How to validate apkCertificateDigestSha256 in the parsed JWS response? #21
Comments
I don't know if you have found the answer for that. However, after reading a little bit more about the Attestation API, I think you can match this value with the value you get from your You can get this value by doing: `keytool -list -v -keystore ~/.android/debug.keystore -alias androiddebugkey -storepass android -keypass android` (this will produce an output for you, containing the The tricky part here is that `Buffer.from(apkCertificateDigestSha256, 'base64').toString('hex')` Then you can match the values you have with the value you got from the API.
@rajithareddy79 Updated: The correct answer was already given by @wmartins, still I don't know why I could not figure it out that time. I spent quite a long time to verify apkCertificateDigestSha256 at my server. I will mention what I did just in case someone else comes on this page and does not understand. apkCertificateDigestSha256 is the Base64 encoded string of the SHA256 fingerprint of the certificate which has been used to sign the build. To verify programmatically: If computedHash and apkCertificateDigestSha256 match, it means the app was signed with your_keystore. Hence you prove the integrity of the APK (provided basicIntegrity and ctsProfileMatch are 'true'). Thanks
Any update on this? I am facing the same issue. https://stackoverflow.com/q/68046717/4450098
Check the code here as reference on how to do the validations: https://github.com/Gralls/SafetyNetSample/blob/master/Server/src/main/java/pl/patryk/springer/safetynet/Main.kt I just found it while searching for the same thing, and all credit goes to the person that owns the repo.
After parsing the JWS token, how do I validate the apkCertificateDigestSha256 value? I also have the keystore.jks file used to sign the APK of my app. So how do I use this to validate apkCertificateDigestSha256?