Create example server side implementation to improve safetynet strength #11
Comments
How were you looking to implement this? I have implemented the server but some of the cert verifications get pretty hairy.
More information on what needs to be done to check the JWS (as well as some client side code) can be found here: https://developer.android.com/training/safetynet/index.html
Hey @robsmall I was looking for an open source nodeJS, PHP, ruby (or any web language really) server implementation that I could either link to or include in this repo. This way people can see how to implement the server side validation - much of which I've done in the library already in Java. I guess it would also be cool if I could easily host it on heroku.com for the sample safetynet app I have in the play store. I figured two APIs from the server: If you've already implemented the server, great, maybe you could share it with me privately if it's not ready for open source?
This is already done in https://play.google.com/store/apps/details?id=com.cigital.safetynetplayground . It's all open-sourced here (server-side): https://github.com/cigital/safetynet-web-php
Hey @scottyab & @robsmall I'm looking for a solution for client side validation of the SSL certificate and signature received in the JWS response instead of using the Verification API. Is there any code snippet on how we can validate the signature? I just put up an SO question on this.
@khalid64927 thanks for commenting. If I understand your question... you're after client side parsing/reading and validation? This is exactly what safetynethelper does, maybe I need to make the readme.md clearer. But just to be clear it's more secure to have a server perform the validation (which is the point of this issue). In future it would probably help if you raised a new issue. Thanks
@scottyab Yes you are right, I have to do the validation on the client due to unavailability of the service on the server at the moment. And what I'm looking for is validation of the signature and SSL chain (all points also mentioned by @robsmall). I can see safetynethelper does the payload validation and uses the Verification API to do signature validation, but the app I'm working on has over a million users and that's hitting the limit with the Verification API (10k per day). So, as per Google, they suggested we can do that on the client side as well and are not required to hit this API. Since then I've been tinkering with this approach; do you have any insights on this?
Arrh ok, I'm with you. I would have thought only Google can verify the request came from Google? That's the point of that Google Verification API? Maybe I'm missing something.
Hey guys, sorry for taking a while to respond to this thread. You can verify that the request came from Google by verifying the cert chain and that the leaf cert came from
Hey Rob,
Hi All, `private boolean verifyLeafCert(String certString){`
Signature validation using JOSE library `public boolean parseJws(String responseString){`
Hey @khalid64927, Without diving too far into the code snippet I just wanted to ask some quick questions/give some comments:
One thing that is helpful is parsing the response string into their respective 3 pieces so you can work with them separately as needed. I hope this was helpful. If not, I can dive more into the code snippets you posted. I used python for my implementation, just as an FYI.
Hi @robsmall
For cross verification you can try manipulating the payload/header data part; the signatures wouldn't match.
I don't think you should run into any issues here since this is all included in the JWS. They actually just updated their cert a few days ago and it did not cause any issues.
That makes sense, but when you call
My apologies if I am ignorant to the inner workings of the library you are using, I should be able to spend some more time looking at this over the weekend if you are still in need. For more info on JWS: https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-36
If anybody requires the host validation in PHP, follow this URL https://github.com/phpseclib/phpseclib, get the headers from the JWS, which consist of two certificates in
If someone figured out my app's apkCertificateDigestSha256, would that be a disaster or no big deal?
@bob-seeger I believe that the SHA-256 hash of any app's signing cert can be obtained by running I don't see any issue with someone getting their hands on the hash for your cert since they should not be able to create an app signed by said cert (if they do, then you do have a problem!) so they will not be able to get a valid JWS blob containing said
@robsmall My only pitfall is what you initially bulleted at the top of this forum:
All of which I'm not currently doing because the server code samples provided by the Google employees are only in Java and C++, which makes me extremely angry because my back end is pure PHP. @ikoz in this forum provided a link to his Github with some PHP; however, his code doesn't actually do any of the SSL stuff you bullet pointed at the top of this forum. And @ikoz must have missed the part of the article where they explicitly say not to verify the JWS response with Google in a production scenario. I (and the world) need a PHP translation of the following
@robsmall It's been a while, but did you manage to find any solutions for PHP? I am in a similar situation.
Based on feedback from Google's security team, for safetynet to be a more secure way of checking device integrity the