kkocel/safetynet-spring
Secure implementation of SafetyNet Attestation flow in Spring 5
Secure implementation of SafetyNet Attestation API developed in Spring
This project provides an implementation of the secure flow of Google's SafetyNet Attestation API.
What's a SafetyNet Attestation?
SafetyNet is a mechanism designed to check whether an Android device has been tampered with.
That means the device could be rooted, run a custom ROM or have been infected with malware.
What's a secure flow anyway?
The secure flow is an implementation of SafetyNet Attestation in which the attestation result is verified on the
server instead of on the mobile phone. A device that is rooted or running modified software cannot be trusted to
verify its own attestation, so the server issues the nonce, receives the signed attestation statement from the app
and performs every check itself.
More on that topic: https://www.synopsys.com/blogs/software-security/using-safetynet-api/
Contents of this project
This project contains two endpoints: the first issues a nonce and the second verifies the JWT token (the signed
attestation statement) that the app obtained from Google services.
Nonce endpoint
GET /nonce?login=username&deviceId=uniqueDeviceId HTTP/1.1
In order to get a nonce the application needs to send the user's login and a unique device id.
The service generates a unique nonce and stores it together with the given login and device id in a temporary cache with a TTL.
The same nonce is expected to come back inside the attestation statement, which ties that statement to this login and device.
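As an added example (not part of this project's code), the nonce cache described above in Go, chosen so the example runs stand-alone with the standard library even though the project itself is Spring: one nonce per login+deviceId, drawn from a CSPRNG, single-use and expiring after the TTL. The 32-byte nonce length, the `login|deviceId` key format and the injected clock are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"sync"
	"time"
)

type nonceEntry struct {
	nonce string
	exp   time.Time
}

// NonceStore plays the README's temporary cache: one live nonce per (login, deviceId), each
// valid for ttl. A real deployment would back this with a shared cache so that any server
// replica can answer the later /login call. (Example code; key format is an assumption.)
type NonceStore struct {
	mu  sync.Mutex
	ttl time.Duration
	m   map[string]nonceEntry
}

func NewNonceStore(ttl time.Duration) *NonceStore {
	return &NonceStore{ttl: ttl, m: map[string]nonceEntry{}}
}

// Issue is the GET /nonce step: 32 bytes from crypto/rand (assumed length), base64-encoded and
// stored under the login+deviceId pair. Issuing again replaces any earlier nonce for that pair.
func (s *NonceStore) Issue(login, deviceID string, now time.Time) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	n := base64.StdEncoding.EncodeToString(b)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.m[login+"|"+deviceID] = nonceEntry{nonce: n, exp: now.Add(s.ttl)}
	return n, nil
}

// Consume hands the nonce out exactly once and deletes it, so a captured attestation cannot be
// replayed; an expired entry is deleted as well and reported as absent.
func (s *NonceStore) Consume(login, deviceID string, now time.Time) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := login + "|" + deviceID
	e, ok := s.m[key]
	delete(s.m, key)
	if !ok || !now.Before(e.exp) {
		return "", false
	}
	return e.nonce, true
}
```

The clock is passed in rather than read from `time.Now()` so the TTL behaviour can be tested deterministically; deleting on every `Consume` is what makes a nonce single-use.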
Login endpoint
POST /login HTTP/1.1
Content-Type: application/json; charset=utf-8

{
  "login": "username",
  "password": "mySecretPassword",
  "jwt": "eyJhbGciOiJSU..."
}
This endpoint is responsible for the user login together with verification of the jwt token. The token is only
trusted after its signature and certificate chain have been verified, and the nonce it carries must be the one the
service issued earlier.
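An added example, not the project's code, of the server-side verification a login endpoint has to perform on the jwt field, written in Go so that it runs offline with only the standard library. Order matters: the x5c certificate chain and the RS256 signature are checked before any claim is read, and only then the nonce, the timestampMs freshness, apkPackageName, ctsProfileMatch and basicIntegrity. Assumptions made for the example: the caller looks up the nonce it issued for this login and device and passes it as wantNonce; the app hands SafetyNet the decoded bytes of the issued string so the claim echoes that string; a two-minute freshness window; and NewTestIssuer, a constructed self-signed certificate standing in for Google's real attest.android.com chain so the code can run without network access. In production the roots pool holds the public CAs that issue that certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// Claims is the subset of the SafetyNet attestation payload the server must check.
type Claims struct {
	Nonce           string `json:"nonce"`
	TimestampMs     int64  `json:"timestampMs"`
	ApkPackageName  string `json:"apkPackageName"`
	CtsProfileMatch bool   `json:"ctsProfileMatch"`
	BasicIntegrity  bool   `json:"basicIntegrity"`
}

// Verify checks an attestation JWS the way /login must: certificate chain and RS256 signature first,
// claims only after that. wantNonce is the nonce the server issued to this login+deviceId, pkg the
// package name the attestation must name, roots the trust anchor for the x5c chain.
func Verify(jws, wantNonce, pkg string, roots *x509.CertPool, now time.Time) (*Claims, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 { return nil, errors.New("malformed JWS") }
	var hdr struct {
		Alg string   `json:"alg"`
		X5c []string `json:"x5c"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" || len(hdr.X5c) == 0 {
		return nil, errors.New("bad header: need alg RS256 and an x5c chain")
	}
	// x5c carries standard-base64 DER certificates: the signing leaf first, then its intermediates.
	var certs []*x509.Certificate
	for _, s := range hdr.X5c {
		der, err := base64.StdEncoding.DecodeString(s)
		c, perr := x509.ParseCertificate(der)
		if err != nil || perr != nil { return nil, errors.New("x5c entry is not a base64 DER certificate") }
		certs = append(certs, c)
	}
	inter := x509.NewCertPool()
	for _, c := range certs[1:] { inter.AddCert(c) }
	// The chain must reach a trusted root and the leaf must be issued to attest.android.com;
	// a valid signature under any other certificate proves nothing.
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: "attest.android.com", CurrentTime: now}
	if _, err := certs[0].Verify(opts); err != nil { return nil, err }
	pub, ok := certs[0].PublicKey.(*rsa.PublicKey)
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if !ok || err != nil { return nil, errors.New("leaf key is not RSA or signature is not base64url") }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil { return nil, err }
	// Only now are the claims trustworthy. The nonce ties this statement to the earlier /nonce call;
	// assumed: the app hands SafetyNet the decoded bytes of the issued string, so the claim echoes it.
	var c Claims
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pb, &c) != nil { return nil, errors.New("payload is not base64url JSON") }
	if c.Nonce != wantNonce { return nil, errors.New("nonce does not match the one issued for this login and device") }
	age := now.Sub(time.Unix(0, c.TimestampMs*int64(time.Millisecond))) // two-minute window is an assumption
	if age < -2*time.Minute || age > 2*time.Minute { return nil, errors.New("attestation timestamp outside the accepted window") }
	if c.ApkPackageName != pkg || !c.CtsProfileMatch || !c.BasicIntegrity {
		return nil, errors.New("wrong package, or device failed ctsProfileMatch/basicIntegrity")
	}
	return &c, nil
}

// NewTestIssuer builds a throwaway self-signed attest.android.com certificate (a constructed stand-in
// for Google's real chain, only so the example runs offline) and returns a pool trusting it plus a
// signer that packs Claims into a SafetyNet-style RS256 JWS carrying that certificate in x5c.
func NewTestIssuer() (*x509.CertPool, func(Claims) string, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "attest.android.com"},
		DNSNames: []string{"attest.android.com"}, BasicConstraintsValid: true, IsCA: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, _ := x509.ParseCertificate(der) // DER produced one line above; parsing cannot fail
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	enc := base64.RawURLEncoding.EncodeToString
	hdr, _ := json.Marshal(map[string]interface{}{"alg": "RS256", "x5c": []string{base64.StdEncoding.EncodeToString(der)}})
	sign := func(c Claims) string {
		body, _ := json.Marshal(c)
		input := enc(hdr) + "." + enc(body)
		d := sha256.Sum256([]byte(input))
		sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
		return input + "." + enc(sig)
	}
	return roots, sign, nil
}
```

The signature is verified over the exact bytes of the first two segments as received, never over a re-serialized payload, and the alg header is pinned to RS256 so a token that names a different algorithm is rejected before any key is touched.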
Running the tests
./gradlew clean test
Authors
- Krzysztof Kocel - kkocel
License
This project is licensed under the Apache License 2.0 - see the LICENSE file for details
