I'm using the SafetyNet API for checking if the device is rooted or not, using the helpful code below, but this uses the Android Device Verification API to validate the JWT signature: https://github.com/scottyab/safetynethelper

I want to validate on the client side only, to reduce the overhead of another web service call, and besides it has a limitation of only 10k requests per day. So after decoding the JWS I'm getting the info below.

Sample JWS message response: xxxx.yyy.zzzz

Header data:

```json
{"alg":"RS256","x5c":["",""]}
```

Payload data:

```json
{"nonce":"", "timestampMs":1472794339527, "apkPackageName":"", "apkDigestSha256":"", "ctsProfileMatch":true, "extension":"", "apkCertificateDigestSha256":[""],"basicIntegrity":true}
```

Signature: if I perform Base64 decoding on this part it becomes unreadable, so below is the signature string as received in the last element of the JWS:

Gw09rv1aBbtd4Er7F5ww_3TT1mPRD5YouMkPkwnRXJq8XW_cxlO4428DHTJdD8Tbep-Iv3nrVRWt2t4pH1uSr2kJ9budQJuXqzOUhN93r2Hfk-UAKUYQYhp89_wOWjSCG4ySVHD4jc9S1HrZlngaUosocOmhN4SzLZN5o8BXyBdXkjhWwgArd4bcLhCWJzmxz5iZfkhDiAyeNRq09CeqjRx_plqAy8eR_OaI_2idZBNIGfd2KmLK_CKaeVjDxuC4BzJsIlVRiuLrvP362Wwhz4r1bHh8flmHr88nK99apP2jkQD2l7lPv8y5F3FN3DKhJ15CzHR6ZbiTOw1fUteifg

Now as per Google: "Verify the compatibility check response: Extract the SSL certificate chain from the JWS message. Validate the SSL certificate chain and use SSL hostname matching to verify that the leaf certificate was issued to the hostname attest.android.com. Use the certificate to verify the signature of the JWS message."

I do have the cert string and the signature. How should I go about validating the SSL certificate, which is a string, and host name matching on the second cert, and how do I validate the signature? I need pointers on this, and a code snippet would be very helpful.

1 Answer

0 votes
The way you want to validate the JWT signature on the device is not secure. Think about the next case: the device is rooted, and a malware application with root privileges catches your request to Google's SafetyNet and returns a self-signed response. When you verify the response with your own server service, you will find that the response you've got wasn't provided by Google. If you do this locally on the device, the same malware app could catch your request to verify the JWT signature and respond with true.

Anyway, you can do this locally: you need to get an API key from Google developers for your application. Use the Android Device Verification API. From Android Developers:

Note: The API method to verify response messages has a fixed rate limit of 10,000 requests per day, per project. You should use the verify() method only for testing during the initial development stage. You shouldn't call the method in a production scenario.

[...]

To use the Android Device Verification API:

1. Create a JSON message containing the entire contents of the JWS message in the following format: { "signedAttestation": " getJwsResult()>" }
2. Use an HTTP POST request to send the message with a Content-Type of "application/json" to the following URL: https://www.googleapis.com/androidcheck/v1/attestations/verify?key=
3. The service validates the integrity of the message, and if the message is valid, it returns a JSON message with the following contents: { "isValidSignature": true }

So actually (code from SafetyNet Helper):

```java
import android.os.AsyncTask;
import android.support.annotation.NonNull;
import android.util.Log;

import org.json.JSONObject;

import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/**
 * Validates the result with the Android Device Verification API.
 *
 * Note: This only validates that the provided JWS (JSON Web Signature) message was received from the actual SafetyNet service.
 * It does *not* verify that the payload data matches your original compatibility check request.
 *
 * POST to https://www.googleapis.com/androidcheck/v1/attestations/verify?key=
 *
 * More info: https://developer.android.com/google/play/safetynet/start.html#verify-compat-check
 *
 * Created by scottab on 27/05/2015.
 */
public class AndroidDeviceVerifier {

    private static final String TAG = AndroidDeviceVerifier.class.getSimpleName();

    // used to verify the SafetyNet response - 10,000 requests/day free
    private static final String GOOGLE_VERIFICATION_URL = "https://www.googleapis.com/androidcheck/v1/attestations/verify?key=";

    private final String apiKey;
    private final String signatureToVerify;
    private AndroidDeviceVerifierCallback callback;

    public interface AndroidDeviceVerifierCallback {
        void error(String s);
        void success(boolean isValidSignature);
    }

    public AndroidDeviceVerifier(@NonNull String apiKey, @NonNull String signatureToVerify) {
        this.apiKey = apiKey;
        this.signatureToVerify = signatureToVerify;
    }

    public void verify(AndroidDeviceVerifierCallback androidDeviceVerifierCallback) {
        callback = androidDeviceVerifierCallback;
        AndroidDeviceVerifierTask task = new AndroidDeviceVerifierTask();
        task.execute();
    }

    /**
     * Provide the trust managers for the URL connection. By default this uses the system defaults plus the
     * GoogleApisTrustManager (SSL pinning).
     *
     * @return array of TrustManager including system defaults plus the GoogleApisTrustManager (SSL pinning)
     * @throws KeyStoreException
     * @throws NoSuchAlgorithmException
     */
    protected TrustManager[] getTrustManagers() throws KeyStoreException, NoSuchAlgorithmException {
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // init with the default system trust managers
        trustManagerFactory.init((KeyStore) null);
        TrustManager[] defaultTrustManagers = trustManagerFactory.getTrustManagers();
        TrustManager[] trustManagers = Arrays.copyOf(defaultTrustManagers, defaultTrustManagers.length + 1);
        // add our Google APIs pinning TrustManager for extra security
        trustManagers[defaultTrustManagers.length] = new GoogleApisTrustManager();
        return trustManagers;
    }

    private class AndroidDeviceVerifierTask extends AsyncTask<Void, Void, Boolean> {

        private Exception error;

        @Override
        protected Boolean doInBackground(Void... params) {
            // Log.d(TAG, "signatureToVerify:" + signatureToVerify);
            try {
                URL verifyApiUrl = new URL(GOOGLE_VERIFICATION_URL + apiKey);
                SSLContext sslContext = SSLContext.getInstance("TLS");
                sslContext.init(null, getTrustManagers(), null);
                HttpsURLConnection urlConnection = (HttpsURLConnection) verifyApiUrl.openConnection();
                urlConnection.setSSLSocketFactory(sslContext.getSocketFactory());
                urlConnection.setRequestMethod("POST");
                urlConnection.setRequestProperty("Content-Type", "application/json");

                // build post body { "signedAttestation": "" }
                String requestJsonBody = "{ \"signedAttestation\": \"" + signatureToVerify + "\"}";
                byte[] outputInBytes = requestJsonBody.getBytes("UTF-8");
                OutputStream os = urlConnection.getOutputStream();
                os.write(outputInBytes);
                os.close();
                urlConnection.connect();

                // resp = { "isValidSignature": true }
                InputStream is = urlConnection.getInputStream();
                StringBuilder sb = new StringBuilder();
                BufferedReader rd = new BufferedReader(new InputStreamReader(is));
                String line;
                while ((line = rd.readLine()) != null) {
                    sb.append(line);
                }
                String response = sb.toString();
                JSONObject responseRoot = new JSONObject(response);
                if (responseRoot.has("isValidSignature")) {
                    return responseRoot.getBoolean("isValidSignature");
                }
            } catch (Exception e) {
                // something went wrong requesting validation of the JWS message
                error = e;
                Log.e(TAG, "problem validating JWS Message :" + e.getMessage(), e);
                return false;
            }
            return false;
        }

        @Override
        protected void onPostExecute(Boolean aBoolean) {
            if (error != null) {
                callback.error(error.getMessage());
            } else {
                callback.success(aBoolean);
            }
        }
    }
}
```
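As an added example (not code from the question, the answer or the SafetyNet Helper project), this is the local three-step check that the Google text quoted in the question describes: extract the x5c chain, validate it against the platform trust store and match the leaf to attest.android.com, then verify the RS256 signature over the header.payload signing input. It assumes org.json (bundled on Android) and java.util.Base64 (Android API 26+); the class and method names are my own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;
import org.json.*;

public final class SafetyNetJwsVerifier {
    private static final String EXPECTED_HOST = "attest.android.com";

    // Returns the decoded payload if all three checks pass; throws otherwise.
    public static JSONObject verify(String jws) throws Exception {
        String[] parts = jws.split("\\.");
        if (parts.length != 3) throw new IllegalArgumentException("JWS must be header.payload.signature");
        Base64.Decoder urlB64 = Base64.getUrlDecoder();           // JWS parts are base64url without padding
        JSONObject header = new JSONObject(new String(urlB64.decode(parts[0]), StandardCharsets.UTF_8));
        if (!"RS256".equals(header.getString("alg"))) throw new SecurityException("unexpected alg");
        // 1. Extract the chain from x5c: leaf first, each entry standard-Base64 DER (RFC 7515 section 4.1.6).
        JSONArray x5c = header.getJSONArray("x5c");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate[] chain = new X509Certificate[x5c.length()];
        for (int i = 0; i < chain.length; i++) {
            byte[] der = Base64.getDecoder().decode(x5c.getString(i));
            chain[i] = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
        }
        // 2a. Validate the chain against the platform trust store (PKIX path, validity dates, trusted root).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) ((X509TrustManager) tm).checkServerTrusted(chain, "RSA");
        }
        // 2b. Hostname matching: the leaf must carry attest.android.com as a dNSName SAN (GeneralName type 2).
        boolean hostMatches = false;
        Collection<List<?>> sans = chain[0].getSubjectAlternativeNames();
        if (sans != null) for (List<?> san : sans) {
            if (Integer.valueOf(2).equals(san.get(0)) && EXPECTED_HOST.equalsIgnoreCase(String.valueOf(san.get(1)))) hostMatches = true;
        }
        if (!hostMatches) throw new SecurityException("leaf certificate not issued to " + EXPECTED_HOST);
        // 3. Verify the RS256 signature with the leaf's public key over the ASCII signing input "header.payload".
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(chain[0].getPublicKey());
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(urlB64.decode(parts[2]))) throw new SecurityException("JWS signature does not verify");
        return new JSONObject(new String(urlB64.decode(parts[1]), StandardCharsets.UTF_8));
    }
}
```

Passing these checks proves only that the JWS came from Google; the caller must still compare nonce, apkPackageName and apkCertificateDigestSha256 in the returned payload with what the app requested, and as the answer notes, a rooted device can tamper with any check that runs on the device itself.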
