Checklist for a SafetyNet Attestation API integration

This page presents a checklist to ensure that you've completed each of the steps needed to integrate the SafetyNet Attestation API into your app.

Before submitting a quota increase request, make sure you've addressed each of the steps listed on this page.

Checklist Version: June 2018

App name: __________________________________________ Version: _________________________
Checked by: _________________________________________ Date: ____________________________

Checklist Questions
1. Did you apply for an API key, and is the key used in your app?
2. Does the app use SafetyNetClient, instead of the deprecated SafetyNetApi?
3. Does the app verify that the latest version of Google Play services is installed?
4. Are you creating and using large (16 bytes or longer) random nonces on your server with a cryptographically secure random generator?
5. Are you verifying the results of the API on a server that you control?
6. Did you implement a JWS signature validator in your own server, such as the one in the code samples we offer?
7. Did you make sure you are not using the Android Device Verification API to validate response messages, as it is meant for test purposes only?
8. Does your server verify the nonce, timestamp, APK name, and APK signing certificate hash included in the attestation response?
9. Do you understand the difference between ctsProfileMatch and basicIntegrity?
10. Does your server use other signals in addition to SafetyNet to detect abuse?
11. Does your app work even if SafetyNet doesn't work because of connection, quota, or other transient errors?
12. Does your app handle transient errors by retrying the request with an increasing amount of time between retries (exponential backoff)?
13. Do you have a system in place that monitors your quota usage and lets you know if you are close to exceeding it?
14. Do you know the process of getting a quota increase?
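Items 4 through 9 describe the server-side part of the integration. The following Python example is added here and is not Google's sample code; it shows server-side nonce generation with a CSPRNG and validation of the attestation payload claims (nonce, timestamp, APK package name, signing certificate hash), assuming the JWS signature and certificate chain have already been verified by a separate validator. The package name, certificate digest and five-minute freshness window are placeholder assumptions.

```python
import base64
import json
import secrets

# Assumed values for this example: your app's package name and the base64
# SHA-256 digest of its signing certificate (placeholders, not real values).
EXPECTED_PACKAGE = "com.example.app"
EXPECTED_CERT_DIGESTS = {"PLACEHOLDER_BASE64_SHA256_OF_SIGNING_CERT="}
MAX_AGE_MS = 5 * 60 * 1000  # assumed policy: reject attestations older than 5 minutes


def new_nonce(issued: dict) -> str:
    """Create a 16-byte nonce with a CSPRNG and record it as unused (item 4)."""
    nonce = base64.b64encode(secrets.token_bytes(16)).decode()
    issued[nonce] = True
    return nonce


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_attestation(jws: str, issued: dict, now_ms: int):
    """Validate the payload claims of a SafetyNet JWS (item 8).
    Assumes the signature and x5c chain were verified beforehand (item 6)."""
    parts = jws.split(".")
    if len(parts) != 3:
        return False, "malformed JWS"
    payload = json.loads(_b64url_decode(parts[1]))
    if not issued.pop(payload.get("nonce"), False):  # single use: unknown or replayed
        return False, "nonce unknown or already used"
    age = now_ms - int(payload.get("timestampMs", 0))
    if age < 0 or age > MAX_AGE_MS:
        return False, "timestamp outside accepted window"
    if payload.get("apkPackageName") != EXPECTED_PACKAGE:
        return False, "package name mismatch"
    if not set(payload.get("apkCertificateDigestSha256", [])) & EXPECTED_CERT_DIGESTS:
        return False, "signing certificate mismatch"
    # ctsProfileMatch is the stricter signal; basicIntegrity alone can still pass
    # on unlocked or uncertified devices (item 9). Combine with other signals (item 10).
    return True, {"ctsProfileMatch": payload.get("ctsProfileMatch", False),
                  "basicIntegrity": payload.get("basicIntegrity", False)}


def make_sample_jws(nonce: str, ts_ms: int) -> str:
    """Constructed sample JWS (dummy header and signature) for offline testing only."""
    header = base64.urlsafe_b64encode(b'{"alg":"RS256"}').rstrip(b"=").decode()
    claims = {"nonce": nonce, "timestampMs": ts_ms, "apkPackageName": EXPECTED_PACKAGE,
              "apkCertificateDigestSha256": sorted(EXPECTED_CERT_DIGESTS),
              "ctsProfileMatch": True, "basicIntegrity": True}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return f"{header}.{body}.dummysig"
```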