What is SafetyNet and how does it improve Android security?

Google SafetyNet API is a service for checking the integrity of the Android operating system on a particular mobile device. In this article we'll look at what security it provides and how that will change as it is replaced by the Google Play Integrity API.

SafetyNet Overview

The advantages and disadvantages of using SafetyNet are summarized below, and a more in-depth analysis is available in one of our white papers.

Positives:

  • System integrity check: Identify mobile devices where the software environment has deviated in any way from the factory installation, for example, where the device has been rooted.
  • Free service: There is a limit of 10k attestations per day, which can be problematic for high-volume applications, but in many cases SafetyNet will be useful in the early stages of development/deployment.
  • Running app attestation: The ability to ensure that the genuine app is the one using the SafetyNet service is certainly useful from a security perspective, although it should be noted that the attestation of any app running on a rooted device cannot be trusted. Rooted phones, where there are no other security issues, are considered acceptable by some sectors, and for those companies SafetyNet may not be useful.

Negatives:

  • Backend integration: The server side is responsible for providing the nonce value that starts the SafetyNet process. Therefore, as described in the Google documentation, the validation cannot be implemented in the API Gateway, WAF, CDN, etc., which may be an important limitation for some customers.
  • Service performance: SafetyNet does not come with any Service Level Agreement (SLA), and there is evidence that the attestation process can take several seconds to complete. These facts mean that it is only practical to use SafetyNet attestation infrequently, which affects the effective level of security, and perhaps not at all with high-volume applications.
  • Man-in-the-Middle: It should also be noted that the system offers no protection against interception of the SafetyNet token through a Man-in-the-Middle (MitM) attack, something that may be significant when conducting a threat assessment of the mobile channel for those companies that decide to allow rooted devices.
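The "Backend integration" item above is easier to see in code. The following is an added example, not code from the original article or from Google: a sketch of the per-request state a backend has to keep to issue nonces and check them in an attestation payload. The class name, package name, TTL and result strings are assumptions, and the payload is assumed to come from a JWS whose signature and certificate chain were already verified.

```python
import base64
import secrets
import time

NONCE_TTL_S = 120                     # assumed policy, not a Google value
EXPECTED_PACKAGE = "com.example.app"  # hypothetical package name


class AttestationBackend:
    """Keeps the issued-nonce state that a stateless gateway/WAF/CDN lacks."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # nonce (base64) -> (session_id, issued_at)

    def issue_nonce(self, session_id):
        nonce = base64.b64encode(secrets.token_bytes(32)).decode()
        self._pending[nonce] = (session_id, self._now())
        return nonce

    def check_payload(self, session_id, payload):
        """payload: dict decoded from an already signature-verified JWS."""
        nonce = payload.get("nonce")
        if not isinstance(nonce, str):
            return "missing-nonce"
        entry = self._pending.pop(nonce, None)  # single use: replay fails
        if entry is None:
            return "unknown-or-replayed-nonce"
        owner, issued_at = entry
        if owner != session_id:
            return "nonce-bound-to-other-session"
        if self._now() - issued_at > NONCE_TTL_S:
            return "nonce-expired"
        if payload.get("apkPackageName") != EXPECTED_PACKAGE:
            return "wrong-package"
        if not (payload.get("basicIntegrity") and payload.get("ctsProfileMatch")):
            return "device-integrity-failed"
        return "ok"


def sample_payload(nonce, **overrides):
    """Constructed sample payload using SafetyNet attestation field names."""
    payload = {"nonce": nonce, "apkPackageName": EXPECTED_PACKAGE,
               "basicIntegrity": True, "ctsProfileMatch": True}
    payload.update(overrides)
    return payload


if __name__ == "__main__":
    backend = AttestationBackend()
    n = backend.issue_nonce("session-1")
    print(backend.check_payload("session-1", sample_payload(n)))
    print(backend.check_payload("session-1", sample_payload(n)))
```
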

This is all interesting, but Google announced in June 2022 that the SafetyNet service would be phased out between June 2023 and June 2024, to be replaced by the Google Play Integrity API.

How does Play Integrity change the picture?

Google Play Integrity is clearly an upgrade of SafetyNet, and its primary purpose is to bring Google's attestation capabilities into line with Apple's, in the form of the Apple App Attest system.

However, although there are some improvements in Play Integrity (for example, it supports a wider range of older OS versions than SafetyNet), most of the challenges described above still exist.

Securing the mobile business

End-to-end mobile platform protection requires a layered approach, as detailed in our working paper on mobile threats. The mobile app, device, and API must all be secured, and each layer must work together. Furthermore, it is important that accurate and flexible security policies are implemented and updated over time so that protection can be tuned to business needs and adjusted based on the activities of bad actors.

Remote attestation is an important component of securing a mobile business – it matters, and both Google and Apple now have services in this area – but it's not an answer in and of itself. A comprehensive view is needed, based on an ongoing assessment of the nature of current mobile and API threats.

Conclusions

If you're thinking about how to improve the security of your Android platform, Google's SafetyNet API, which is now being replaced by Play Integrity, should definitely be on your mind. However, you must arm yourself with the necessary information to make the right decision about if, how and where to use these capabilities.

Specifically, we suggest that you answer the following questions during your internal discussions:

  • Do you need to allow rooted phones to use your services because a large enough percentage of your real users are on rooted phones?
  • Do you want consistent security interfaces for the Android and iOS platforms?
  • Are you developing your mobile apps using a cross-platform development environment such as React Native, Xamarin or Cordova, where SafetyNet / Play Integrity plugins may not be available?
  • Does your security posture require a guarantee that only genuine instances of your mobile app use your APIs, on a per-API-request basis?
  • Do you need to ensure that your APIs are not read or manipulated by a Man-in-the-Middle?

We have a lot of knowledge and experience in this area and will be happy to help you navigate your way to the most effective set of security layers for your use case. Check out our SafetyNet white paper and/or call us today and speak to one of our security experts so we can help: https://approov.io/product/consult

*** This is a Security Bloggers Network syndicated blog from the Approov blog, authored by David Stewart. Read the original post at: https://blog.approov.io/what-is-safetynet-and-how-does-it-improve-android-security
