line-fido2-server

FIX Timeout for ANDROID_SAFETYNET_ATTESTATION

Open nic opened this issue 1 year ago • 1 comment

What is this PR for?

This pull request is intended to fix a critical issue in the timestamp validation logic used in the SafetyNet attestation process for Android devices. The adjustment ensures the validity period check is accurate and compliant with security standards.

Overview or reasons

The existing code used to validate the timestamp in SafetyNet attestation had an error in the multiplication factor, resulting in a shorter threshold than intended. Specifically, the condition mistakenly used 60 * 100 milliseconds (6 seconds), whereas it should be 60 * 1000 milliseconds (60 seconds or 1 minute). This discrepancy could lead to premature rejection of valid attestations.

Tasks

Code Correction: Modified the multiplier in the timestamp validation from 100 to 1000, correcting the threshold from 6000 milliseconds to 60000 milliseconds.

Result

The correction to the timestamp validation logic now ensures that the threshold is set correctly at 60000 milliseconds (1 minute). This fix aligns the implementation with the intended security specifications and prevents the erroneous rejection of valid SafetyNet attestations.

nic, May 13 '24 14:05
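As an added illustration of the threshold difference the PR describes (example code written here, not code from line-fido2-server), assuming the validation has the shape "server time minus the attestation's timestampMs must not exceed the window"; the isFresh helper, its rejection of future timestamps and the sample delays are assumptions made for this example:

```java
import java.time.Duration;

public final class SafetyNetTimestampCheck {

    // Threshold before the fix, as described in the PR: 60 * 100 ms = 6 s.
    static final long BUGGY_WINDOW_MS = 60 * 100;
    // Threshold after the fix: 60 * 1000 ms = 60 s (1 minute).
    static final long FIXED_WINDOW_MS = 60 * 1000;

    /**
     * Assumed shape of the validation: the SafetyNet JWS payload's timestampMs
     * must be no older than windowMs relative to the server clock. Timestamps
     * from the future are rejected as well (an assumption, not the project's rule).
     */
    static boolean isFresh(long timestampMs, long nowMs, long windowMs) {
        long ageMs = nowMs - timestampMs;
        return ageMs >= 0 && ageMs <= windowMs;
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();
        // Constructed sample delays (seconds) between the device's SafetyNet call
        // and the attestation reaching the relying party; -5 models clock skew.
        long[] delaysSeconds = {0, 5, 7, 30, 59, 61, -5};
        System.out.println("delay(s)  buggy(6s)  fixed(60s)");
        for (long delay : delaysSeconds) {
            long timestampMs = now - Duration.ofSeconds(delay).toMillis();
            System.out.printf("%7d  %9b  %10b%n",
                    delay,
                    isFresh(timestampMs, now, BUGGY_WINDOW_MS),
                    isFresh(timestampMs, now, FIXED_WINDOW_MS));
        }
    }
}
```

With the 6-second window, any attestation that takes more than a few seconds to travel from the device to the relying party is rejected, which is the premature rejection the PR refers to; the 60-second window accepts the same attestations while still bounding replay of old SafetyNet responses.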

CLA assistant check
All committers have signed the CLA.

CLAassistant, May 13 '24 14:05

@nic Thank you very much for your help. However, there is a conflict, so please check this part.

kj84park, Nov 01 '24 02:11

@kj84park solved!

nic, Nov 01 '24 13:11