pyattest

pyattest

pyattest provides a common interface that helps you verify attestations from either Google or Apple. The package works standalone but if you use django and need a full implementation with key generation and storage then django-dreiattest could be of interest for you.

Installation

pyattest is available on PyPI and can be installed via $ python -m pip install pyattest

Usage

In it's most basic form you can create either a GoogleConfig, GooglePlayIntegrityApiConfig or AppleConfig instance, create an Attestation and verify it.

Google Play Integrity API

The following parameters are important:

• decryption_key: A Base64 encoded AES key secret as described here
• verification_key: A Base64 encoded public key as described here
• apk_package_name: Name of your apk
• allow_non_play_distribution: Set to true if you want to verify apps distributed via other means than Google Play (you need to set verify_code_signature_hex) Note: should not be used for dev builds set production to False in that case instead.
• verify_code_signature_hex: The sha256 hash of the signing identity you use for distributing your app. This can be obtained using ./gradlew signingReport in your Android project.
• required_device_verdict: If you want to require stronger integrity guarantees pass the corresponding key here.
• attest: The jwt object string representing the attestation, which is a jws nested in a jwe object
• nonce: The nonce used to create the attestation

config = GooglePlayIntegrityApiConfig(
            decryption_key=[decryption_key],
            verification_key=[decryption_key],
            apk_package_name='ch.dreipol.demo',
            production=True,
            allow_non_play_distribution=True,
            verify_code_signature_hex=["00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"],
            required_device_verdict="MEETS_STRONG_INTEGRITY"
        )
attestation = Attestation(attest, nonce, config)

try:
    attestation.verify()
except PyAttestException as exception:
    # Do your thing
    pass

Google (Legacy: SafetyNet)

The following parameters are important:

• key_id: A Base64 encoded SHA-256 hash of your apps certificate
• apk_package_name: Name of your apk
• production: Ignores basic integrity and cts profile check if False
• attest: The jws object string representing the attestation
• nonce: The nonce used to create the attestation

config = GoogleConfig(key_ids=[key_id], apk_package_name='ch.dreipol.demo', production=True)
attestation = Attestation(attest, nonce, config)

try:
    attestation.verify()
except PyAttestException as exception:
    # Do your thing
    pass

Apple

The following parameters are important:

• key_id: SHA-256 hash of the public key form the cert you got back from the attestation
• app_id: Your app’s App ID, which is the concatenation of your 10-digit team identifier, a period, and your app’s CFBundleIdentifier value
• production: Checks for the appropriate aaguid
• attest: The apple attestation as binary
• nonce: The nonce used to create the attestation

config = AppleConfig(key_id=key_id, app_id='1234ABCDEF.ch.dreipol.demo', production=True)
attestation = Attestation(attest, nonce, config)

try:
    attestation.verify()
except PyAttestException as exception:
    # Do your thing
    pass

Assertion

Once you verified and obtained a public key, you can use it to assert further requests. For a full implementation on how to get to the public key check out django-dreiattest. To check if an assertion is valid we check if it was signed with given pem_key.

• assertion: Raw bytes of the assertion you want to test
• expected_hash: The hash we want to compare the signature against
• pem_key: The public key to verify the signature
• config: A AppleConfig or GoogleConfig instance

assertion = Assertion(assertion, expected_hash, pem_key, config)
assertion.verify()