","$500");ExecutorthreadReceivingCallback=Runnable::run;MyConfirmationCallbackcallback=newMyConfirmationCallback();ConfirmationPromptdialog=(newConfirmationPrompt.Builder(getApplicationContext())).setPromptText("${myDialogData.sender}, send ${myDialogData.amount} to ${myDialogData.receiver}?").setExtraData(myExtraData).build();dialog.presentPrompt(threadReceivingCallback,callback);
Recursos adicionales
Para obtener más información sobre la Confirmación de protección de Android, consulta los siguientes recursos.
El contenido y las muestras de código que aparecen en esta página están sujetas a las licencias que se describen en la Licencia de Contenido. Java y OpenJDK son marcas registradas de Oracle o sus afiliados.
Última actualización: 2023-12-21 (UTC)
[[["Fácil de comprender","easyToUnderstand","thumb-up"],["Resolvió mi problema","solvedMyProblem","thumb-up"],["Otro","otherUp","thumb-up"]],[["Falta la información que necesito","missingTheInformationINeed","thumb-down"],["Muy complicado o demasiados pasos","tooComplicatedTooManySteps","thumb-down"],["Desactualizado","outOfDate","thumb-down"],["Problema de traducción","translationIssue","thumb-down"],["Problema con las muestras o los códigos","samplesCodeIssue","thumb-down"],["Otro","otherDown","thumb-down"]],["Última actualización: 2023-12-21 (UTC)"],[],[],null,["# Android Protected Confirmation\n\nTo help you confirm users' intentions when they initiate a sensitive\ntransaction, such as making a payment, supported devices that run Android 9 (API\nlevel 28) or higher let you use Android Protected Confirmation. When using this\nworkflow, your app displays a prompt to the user, asking them to approve a short\nstatement that reaffirms their intent to complete the sensitive transaction.\n\nIf the user accepts the statement, your app can use a key from Android Keystore\nto sign the message shown in the dialog. The signature indicates, with very high\nconfidence, that the user has seen the statement and has agreed to it. \n**Caution:**Android Protected Confirmation doesn't provide a\nsecure information channel for the user. Your app can't assume any\nconfidentiality guarantees beyond those that the Android platform offers. In\nparticular, don't use this workflow to display sensitive information that you\nwouldn't ordinarily show on the user's device.\n\nAfter the user confirms the message, the message's integrity is assured,\nbut your app must still use data-in-transit encryption to protect the\nconfidentiality of the signed message.\n\nTo provide support for high-assurance user confirmation in your app, complete\nthe following steps:\n\n1. [Generate an asymmetric signing key](/training/articles/keystore#GeneratingANewPrivateKey)\n using the\n [`KeyGenParameterSpec.Builder`](/reference/android/security/keystore/KeyGenParameterSpec.Builder)\n class. When creating the key, pass `true` into\n [`setUserConfirmationRequired()`](/reference/android/security/keystore/KeyGenParameterSpec.Builder#setUserConfirmationRequired(boolean)).\n Also, call [`setAttestationChallenge()`](/reference/android/security/keystore/KeyGenParameterSpec.Builder#setAttestationChallenge(byte%5B%5D)),\n passing a suitable challenge value provided by the relying party.\n\n2. Enroll the newly generated key and your key's attestation certificate with\n the appropriate relying party.\n\n3. Send transaction details to your server and have it generate and return a\n binary large object (BLOB) of *extra data*. Extra data might include the\n to-be-confirmed data or parsing hints, such as the locale of the prompt string.\n\n For a more secure implementation, the BLOB must contain a cryptographic\n nonce for protection against\n [replay attacks](https://www.pcmag.com/encyclopedia/term/50439/replay-attack)\n and to disambiguate transactions.\n | **Caution:** If the extra data field includes to-be-confirmed data, the relying party must verify the equivalent data that's sent with the prompt string. Android Protected Confirmation doesn't render the extra data, so your app can't assume that the user confirmed this data.\n4. Set up the\n [`ConfirmationCallback`](/reference/android/security/ConfirmationCallback)\n object that informs your app when the user has accepted the prompt shown in a\n confirmation dialog:\n\n ### Kotlin\n\n ```kotlin\n class MyConfirmationCallback : ConfirmationCallback() {\n\n override fun onConfirmed(dataThatWasConfirmed: ByteArray?) {\n super.onConfirmed(dataThatWasConfirmed)\n // Sign dataThatWasConfirmed using your generated signing key.\n // By completing this process, you generate a signed statement.\n }\n\n override fun onDismissed() {\n super.onDismissed()\n // Handle case where user declined the prompt in the\n // confirmation dialog.\n }\n\n override fun onCanceled() {\n super.onCanceled()\n // Handle case where your app closed the dialog before the user\n // responded to the prompt.\n }\n\n override fun onError(e: Exception?) {\n super.onError(e)\n // Handle the exception that the callback captured.