SafetyNet

SafetyNet is a set of services and APIs from Google designed to help Android applications assess the security and integrity of the device they run on and the apps themselves. It aims to reduce fraud, tampering, and unauthorized access by providing developers with attestations about device and app status, as well as compatibility with Google Play services.

The core component is the SafetyNet Attestation API. After a request from an app, Google returns a signed attestation token (typically a JSON Web Token) that contains information such as basicIntegrity and ctsProfileMatch, along with a nonce for server-side verification. These fields indicate whether the device passes basic integrity checks and whether it is CTS-compliant. The token is designed to be validated by the app’s backend to decide whether to trust the device or proceed with restricted functionality. SafetyNet also includes the Verify Apps API to help detect if an installed APK has been modified or repackaged.

Use cases include protection against fraud in in-app purchases, licensing enforcement, restricting access to premium features, and safeguarding digital content. Practical use relies on Google Play services being present, and results are most effective when combined with other security measures in a defense-in-depth strategy.

Limitations include that SafetyNet does not guarantee safety or non-tamperability; determined attackers can sometimes bypass checks through rooting, emulation, or manipulation of the attestation flow. As part of its evolution, Google has introduced the Play Integrity API to complement or replace parts of SafetyNet for newer applications.
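
The backend decision described above for the attestation token (trust the device, restrict functionality, or refuse), as an added Python example that is not code from Google or from this page. It judges only the decoded payload and assumes the token's signature and certificate chain were already verified with a JOSE/X.509 library. The RS256/x5c header check, the timestampMs and apkPackageName fields, the five-minute freshness window, the three-level verdict, and the names evaluate_attestation and sample_token are assumptions of this example.

```python
import base64
import hmac
import json

MAX_AGE_MS = 5 * 60 * 1000  # assumed freshness window; tune per application


def _segment(seg):
    """Decode one base64url JWS segment (padding is stripped in JWS) to JSON."""
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def evaluate_attestation(jws, expected_nonce, expected_package, now_ms):
    """Return 'full', 'restricted' or 'deny' for one attestation token.

    Assumption: the JWS signature and x5c certificate chain were already
    verified with a JOSE/X.509 library; only the payload is judged here.
    """
    parts = jws.split(".")
    if len(parts) != 3 or not all(parts):
        return "deny"  # malformed compact JWS or empty signature
    try:
        header, claims = _segment(parts[0]), _segment(parts[1])
        if header.get("alg") != "RS256" or not header.get("x5c"):
            return "deny"  # blocks alg=none and tokens without a cert chain
        nonce = base64.b64decode(claims.get("nonce", ""), validate=True)
        timestamp = int(claims["timestampMs"])
    except (ValueError, TypeError, KeyError, AttributeError):
        return "deny"
    # The nonce binds the token to the challenge this backend issued.
    if not hmac.compare_digest(nonce, expected_nonce):
        return "deny"
    if abs(now_ms - timestamp) > MAX_AGE_MS:
        return "deny"  # stale or replayed token
    if claims.get("apkPackageName") != expected_package:
        return "deny"
    if claims.get("basicIntegrity") is not True:
        return "deny"
    return "full" if claims.get("ctsProfileMatch") is True else "restricted"


def sample_token(nonce, alg="RS256", **claims):
    """Build a constructed, NOT genuinely signed token for offline testing."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    body = {"nonce": base64.b64encode(nonce).decode(), **claims}
    return ".".join([enc({"alg": alg, "x5c": ["constructed"]}), enc(body), "c2ln"])
```

The verdict is only as trustworthy as the signature verification that precedes it, and the expected nonce should be a single-use value the backend generated for that request.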