Creating a SafetyNet Checker Application in Android
In this tutorial we will build a SafetyNet checking application that helps us understand how Google's SafetyNet Attestation API functions, how to resolve a JWS into Kotlin objects, and how to generate a nonce and pass it in the API call. Understanding SafetyNet is necessary for every Android app developer because of its security checking mechanism: it lets developers rely on Google's security check implementation, which should be taken into account when building apps that scale.
- Android Studio 4.x.x
- Google Cloud Account
- Android Device or Emulator
SafetyNet is a simple and scalable solution from Google to verify device compatibility and security. For app developers concerned about their application's security, Google trusts that Android SafetyNet will be the right answer. With a strong emphasis on security, SafetyNet essentially protects the sensitive data within an application and helps preserve user trust as well as device integrity. SafetyNet is part of Google Play Services and is independent of the device manufacturer. It therefore requires Google Play Services to be enabled on the device for the API to function.
Create a Project under Google Cloud Project
First, create a project under GCP and activate the Android Device Verification API. Then go to the Credentials section on the platform to get the key. It is required later for sending the attestation request to the SafetyNet Attestation API.
Now create an empty project in Android Studio
Create an empty application in Android Studio and add the dependencies we will use for this project. We will use Fragment Navigation and View Binding to handle the views. To enable View Binding in your project, follow the View Binding Guide. Below is the code for the build.gradle file.
Setting up for SafetyNet Application
Now we need to create two fragments under MainActivity, which we can call RequestFragment and ResultFragment. The Request fragment has a button that, when tapped, sends a request to the SafetyNet Attestation API and fetches the data to display in the Result fragment. First, create a navigation resource in res named nav_graph.xml and add the code below to that file. Below is the code for the nav_graph.xml file.
This graph connects our Request and Result fragments on top of MainActivity so that the application flow works smoothly.
Now we need to add functions in Request.kt to get data from the API and then display it in the Result screen. Before implementing the logic in Kotlin, we need to prepare the layouts as follows. Below is the code for the activity_main.xml file.
Below is the code for the fragment_request.xml file.
Below is the code for the fragment_result.xml file.
We are now done with the basic layouts of the application and ready to implement the logic the application needs. A request to the SafetyNet API first depends on the availability of Google Play Services, so the first thing to do is set up the check for Google Play Services availability. Then we can send a request to the API with a generated nonce, which the API returns with the data so that it can be rechecked. The data is returned as a JSON Web Signature (JWS), which needs to be parsed into a Kotlin object to be displayed. Google suggests verifying the returned data on the backend to avoid irregular attacks on the API system. Here we will just test the application and will not implement the backend verification, which is required when making production-ready applications. Below is the code for the Request.kt file.
With this, we generate a nonce of 24 bytes and send a request to the API, passing the nonce into it. We get the data back as a JSON Web Signature (JWS), which we load into a SafetynetResultModel, a simple data class that we parcel to send it across fragments. Below is the code for the SafetynetResultModel.kt file.
We parcel the data and send it to the Result fragment through the navController, which we wired into nav_graph during the first steps. This way our Result fragment has access to the arguments, so we can extract the data and display it on a simple page. Below is the code for the Result.kt file.
We get the data with navArgs, which is generated by passing the data into navController while navigating between fragments, similar to passing data into intents. The displayData() function can then display it in the views we created in the layout earlier. This creates a basic SafetyNet application. To create a production-ready application for distribution, you must add a backend that verifies the returned data, checks whether the API is being abused or attacked, and adds checks to prevent that.
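The nonce generation and JWS payload parsing described above, as an added example that is not the tutorial's Request.kt. It goes one step further than the text by comparing the returned nonce, timestamp and package name against what was sent. It assumes org.json (bundled with Android) and java.util.Base64 (API 26+) are available; the class and function names, the package name and the 60-second freshness window are hypothetical.

```kotlin
import java.security.MessageDigest
import java.security.SecureRandom
import java.util.Base64
import org.json.JSONObject

// Hypothetical model for this example; not the tutorial's SafetynetResultModel.
class AttestationPayload(
    val nonce: ByteArray, val timestampMs: Long, val apkPackageName: String,
    val ctsProfileMatch: Boolean, val basicIntegrity: Boolean
)

// 24 random bytes from a CSPRNG; generate a fresh value for every request.
fun generateNonce(size: Int = 24): ByteArray = ByteArray(size).also { SecureRandom().nextBytes(it) }

// Decodes the payload of a compact JWS (header.payload.signature).
// It does NOT verify the signature or certificate chain; that is the backend's job.
fun parsePayload(jws: String): AttestationPayload {
    val parts = jws.split(".")
    require(parts.size == 3) { "not a compact JWS" }
    val json = JSONObject(String(Base64.getUrlDecoder().decode(parts[1]), Charsets.UTF_8))
    return AttestationPayload(
        Base64.getDecoder().decode(json.optString("nonce", "")),
        json.optLong("timestampMs", 0L), json.optString("apkPackageName", ""),
        json.optBoolean("ctsProfileMatch", false), json.optBoolean("basicIntegrity", false)
    )
}

// Returns the reasons to reject the response; an empty list means the fields look consistent.
fun checkPayload(p: AttestationPayload, sentNonce: ByteArray, pkg: String, maxAgeMs: Long = 60_000L): List<String> {
    val problems = mutableListOf<String>()
    if (!MessageDigest.isEqual(p.nonce, sentNonce)) problems += "nonce mismatch (possible replay)"
    if (System.currentTimeMillis() - p.timestampMs > maxAgeMs) problems += "response too old"
    if (p.apkPackageName != pkg) problems += "unexpected package name"
    if (!p.basicIntegrity) problems += "basicIntegrity is false"
    if (!p.ctsProfileMatch) problems += "ctsProfileMatch is false"
    return problems
}

fun main() {
    val nonce = generateNonce()
    // Constructed sample token with a placeholder header and signature, not a real response.
    val body = JSONObject().put("nonce", Base64.getEncoder().encodeToString(nonce))
        .put("timestampMs", System.currentTimeMillis()).put("apkPackageName", "com.example.checker")
        .put("ctsProfileMatch", true).put("basicIntegrity", false).toString()
    val enc = Base64.getUrlEncoder().withoutPadding()
    val jws = listOf("{\"alg\":\"RS256\"}", body, "sig").joinToString(".") { enc.encodeToString(it.toByteArray()) }
    println(checkPayload(parsePayload(jws), nonce, "com.example.checker"))
    println(checkPayload(parsePayload(jws), generateNonce(), "com.example.checker"))
}
```

Because the payload is only decoded here, these field checks are meaningful only after the backend has verified the JWS signature and its certificate chain.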