cordova-plugin-root-safety

v0.0.3

Published

A plugin to check if the Android device is rooted or not using Google SafetyNet API. It provides both offline and online verification methods.

Downloads

9

Readme

Cordova RootSafety plugin for root detection and certificate verification using Google SafetyNet API

This is a Cordova plugin that assesses an Android device using the SafetyNet APIs. It won't work on iOS devices, as the SafetyNet APIs are not available for iOS. You can read more about SafetyNet here

Android developers can also use code snippets from this plugin in their project.

Features

  • Google Play Service availability check
  • Attestation
  • Offline verification of the SafetyNet attestation response
  • Online verification of the SafetyNet attestation response
  • Decryption of payload from attestation signature
  • List harmful apps
  • Check/enable app verification service state

Getting Started

To use this plugin you need an API key for SafetyNet attestation. You can use these steps to generate the API key.

Install

cordova plugin add cordova-plugin-root-safety --save

Check the Google Play services

Google Play services is required for SafetyNet APIs to work.

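declare var rootSafety: any;

// SafetyNet calls depend on Google Play services, so check availability first.
rootSafety.checkGooglePlayServicesAvailability((state) => {
	if (state === "success") {
		// Google Play services is available; continue with the other calls
	}
}, (error) => {
	// The availability check failed; log it instead of ignoring it
	console.error(error);
});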

Attestation

You need a nonce and an API key to call the SafetyNet Attestation API. The resulting attestation contains this nonce, allowing you to determine that the attestation belongs to your API call and isn't replayed by an attacker. The attest API returns a JWS token, which is just three base64-encoded parts joined by a . (dot) character.

rootSafety.attest(nonce, apikey, successCallback, errorCallback)

Offline Verification

You can use this service to verify that the SafetyNet attestation response actually came from the SafetyNet service and includes data matching your request. It verifies the hostname of the attestation response.

rootSafety.offlineVerification(jwsResponse, successCallback, errorCallback)

This service returns a JSON object whose status parameter has the value success if it successfully verifies the attestation signature certificate.

Online Verification

You can verify the attestation signature by sending the entire JWS response to your own server, over a secure connection, for verification. It's not recommended that you perform the verification directly in your app.

This plugin also includes a service for verifying the JWS response, which sends the JWS token in a POST request to the following API: https://www.googleapis.com/androidcheck/v1/attestations/verify?key=ATTESTATION_API_KEY

rootSafety.onlineVerification(apiKey, jwsResponse, successCallback, errorCallback)

The above API returns a JSON object whose isValidSignature parameter has the value true if it successfully validates the signature.

Decryption of payload from attestation signature

It extracts the payload JSON string from the attestation signature.

rootSafety.extractPayload(jwsResponse, successCallback, errorCallback)

The payload response JSON contains the following parameters:

{
	"timestampMs": 9860437986543,
	"nonce": "R2Rra24fVm5xa2Mg",
	"apkPackageName": "com.package.name.of.requesting.app",
	"apkCertificateDigestSha256": ["base64 encoded, SHA-256 hash of the certificate used to sign requesting app"],
	"ctsProfileMatch": true,
	"basicIntegrity": true
}

  • nonce - nonce sent as part of the request.
  • timestampMs - timestamp of the request.
  • apkPackageName - package name of the APK that submitted this request.
  • apkCertificateDigestSha256 - base-64 encoded representation of the SHA-256 hash of the calling app's signing certificate.
  • ctsProfileMatch - if the value of ctsProfileMatch is true, then the profile of the device running your app matches the profile of a device that has passed Android compatibility testing.
  • basicIntegrity - true if the device has passed a basic integrity test, but the CTS profile could not be verified. A more lenient verdict of device integrity. If only the value of basicIntegrity is true, then the device running your app likely wasn't tampered with.
  • advice - advice parameter provides information to help explain why the SafetyNet Attestation API set either ctsProfileMatch or basicIntegrity to false in a particular result.
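
The checks a server can run on the decoded payload once the JWS signature has been verified, tying the nonce from the Attestation section to the payload fields listed above. This is an added example, not code from the plugin or its README. The function names, the shape of the expected object and all sample values are assumptions constructed for illustration, and signature verification is assumed to have been done separately.

```javascript
// Added example (not the plugin's code). Run this on your server only AFTER the
// JWS signature and certificate chain have been verified; it checks claims only.

// Decode one base64url-encoded JWS segment into a JSON object.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Split the compact JWS (header.payload.signature) and return the payload.
function decodeJwsPayload(jws) {
  const parts = String(jws).split('.');
  if (parts.length !== 3 || parts.some((p) => p.length === 0)) {
    throw new Error('malformed JWS: expected three dot-separated parts');
  }
  return decodeSegment(parts[1]);
}

// Return a list of problems; an empty list means the claims are acceptable.
// `expected` is a hypothetical object holding what the server issued or knows.
function checkPayload(payload, expected, nowMs = Date.now()) {
  const problems = [];
  if (payload.nonce !== expected.nonce) problems.push('nonce mismatch');
  if (payload.apkPackageName !== expected.packageName) problems.push('package mismatch');
  const digests = Array.isArray(payload.apkCertificateDigestSha256)
    ? payload.apkCertificateDigestSha256 : [];
  if (!digests.includes(expected.certDigest)) problems.push('certificate mismatch');
  const ageMs = nowMs - payload.timestampMs;
  if (!(ageMs >= 0 && ageMs <= expected.maxAgeMs)) problems.push('timestamp out of range');
  if (payload.basicIntegrity !== true) problems.push('basicIntegrity false');
  if (payload.ctsProfileMatch !== true) problems.push('ctsProfileMatch false');
  return problems;
}

// Constructed sample data; the third JWS part is a dummy, not a real signature.
const NOW_MS = 1700000000000;
const EXPECTED = { nonce: 'R2Rra24fVm5xa2Mg', packageName: 'com.example.app',
  certDigest: 'Q09OU1RSVUNURUQ=', maxAgeMs: 5 * 60 * 1000 };
const SAMPLE_PAYLOAD = { timestampMs: NOW_MS - 1000, nonce: 'R2Rra24fVm5xa2Mg',
  apkPackageName: 'com.example.app', apkCertificateDigestSha256: ['Q09OU1RSVUNURUQ='],
  ctsProfileMatch: false, basicIntegrity: true };

function makeSampleJws(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'RS256' }), enc(payload), 'ZHVtbXk'].join('.');
}

console.log(checkPayload(decodeJwsPayload(makeSampleJws(SAMPLE_PAYLOAD)), EXPECTED, NOW_MS));
```

The server should issue a fresh nonce per attestation request and discard it after one use, so a captured response fails the nonce check when submitted again.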