This page presents a checklist to ensure that you've completed each of the steps needed to integrate the SafetyNet Attestation API into your app.
Before submitting a quota increase request, make sure you've addressed each of the steps listed on this page.
Last updated in March 2019.
Your service uses other signals, in addition to the SafetyNet Attestation API, to detect abuse.
Your app creates and uses large nonces—16 bytes or longer—that are either generated on your server or, better yet, partly derived from the data you're sending to your server.
Your app handles transient errors by retrying the request with an increasing amount of time between retries (exponential backoff).
You're verifying the results of the API on a server that you control.
You've implemented a JWS signature validator in your own server, such as the one in the code samples that we offer.
At a minimum, your server verifies the timestamp, nonce, APK name, and APK signing certificate hash(es) included in the attestation response.
You aren't using the Android Device Verification API to validate response messages, as it is meant for test purposes only.
You're evaluating the difference between interpreting
basicIntegrity fields from the response.
You have a dynamic allowlist in place for certain devices or users so that you can choose to ignore unfavorable SafetyNet Attestation API results.
You can configure your app to function normally when the SafetyNet Attestation API experiences a large-scale outage.
You've signed up for the API's mailing list for clients, which is used to communicate important announcements about the service, such as upcoming changes and new features.
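The nonce and minimum-verification items above can be combined on the server as in the following added example, which is not one of the code samples the checklist refers to. It assumes the JWS signature has already been validated and the payload decoded into a dict; the function names, the nonce layout, and the `MAX_AGE_MS` window are illustrative choices, while the payload keys are the field names of the attestation response.

```python
import base64
import hashlib
import hmac
import os
import time

MAX_AGE_MS = 5 * 60 * 1000  # assumed freshness window; pick one that fits your service


def make_nonce(request_data, server_random=None):
    """16 server-generated random bytes followed by SHA-256 of the request data."""
    if server_random is None:
        server_random = os.urandom(16)
    return server_random + hashlib.sha256(request_data).digest()


def check_payload(payload, expected_nonce, package, cert_digests, now_ms=None):
    """Return the names of failed checks for an already signature-verified payload."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    problems = []

    # The nonce comes back base64-encoded; compare in constant time.
    try:
        nonce = base64.b64decode(payload.get("nonce", ""), validate=True)
    except (ValueError, TypeError):
        nonce = b""
    if not hmac.compare_digest(nonce, expected_nonce):
        problems.append("nonce")

    # Reject stale responses (replay) and timestamps far from the server clock.
    ts = payload.get("timestampMs")
    if not isinstance(ts, int) or abs(now_ms - ts) > MAX_AGE_MS:
        problems.append("timestamp")

    if payload.get("apkPackageName") != package:
        problems.append("apkPackageName")

    # Every reported signing-certificate digest must be one you released with.
    got = payload.get("apkCertificateDigestSha256") or []
    if not got or not all(d in cert_digests for d in got):
        problems.append("apkCertificateDigestSha256")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real attestation data.
    n = make_nonce(b'{"action":"transfer","amount":10}')
    sample = {"nonce": base64.b64encode(n).decode(), "timestampMs": int(time.time() * 1000),
              "apkPackageName": "com.example.app", "apkCertificateDigestSha256": ["ZGlnZXN0"]}
    print(check_payload(sample, n, "com.example.app", {"ZGlnZXN0"}))
```

Because the nonce embeds a hash of the request data, the server recomputes the expected nonce from the request it actually received, so an attestation obtained for one request fails the nonce check when attached to another.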