Replace SafetyNet recommendations with up-to-date information #686

Open
cpholguera opened this issue Jan 30, 2023 Discussed in #676 · 4 comments
Comments

@cpholguera
Collaborator

Discussed in #676

Originally posted by SirionRazzer December 21, 2022
Since SafetyNet is deprecated (https://developer.android.com/training/safetynet/deprecation-timeline), I would like to update the relevant sections with up-to-date alternatives. This field seems to be coined as the app and device attestation or integrity control. Each major platform comes with a default solution, and there are alternative 3rd party solutions. While the features and functionality differ, the ultimate goal is to ensure that:

  • Requests come from your genuine app
  • Requests come from a genuine, untampered device

Attestation helps minimize fraud both on the client and backend sides. Hence, this topic can be mapped to related ASVS requirements as this topic extends to the ASVS domain.

Parts for removal

Related MASVS 2.0 IDs

  • MASVS-RESILIENCE-1 - The app validates the integrity of the platform.
  • MASVS-RESILIENCE-2 - The app validates its integrity.

Upsides

  • Protection from risky and fraudulent interactions
  • Reduces attack surface
  • Integrity verdicts can suggest the possible attack
  • Enrollment protection

Downsides

  • It may be network dependent
  • May have a dependency on the integrity provider's web service, which may introduce some networking latency
  • May have usage quotas
  • Vendor-dependent platform support
  • Proprietary algorithms

Providers
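
Added example, not code from this issue or from the OWASP MASTG: a backend-side check that turns an integrity verdict into the two goals listed above (genuine app, untampered device) plus the replay and freshness checks a server needs regardless of provider. The verdict JSON is a constructed sample whose field names follow the layout of a decoded Play Integrity token; the decryption and signature verification that produce that JSON (for example Google's decodeIntegrityToken call) are assumed to have already been done by the caller, and the package name and certificate digest are placeholders.

```python
"""Backend-side check of an app/device integrity verdict (added example).

The verdict is a constructed sample whose field names follow the layout of a
decoded Play Integrity token; decryption and signature verification of the
token are assumed to have already happened before this code runs.
"""
import copy
import secrets

# Constructed values; a real deployment uses its own package name and the
# SHA-256 digest(s) of its release signing certificate.
EXPECTED_PACKAGE = "org.example.bank"
EXPECTED_CERT_DIGESTS = {"constructed-sha256-digest-of-release-cert"}

# Constructed sample verdict, not real API output.
SAMPLE_VERDICT = {
    "requestDetails": {
        "requestPackageName": EXPECTED_PACKAGE,
        "nonce": None,            # filled in per request by make_verdict()
        "timestampMillis": None,  # filled in per request by make_verdict()
    },
    "appIntegrity": {
        "appRecognitionVerdict": "PLAY_RECOGNIZED",
        "packageName": EXPECTED_PACKAGE,
        "certificateSha256Digest": sorted(EXPECTED_CERT_DIGESTS),
        "versionCode": "42",
    },
    "deviceIntegrity": {
        "deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY"],
    },
}


def make_verdict(nonce, timestamp_ms, device_labels=None):
    """Return a copy of SAMPLE_VERDICT bound to a nonce and timestamp."""
    v = copy.deepcopy(SAMPLE_VERDICT)
    v["requestDetails"]["nonce"] = nonce
    v["requestDetails"]["timestampMillis"] = timestamp_ms
    if device_labels is not None:
        v["deviceIntegrity"]["deviceRecognitionVerdict"] = list(device_labels)
    return v


class NonceStore:
    """Server-issued, single-use nonces, each bound to one protected request.

    The client includes the nonce in its integrity request, so the verdict the
    backend receives can only be spent on that one action, once.
    """

    def __init__(self, ttl_ms=120_000):
        self.ttl_ms = ttl_ms
        self._issued = {}  # nonce -> (issued_at_ms, request binding)

    def issue(self, request_binding, now_ms):
        nonce = secrets.token_urlsafe(24)
        self._issued[nonce] = (now_ms, request_binding)
        return nonce

    def consume(self, nonce, request_binding, now_ms):
        """Accept a nonce at most once, only for the request it was issued for."""
        entry = self._issued.pop(nonce, None)
        if entry is None:
            return False
        issued_at, binding = entry
        return binding == request_binding and 0 <= now_ms - issued_at <= self.ttl_ms


def evaluate_verdict(verdict, request_binding, nonce_store, now_ms, max_age_ms=60_000):
    """Return {'allowed': bool, 'reasons': [...]} for one protected request.

    Each failed signal is recorded separately so a denied request can be
    logged with the check that fired (unrecognised app vs. device that does
    not meet integrity, etc.), which is what lets verdicts hint at an attack.
    """
    reasons = []
    req = verdict.get("requestDetails", {})
    app = verdict.get("appIntegrity", {})
    dev = verdict.get("deviceIntegrity", {})

    # 1. Replay and binding: the nonce must be one we issued for this request.
    if not nonce_store.consume(req.get("nonce"), request_binding, now_ms):
        reasons.append("nonce missing, already used, expired or not bound to this request")

    # 2. Freshness of the verdict itself.
    ts = req.get("timestampMillis") or 0
    if not 0 <= now_ms - ts <= max_age_ms:
        reasons.append("verdict timestamp outside freshness window")

    # 3. Genuine app: package name, store recognition and signing certificate.
    if req.get("requestPackageName") != EXPECTED_PACKAGE or app.get("packageName") != EXPECTED_PACKAGE:
        reasons.append("package name mismatch")
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app not recognised by the store: " + str(app.get("appRecognitionVerdict")))
    if not EXPECTED_CERT_DIGESTS & set(app.get("certificateSha256Digest", [])):
        reasons.append("signing certificate digest not recognised")

    # 4. Genuine, untampered device.
    labels = set(dev.get("deviceRecognitionVerdict", []))
    if "MEETS_DEVICE_INTEGRITY" not in labels:
        reasons.append("device integrity not met: " + (", ".join(sorted(labels)) or "no verdict"))

    return {"allowed": not reasons, "reasons": reasons}
```

The nonce is issued by the server per sensitive action and consumed exactly once, which is what makes the verdict unusable for a replayed or different request even if an attacker captures it; the timestamp window covers the case where the provider's web service is slow or the client retries, and the separate reason strings are the material that a backend can log to tell a modified app from an unlocked device.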

@EdilsonGalvao

Mr. @cpholguera

I will update it as follows below:

  1. Explain the SafetyNet deprecation and guide the reader to use Google Play Integrity.
  2. Explain a few exceptions that Google can't capture (in the default flow) and how we can use them to our benefit.

@SirionRazzer

Please, go on! I'll help you to review it and then I'll add my points :)

  1. There is a migration guide somewhere
  2. This is interesting. Which exceptions do you mean?

@cpholguera
Collaborator Author

Hi @EdilsonGalvao, that should be done within the same PR associated with this ticket. We don't need an additional ticket. Thank you!
