Match Android apk SHA256 with SafetyNet apkCertificateDigestSha256

0 votes

I am using SafetyNet to verify the integrity of the Android app.

This is what is happening:

  1. I generate a nonce value on the server and send it to the SafetyNet service to get the response.
  2. I get the response from the server. Now I want to verify the result on the server.

I get a base64 string. I decode it and get the response as below.

{
    "evaluationType": "BASIC",
    "ctsProfileMatch": false,
    "apkPackageName": "com.test.safetynetproject",
    "apkDigestSha256": "CbU9JzwRzQneYqnEXewB56ZzPm1DgQ4LGUK0eGlWmyM=",
    "nonce": "U2FnYXI=",
    "apkCertificateDigestSha256": [
        "AJRBzWCfJIY7QD2cp4sv9t0cCGMRGdxuID9VdPLV1H4="
    ],
    "timestampMs": 1624099377557,
    "basicIntegrity": false
}

Now I want to verify the apkCertificateDigestSha256. The SHA256 created on my system using cmd is:

C:\Program Files\Java\jdk-11.0.11\bin>keytool -list -v -alias androiddebugkey -keystore C:\Users\.android\debug.keystore
Enter keystore password:
Alias name: androiddebugkey
Creation date: May 25, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: C=US, O=Android, CN=Android Debug
Issuer: C=US, O=Android, CN=Android Debug
Serial number: 1
Valid from: Tue May 25 11:48:00 IST 2021 until: Thu May 18 11:48:00 IST 2051
Certificate fingerprints:
         SHA1: 43:16:E2:63:DB:2A:53:7C:7D:BB:E9:80:7B:05:1C:74:7C:84:66:A2
         SHA256: 00:94:41:CD:60:9F:24:86:3B:40:3D:9C:A7:8B:2F:F6:DD:1C:08:63:11:19:DC:6E:20:3F:55:74:F2:D5:D4:7E
Signature algorithm name: SHA1withRSA (weak)
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1

I can't seem to find a solution for this. Any input?
Jun 2 in Others by polo
• 1,500 points
30 views

1 answer to this question.

0 votes

Google deprecated the SafetyNet API and introduced the Play Integrity API for attestation. The Play Integrity service provides the response as follows.

{
"tokenPayloadExternal": {
    "accountDetails": {
        "appLicensingVerdict": "LICENSED"
    },
    "appIntegrity": {
        "appRecognitionVerdict": "PLAY_RECOGNIZED",
        "certificateSha256Digest": ["pnpa8e8eCArtvmaf49bJE1f5iG5-XLSU6w1U9ZvI96g"],
        "packageName": "com.test.android.safetynetsample",
        "versionCode": "4"
    },
    "deviceIntegrity": {
        "deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"]
    },
    "requestDetails": {
        "nonce": "SafetyNetSample1654058651834",
        "requestPackageName": "com.test.android.safetynetsample",
        "timestampMillis": "1654058657132"
    }
}}

The response contains only the certificateSha256Digest of the app (the SHA256 digest of the app certificates) instead of apkDigestSha256 and apkCertificateDigestSha256.

How do we validate the received certificateSha256Digest at the server?

Steps below:

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

// Load the DER-encoded signing certificate from disk (try-with-resources closes the stream)
public static Certificate getCertificate(String certificatePath) throws Exception {
  CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
  try (InputStream in = new FileInputStream(certificatePath)) {
    return certificateFactory.generateCertificate(in);
  }
}

Generate the checksum of the certificate

import java.security.MessageDigest;
import java.util.Base64;

Certificate x509Cert = getCertificate("<Path of file>/deployment_cert.der");
MessageDigest md = MessageDigest.getInstance("SHA-256");
byte[] x509Der = x509Cert.getEncoded();   // DER bytes, the same bytes keytool fingerprints
md.update(x509Der);
byte[] sha256 = md.digest();
// Play Integrity returns certificateSha256Digest as base64url without padding (see the "-" and
// the missing "=" in the sample above), so encode the same way or the strings never match
String checksum = Base64.getUrlEncoder().withoutPadding().encodeToString(sha256);

Then compare the checksum with the received certificateSha256Digest

import java.util.List;

// certificateSha256Digest is a list (one entry per signing certificate), so look for an exact match
List<String> digests = jwsResponse.tokenPayloadExternal.appIntegrity.certificateSha256Digest;
if (digests.contains(checksum)) {
  // the app was signed with the certificate we expect
}
answered Jun 6 by nisha
• 2,160 points
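The step that neither post spells out is the encoding: the keytool SHA256 fingerprint in the question and the apkCertificateDigestSha256 in the SafetyNet payload are the same 32 bytes, one written as colon-separated hex and the other as standard base64 with padding, while Play Integrity's certificateSha256Digest (the answer above) writes those bytes as base64url without padding. The following is an added example, not code from either post; it takes the fingerprint and digest values that appear in the question, converts the fingerprint into both encodings, and compares attested digests to expected fingerprints on the raw bytes so that the encoding of either side no longer matters. The hmac.compare_digest choice and the Play Integrity digest used as a negative case are this example's own assumptions.

```python
import base64
import binascii
import hmac

# Values copied from the question: keytool's SHA256 certificate fingerprint and the
# apkCertificateDigestSha256 entry from the decoded SafetyNet payload.
KEYTOOL_SHA256 = ("00:94:41:CD:60:9F:24:86:3B:40:3D:9C:A7:8B:2F:F6:"
                  "DD:1C:08:63:11:19:DC:6E:20:3F:55:74:F2:D5:D4:7E")
SAFETYNET_DIGEST = "AJRBzWCfJIY7QD2cp4sv9t0cCGMRGdxuID9VdPLV1H4="


def fingerprint_to_bytes(fingerprint: str) -> bytes:
    """Turn keytool's colon-separated hex fingerprint into the raw 32-byte digest."""
    raw = binascii.unhexlify(fingerprint.replace(":", ""))
    if len(raw) != 32:
        raise ValueError("expected a SHA-256 fingerprint (32 bytes), got %d" % len(raw))
    return raw


def safetynet_digest(fingerprint: str) -> str:
    """SafetyNet encodes the certificate digest as standard base64 with padding."""
    return base64.b64encode(fingerprint_to_bytes(fingerprint)).decode("ascii")


def play_integrity_digest(fingerprint: str) -> str:
    """Play Integrity's certificateSha256Digest uses base64url without padding."""
    raw = fingerprint_to_bytes(fingerprint)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_digest(value: str) -> bytes:
    """Decode either encoding back to raw bytes: normalise the alphabet, then re-pad."""
    std = value.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)


def certificate_matches(attested_digests, expected_fingerprints) -> bool:
    """True if every attested signing-certificate digest is one we expect.

    Comparison is on raw bytes so the encoding of either side does not matter, and
    uses hmac.compare_digest so the comparison time does not depend on the content
    (an assumption of this example, not something either post requires).
    """
    expected = {fingerprint_to_bytes(f) for f in expected_fingerprints}
    attested = [decode_digest(d) for d in attested_digests]
    if not attested:
        return False  # an attestation naming no certificate is not a match
    return all(any(hmac.compare_digest(a, e) for e in expected) for a in attested)


if __name__ == "__main__":
    print(safetynet_digest(KEYTOOL_SHA256))       # the SafetyNet form of the fingerprint
    print(play_integrity_digest(KEYTOOL_SHA256))  # the Play Integrity form of the same bytes
    print(certificate_matches([SAFETYNET_DIGEST], [KEYTOOL_SHA256]))
```

For the values in the question the two strings agree byte for byte, which is the confirmation the asker was looking for. A matching certificate digest only says which key signed the APK; the nonce, timestamp and the integrity verdicts in the same payload still have to be checked on the server before the attestation is trusted.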
