safetynet-spring

Secure implementation of SafetyNet Attestation flow in Spring 5


Secure implementation of SafetyNet Attestation API developed in Spring


This project aims to provide an implementation of the secure flow of Google's SafetyNet Attestation API.

What's a SafetyNet Attestation?

SafetyNet is a mechanism designed to check whether a mobile device has been tampered with. That means the device could be rooted, could be running a custom ROM, or could be infected with malware.

What's a secure flow anyway?

The secure flow is an implementation of SafetyNet Attestation in which the verification of the attestation result is performed on the server instead of on the mobile phone.

(Diagram: SafetyNet Attestation secure flow)

More on that topic: https://www.synopsys.com/blogs/software-security/using-safetynet-api/

Contents of this project

This project contains two endpoints: the first one hands out a nonce, and the second one verifies the JWT token obtained from Google services.

Nonce endpoint

GET /nonce?login=username&deviceId=uniqueDeviceId HTTP/1.1

To get a nonce, the application needs to send the user login and a unique device ID.

The service generates a unique nonce and stores it, together with the given login and device ID, in a temporary cache with a TTL.

Login endpoint

POST /login HTTP/1.1
Content-Type: application/json; charset=utf-8

{
  "login": "username",
  "password": "mySecretPassword",
  "jwt": "eyJhbGciOiJSU..."
}

This endpoint is responsible for the user login together with the verification of the JWT token.
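As an added example that is not part of this project's code, the following Kotlin sketches what sits behind the two endpoints: the nonce endpoint issues a random nonce bound to the login and device ID in a TTL cache, and the login endpoint consumes it once and checks the attestation payload against it. The class and function names, the 60-second TTL and the package name com.example.app are assumptions; the checks assume the JWS signature has already been verified against its x5c certificate chain (leaf issued to attest.android.com) before checkAttestation runs.

```kotlin
import java.security.MessageDigest
import java.security.SecureRandom
import java.util.Base64
import java.util.concurrent.ConcurrentHashMap

// Nonce bound to (login, deviceId) with an expiry, as the nonce endpoint stores it.
data class NonceEntry(val nonce: ByteArray, val expiresAt: Long)

class NonceService(private val ttlMillis: Long = 60_000L) {   // TTL is an assumed value
    private val random = SecureRandom()
    private val cache = ConcurrentHashMap<String, NonceEntry>()

    // GET /nonce: 32 random bytes cached under login|deviceId, handed out base64-encoded.
    fun issue(login: String, deviceId: String, now: Long = System.currentTimeMillis()): String {
        val nonce = ByteArray(32).also { random.nextBytes(it) }
        cache["$login|$deviceId"] = NonceEntry(nonce, now + ttlMillis)
        return Base64.getEncoder().encodeToString(nonce)
    }

    // Single use: the entry is removed on consume, and null is returned once it has expired.
    fun consume(login: String, deviceId: String, now: Long = System.currentTimeMillis()): ByteArray? {
        val entry = cache.remove("$login|$deviceId") ?: return null
        return if (now <= entry.expiresAt) entry.nonce else null
    }
}

// The attestation JWS payload fields used below (the real payload carries more).
data class AttestationPayload(val nonce: String, val timestampMs: Long, val apkPackageName: String?,
                              val ctsProfileMatch: Boolean, val basicIntegrity: Boolean)

// POST /login: run only after the JWS signature has been verified against its x5c chain,
// whose leaf certificate must be issued to attest.android.com. Returns the failed checks.
fun checkAttestation(payload: AttestationPayload, expectedNonce: ByteArray, expectedPackage: String,
                     now: Long = System.currentTimeMillis(), maxAgeMillis: Long = 60_000L): List<String> {
    val failures = mutableListOf<String>()
    // The payload nonce is base64 of the bytes the app passed to SafetyNet; compare in constant time.
    val presented = runCatching { Base64.getDecoder().decode(payload.nonce) }.getOrDefault(ByteArray(0))
    if (!MessageDigest.isEqual(presented, expectedNonce)) failures += "nonce does not match the issued one"
    if (payload.timestampMs > now || now - payload.timestampMs > maxAgeMillis) failures += "stale timestampMs"
    if (payload.apkPackageName != expectedPackage) failures += "unexpected apkPackageName"
    if (!payload.basicIntegrity) failures += "basicIntegrity is false"
    if (!payload.ctsProfileMatch) failures += "ctsProfileMatch is false"
    return failures
}

fun main() {   // constructed round trip: issue a nonce, consume it, check a matching payload
    val service = NonceService()
    val issued = service.issue("username", "uniqueDeviceId")
    val expected = service.consume("username", "uniqueDeviceId") ?: error("nonce missing or expired")
    val payload = AttestationPayload(issued, System.currentTimeMillis(), "com.example.app", true, true)
    println(checkAttestation(payload, expected, "com.example.app"))
}
```

Because consume removes the cache entry, a second login attempt replaying the same JWT finds no nonce and is rejected before any payload check runs.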

Running the tests

./gradlew clean test

Authors

License

This project is licensed under the Apache License 2.0. See the LICENSE file for details.