\n }\n }\n ```\n\n ### Java\n\n ```java\n public class MyConfirmationCallback extends ConfirmationCallback {\n\n @Override\n public void onConfirmed(@NonNull byte[] dataThatWasConfirmed) {\n super.onConfirmed(dataThatWasConfirmed);\n // Sign dataThatWasConfirmed using your generated signing key.\n // By completing this process, you generate a signed statement.\n }\n\n @Override\n public void onDismissed() {\n super.onDismissed();\n // Handle case where user declined the prompt in the\n // confirmation dialog.\n }\n\n @Override\n public void onCanceled() {\n super.onCanceled();\n // Handle case where your app closed the dialog before the user\n // responded to the prompt.\n }\n\n @Override\n public void onError(Throwable e) {\n super.onError(e);\n // Handle the exception that the callback captured.\n }\n }\n ```\n\n If the user approves the dialog, the `onConfirmed()` callback is\n called. The `dataThatWasConfirmed` BLOB is a\n [CBOR data structure](http://cbor.io/) that contains,\n among other details, the prompt text that the user saw as well as the extra\n data that you passed into the\n [`ConfirmationPrompt`](/reference/android/security/ConfirmationPrompt)\n builder. Use the previously created key to sign the\n `dataThatWasConfirmed` BLOB, then pass this BLOB, along with the\n signature and transaction details, back to the relying party.\n | **Note:** Because the key was created using [`setUserConfirmationRequired()`](/reference/android/security/keystore/KeyGenParameterSpec.Builder#setUserConfirmationRequired(boolean)), it can only be used to sign data that's returned in the `dataThatWasConfirmed` parameter. Attempting to sign any other kind of data fails.\n\n To make full use of the security assurance that Android Protected\n Confirmation offers, the relying party must perform the following steps upon\n receiving a signed message:\n 1. Check the signature over the message as well as the attestation certificate chain of the signing key.\n 2. Check that the attestation certificate has the `TRUSTED_CONFIRMATION_REQUIRED` flag set, which indicates that the signing key requires trusted user confirmation. If the signing key is an RSA key, check that it doesn't have the [`PURPOSE_ENCRYPT`](/reference/android/security/keystore/KeyProperties#PURPOSE_ENCRYPT) or [`PURPOSE_DECRYPT`](/reference/android/security/keystore/KeyProperties#PURPOSE_DECRYPT) property.\n 3. Check `extraData` to make sure that this confirmation message belongs to a new request and hasn't been processed yet. This step protects against replay attacks.\n 4. Parse the `promptText` for information about the confirmed action or request. Remember that the `promptText` is the only part of the message that the user actually confirmed. The relying party must never assume that to-be confirmed data included in `extraData` corresponds to the `promptText`.\n5. Add logic similar to that shown in the following code snippet to display the\n dialog itself:\n\n ### Kotlin\n\n ```kotlin\n // This data structure varies by app type. This is an example.\n data class ConfirmationPromptData(val sender: String,\n val receiver: String, val amount: String)\n\n val myExtraData: ByteArray = byteArrayOf()\n val myDialogData = ConfirmationPromptData(\"Ashlyn\", \"Jordan\", \"$500\")\n val threadReceivingCallback = Executor { runnable -\u003e runnable.run() }\n val callback = MyConfirmationCallback()\n\n val dialog = ConfirmationPrompt.Builder(context)\n .setPromptText(\"${myDialogData.sender}, send\n ${myDialogData.amount} to\n ${myDialogData.receiver}?\")\n .setExtraData(myExtraData)\n .build()\n dialog.presentPrompt(threadReceivingCallback, callback)\n ```\n\n ### Java\n\n ```java\n // This data structure varies by app type. This is an example.\n class ConfirmationPromptData {\n String sender, receiver, amount;\n ConfirmationPromptData(String sender, String receiver, String amount) {\n this.sender = sender;\n this.receiver = receiver;\n this.amount = amount;\n }\n };\n final int MY_EXTRA_DATA_LENGTH = 100;\n byte[] myExtraData = new byte[MY_EXTRA_DATA_LENGTH];\n ConfirmationPromptData myDialogData = new ConfirmationPromptData(\"Ashlyn\", \"Jordan\", \"$500\");\n Executor threadReceivingCallback = Runnable::run;\n MyConfirmationCallback callback = new MyConfirmationCallback();\n ConfirmationPrompt dialog = (new ConfirmationPrompt.Builder(getApplicationContext()))\n .setPromptText(\"${myDialogData.sender}, send ${myDialogData.amount} to ${myDialogData.receiver}?\")\n .setExtraData(myExtraData)\n .build();\n dialog.presentPrompt(threadReceivingCallback, callback);\n ```\n | **Note:** The confirmation prompt UI, which consists of a full-screen dialog, isn't customizable. However, the framework takes care of localizing button text for you.\n\nAdditional resources\n--------------------\n\nFor more information about Android Protected Confirmation, consult the following\nresources.\n\n### Blogs\n\n- [Android Protected Confirmation: Taking transaction security to the next\n level](https://android-developers.googleblog.com/2018/10/android-protected-confirmation.html)"]]