How to validate Safety Net JWS signature from header data in Android app


Question

I'm using the SafetyNet API for checking if the device is rooted or not and using the below helpful code, but this uses the Android verification API to validate the JWT signature:

https://github.com/scottyab/safetynethelper

And I want to validate on the client side only, to reduce the overhead of another web service call, and besides it has a limitation of only 10k requests per day.

So after decoding the JWS I'm getting the below info.

Sample JWS message response

xxxx.yyy.zzzz

Header data

{"alg":"RS256","x5c":["<certificate1 string>","<certificate2 string>"]}

Payload data

{
  "nonce": "<nonce>",
  "timestampMs": 1472794339527,
  "apkPackageName": "<apkPackageName>",
  "apkDigestSha256": "<sha digest string>",
  "ctsProfileMatch": true,
  "extension": "<extension string>",
  "apkCertificateDigestSha256": ["<apkCertificateDigestSha256 string>"],
  "basicIntegrity": true
}

Signature: if you perform Base64 decoding on this part it becomes unreadable, so below is the signature string as received in the last element of the JWS.

Gw09rv1aBbtd4Er7F5ww_3TT1mPRD5YouMkPkwnRXJq8XW_cxlO4428DHTJdD8Tbep-Iv3nrVRWt2t4pH1uSr2kJ9budQJuXqzOUhN93r2Hfk-UAKUYQYhp89_wOWjSCG4ySVHD4jc9S1HrZlngaUosocOmhN4SzLZN5o8BXyBdXkjhWwgArd4bcLhCWJzmxz5iZfkhDiAyeNRq09CeqjRx_plqAy8eR_OaI_2idZBNIGfd2KmLK_CKaeVjDxuC4BzJsIlVRiuLrvP362Wwhz4r1bHh8flmHr88nK99apP2jkQD2l7lPv8y5F3FN3DKhJ15CzHR6ZbiTOw1fUteifg

Now as per Google:

"Verify the compatibility check response: Extract the SSL certificate chain from the JWS message. Validate the SSL certificate chain and use SSL hostname matching to verify that the leaf certificate was issued to the hostname attest.android.com. Use the certificate to verify the signature of the JWS message."

I do have the cert string and the signature; how should I go about validating the SSL certificate, which is a string, and doing the host name matching on the second cert, and how do I validate the signature?

I need pointers on this, and a code snippet would be very helpful.

Answer

The way you want to validate the JWT signature on the device is not secure. Think about the next case:

  • the device is rooted, and a malware application with root privileges catches your request to Google's SafetyNet and returns a self-signed response.

When you verify the response with your own server service - you will get that the response you've got wasn't provided by Google. If you do this locally on the device - the same malware app could catch your request to verify the JWT signature and respond with true.

Anyway, you can do this locally:

  1. You need to get an API key for your application from Google Developers.
  2. Use the Android Device Verification API:

From Android Developers:

Note: The API method to validate the response message has a fixed rate limit of 10,000 requests per day, per project. You should only use the verify() method for testing during the initial development stage. You should not call the method in a production scenario.

[...]

To use the Android Device Verification API:

Create a JSON message containing the entire contents of the JWS message in the following format:

{ "signedAttestation": "<output of getJwsResult()>" }

Use an HTTP POST request to send the message with a Content-Type of "application/json" to the following URL: https://www.googleapis.com/androidcheck/v1/attestations/verify?key=<your API key>

The service validates the integrity of the message, and if the message is valid, it returns a JSON message with the following contents: { "isValidSignature": true }

Actually (from
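The four steps from the Google passage quoted in the question (extract the x5c chain, validate it, match the leaf to attest.android.com, verify the RS256 signature), carried out on the app's own server as the answer recommends. This is an added example, not code from the question, the answer or scottyab/safetynethelper; it assumes org.json is on the classpath and that the JWS string is the value the client obtained from getJwsResult().

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.Signature;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;
import org.json.*;

// Server-side verification of a SafetyNet attestation JWS (assumes org.json on the classpath).
public final class SafetyNetJwsVerifier {
    private static final String EXPECTED_HOSTNAME = "attest.android.com";
    // Returns the payload JSON once every check has passed; throws otherwise.
    public static JSONObject verify(String jws) throws Exception {
        String[] parts = jws.split("\\.");
        if (parts.length != 3) throw new SecurityException("malformed JWS");
        Base64.Decoder b64url = Base64.getUrlDecoder();
        JSONObject header = new JSONObject(new String(b64url.decode(parts[0]), StandardCharsets.UTF_8));
        if (!"RS256".equals(header.getString("alg"))) throw new SecurityException("unexpected alg");
        // 1. Extract the certificate chain from the header; x5c entries are plain base64 DER, leaf first.
        JSONArray x5c = header.getJSONArray("x5c");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        for (int i = 0; i < x5c.length(); i++) {
            byte[] der = Base64.getDecoder().decode(x5c.getString(i));
            chain.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
        }
        X509Certificate leaf = chain.get(0);
        // 2. Validate the chain against the platform's trusted root CAs (signatures, validity, EKU).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        ((X509TrustManager) tmf.getTrustManagers()[0]).checkServerTrusted(chain.toArray(new X509Certificate[0]), "RSA");
        // 3. Hostname match: the leaf must name attest.android.com in a dNSName SAN (GeneralName type 2).
        if (!hasDnsSan(leaf, EXPECTED_HOSTNAME)) throw new SecurityException("leaf not issued to " + EXPECTED_HOSTNAME);
        // 4. RS256 = SHA256withRSA over the ASCII bytes of "<header>.<payload>", checked with the leaf's key.
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(leaf.getPublicKey());
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(b64url.decode(parts[2]))) throw new SecurityException("bad JWS signature");
        return new JSONObject(new String(b64url.decode(parts[1]), StandardCharsets.UTF_8));
    }

    private static boolean hasDnsSan(X509Certificate cert, String host) throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false;
        for (List<?> san : sans)
            if (Integer.valueOf(2).equals(san.get(0)) && host.equalsIgnoreCase(String.valueOf(san.get(1)))) return true;
        return false;
    }
}
```

A valid signature only proves Google produced the response; the server must still check the returned payload: the nonce must be the one it issued for this request, timestampMs must be recent, and apkPackageName, apkDigestSha256 and apkCertificateDigestSha256 must match the released app.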
