Menu
I am using this library :
https://github.com/scottyab/safetynethelper
I have read the documentation on Android Deveoloper site and in the repository.
Everything works fine ,but something is not clear to me.
It is indicated that it is more secure to obtain the nonce from the server rather then creating it on the app it self.and why is it better to Pass the response from SafetyNet API to the server
529
Most commonly the SafetyNet Attestation API is used to decide whether you trust the device and app that is communicating with your server.
As such, you don't really want to be checking the JWS response within your Android app, otherwise an attacker could simply modify your app to remove any verification logic you have put in place. This is why it is better to pass the response to the server, and make any decisions there (you trust your server).
On your server you can verify the response and, if everything looks good, allow whatever action you are trying to protect - maybe permitting a sign-in, or the download of certain data.
Why is a nonce supplied from your server more secure? A nonce that is generated in your app (ie. essentially random and unknown to you) can be changed freely by an attacker. It is better if you control the nonce! This way when you are verifying the JWS response on your server you can check the nonce is correct.
A good approach for generating a nonce on your server may be to hash a session ID, or a combination of the user ID and timestamp.
74
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
