Platform Android Studio Google Play Android Jetpack Docs News
Save the date! Android Dev Summit is coming to Sunnyvale, CA on Oct 23-24, 2019.

Checklist for a SafetyNet Attestation API integration

This page presents a checklist to ensure that you've completed each of the steps needed to integrate the SafetyNet Attestation API into your app.

Before submitting a quota increase request, make sure you've addressed each of the steps listed on this page.

Checklist items

Last updated in March 2019.

  • Your service uses other signals, in addition to the SafetyNet Attestation API, to detect abuse.

  • You've applied for an API key, requested quota for your project, and used the correct associated API key(s) in your app.

  • Your app uses the SafetyNetClient, and not the deprecated SafetyNetApi.

  • Your app verifies that the latest version of Google Play services is installed.

  • Your app creates and uses large nonces—16 bytes or longer—that are either generated on your server or better yet, a part of your nonce is derived from the data you're sending to your server.

  • Your app handles transient errors by retrying the request with an increasing amount of time between retries (exponential backoff).

  • You're verifying the results of the API on a server that you control.

  • You've implemented a JWS signature validator in your own server, such as the one in the code samples that we offer.

  • At a minimum, your server verifies the timestamp, nonce, APK name, and APK signing certificate hash(es) included in the attestation response.

  • You aren't using the Android Device Verification API to validate response messages, as it is meant for test purposes only.

  • You have a system in place to monitor your quota usage, informing you when it's close to being exceeded. That way, you can request a quota increase based on demand.

  • You're evaluating the difference between interpreting ctsProfileMatch and basicIntegrity fields from the response.

  • You have a dynamic whitelist in place for certain devices or users so that you can choose to ignore unfavorable SafetyNet Attestation API results.

  • You can configure your app to function normally when the SafetyNet Attestation API experiences a large-scale outage.

  • You've signed up for the API's mailing list for clients, which is used to communicate important announcements about the service, such as upcoming changes and new features.