Android and SafetyNet to ensure calls made to the API are from my app only

0 votes
Latest question by user: (140 points)

My Android app makes some REST calls to my backend. I want my app, and only my app, to be authorized to call the endpoints.

I intend to use Google's SafetyNet to achieve this.

1) My app asks my server for a random nonce
2) My app asks for an .attest()
3) My app receives the JWT
4) My app calls one of my endpoints, providing the JWT
5) My server calls Google's server to verify the JWT is correct
6) If yes, the call is processed; otherwise it is rejected.

My question is: is there a rate limit on .attest()? My app will be making several POST requests every 2 or 3 seconds.

Is the above logic going to work at this scale? Is there any other way I can assure that the data posted to my endpoint is coming from my app and only my app?


0 votes
Latest answer by user: (140 points)

Yes, you will be throttled if you call attest() that frequently. Rate-limiting aside, you would not want to call it as often as every few seconds as you may begin to notice an adverse performance impact (the API call is computationally expensive, and not fast).

The logic you describe is good, but I'd recommend thinking carefully about what specific endpoint actions you need to protect. Typically it is appropriate to use SafetyNet Attestation alongside specific high value actions such as a login or payment transaction, for example. Doing so for every POST request you make may have little incremental benefit.

Depending on your use-case, the documentation makes an additional suggestion about how the API result should be used:

Ideally, you should use the SafetyNet Attestation API as an additional in-depth defense signal as part of an anti-abuse system, rather than the sole anti-abuse signal for your app.

Posted by user: (140 points)
This is what I thought, yes. The 'issue' with my use case is that my API has only 1 endpoint (POST) and the data posted by all my users will be shared on a common map. So without something like SafetyNet it is trivially easy for someone to start posting fake data. I guess my other alternative is to not call that POST endpoint every second but every minute or so, and on the Android side I just aggregate the data and send it in bulk.
Posted by user: (140 points)
@Johny19 Is there a sign-in step required before your app will start posting data for the map? Even if not, you could maybe issue a token in response to an initial 'start' request (the first time the app is opened, which is protected with SafetyNet Attestation) which you'd hold in memory and include in subsequent data posts. I'd caution you that SafetyNet Attestation alone isn't a magical anti-abuse API, and so this alone may not solve all the problems you are envisaging.
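
The flow suggested in the comment above (attest once at a 'start' request, then send a server-issued token with each data post), shown server-side in Python as an added example that is not part of the original thread. It assumes the attestation JWS signature and certificate chain were already verified upstream and only its claims are passed in; `EXPECTED_PACKAGE`, the TTL values and all function names are hypothetical.

```python
import base64, hashlib, hmac, os, time

SECRET = os.urandom(32)                  # server-side key for session tokens
NONCE_TTL, TOKEN_TTL = 120, 900          # seconds; constructed values
EXPECTED_PACKAGE = "com.example.mapapp"  # hypothetical package name
_pending = {}                            # nonce bytes -> expiry time

def issue_nonce(now=None):
    """Step 1 of the question's flow: hand the app a random, short-lived nonce."""
    now = time.time() if now is None else now
    nonce = os.urandom(24)
    _pending[nonce] = now + NONCE_TTL
    return nonce

def _sign(session_id, exp):
    body = f"{session_id}.{exp}"
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"

def start_session(claims, now=None):
    """claims: payload of an attestation JWS already verified upstream (assumption).
    Returns a session token, or None if the attestation is not acceptable."""
    now = time.time() if now is None else now
    try:
        nonce = base64.b64decode(claims.get("nonce", ""), validate=True)
    except (ValueError, TypeError):
        return None
    expiry = _pending.pop(nonce, None)   # single use: a replayed nonce is gone
    if expiry is None or now > expiry:
        return None
    if claims.get("apkPackageName") != EXPECTED_PACKAGE:
        return None
    if not (claims.get("basicIntegrity") and claims.get("ctsProfileMatch")):
        return None
    return _sign(os.urandom(8).hex(), int(now) + TOKEN_TTL)

def check_token(token, now=None):
    """Run on every data POST instead of a fresh attest() call."""
    now = time.time() if now is None else now
    try:
        session_id, exp, mac = token.split(".")
        exp = int(exp)
    except (AttributeError, ValueError):
        return False
    expected = _sign(session_id, exp).rsplit(".", 1)[1]
    return hmac.compare_digest(mac.encode(), expected.encode()) and now <= exp
```

The token only shows that the session began with an acceptable attestation; the posted data still needs its own server-side validation and rate limiting.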