
How to validate apkCertificateDigestSha256 in the parsed JWS response?

Open rajithareddy79 opened this issue 5 years ago • 4 comments

After parsing the JWS token, how do I validate the apkCertificateDigestSha256 value? I also have the keystore.jks file used to sign the APK of my app. So how do I use this to validate apkCertificateDigestSha256?

rajithareddy79 avatar Mar 26 '19 06:03 rajithareddy79

I don't know if you have found the answer for that. However, after reading a little bit more about the Attestation API, I think you can match this value with the value you get from your SHA256 certificate fingerprint.

You can get this value by doing:

keytool -list -v -keystore ~/.android/debug.keystore -alias androiddebugkey -storepass android -keypass android

(this will produce an output for you, containing the SHA256 fingerprint)

The tricky part here is that apkCertificateDigestSha256 is base64 encoded and its value is a hexadecimal one. So, here is an example in nodejs on how you can get its value:

Buffer.from(apkCertificateDigestSha256, 'base64').toString('hex')

Then you can match the values you have with the value you got from the API.

wmartins avatar Oct 15 '19 14:10 wmartins

@rajithareddy79 Did you manage to solve this issue?

Updated:

The correct answer was already given by @wmartins; still, I don't know why I could not figure it out at that time. I spent quite a long time verifying apkCertificateDigestSha256 at my server. I will mention what I did just in case someone else comes to this page and does not understand.

apkCertificateDigestSha256 is the Base64-encoded string of the SHA-256 fingerprint of the certificate which has been used to sign the build.

To verify programmatically:

1. Get the Certificate object from the your_keystore file
2. Compute the SHA-256 digest of the Certificate
3. computedHash = encode the SHA-256 digest byte[] with Base64

If computedHash and apkCertificateDigestSha256 match, it means the app was signed with your_keystore. Hence you prove the integrity of the APK (provided basicIntegrity and ctsProfileMatch are 'true').

Thanks

dipskp avatar Jun 25 '20 12:06 dipskp

Any update on this? I am facing the same issue. https://stackoverflow.com/q/68046717/4450098

sagarnayak avatar Jun 20 '21 01:06 sagarnayak

Check the code here as reference on how to do the validations: https://github.com/Gralls/SafetyNetSample/blob/master/Server/src/main/java/pl/patryk/springer/safetynet/Main.kt

I just found it while searching for the same thing, and all credit goes to the person that owns the repo.

shahmharsh avatar Aug 12 '21 05:08 shahmharsh