# App attestation

# About app attestation

Our app attestation feature gives applications additional security, as it prevents third-party use of our APIs. Using this feature guarantees that our Encap server communicates with the correct app.

Without app attestation, any mobile client with a valid AppID and end-to-end (E2E) public key can call and use our Encap mobile client APIs. This could allow a third party to create a malicious app, which can pose security and privacy risks.

# How does app attestation work?

# Play Integrity for Android

On Android devices, we offer Play Integrity, which is provided by Google as part of the Android platform.

Play Integrity lets you enforce the use of trusted Android devices and genuine apps that have been installed from the Google Play Store.

We use the Play Integrity Attestation API, which assesses the integrity of the device that an app is running on.

Note

If your app generates more traffic than the default Play Integrity API quota, your API requests may return errors. You can find more details about Play Integrity API quota and monitoring in the Android developer documentation.

# App Attest for iOS

On iOS devices, we offer App Attest, which is provided by Apple as part of the iOS platform.

App Attest gives your app a way to assert its validity by enforcing the use of trusted apps with genuine SDKs.

This feature is available on Apple devices running iOS version 14 and later. You can find an overview of the service backing this feature in the Apple developer documentation.

# App attestation response object

The attestation result is provided in the response as the attestation object.

| Field name | Description |
|---|---|
| play_integrity_status | Play Integrity attestation status for the device. See Play Integrity statuses in our MobileID API reference documentation for a list of possible values. |
| play_integrity_date | Date and time when the Play Integrity attestation was performed. |
| app_attest_status | App Attest attestation status for the device. See App Attest statuses in our MobileID API reference documentation for a list of possible values. |
| app_attest_date | Date and time when the App Attest attestation was performed. |

Example: Attestation result for Android

```json
"attestation" : {
	"play_integrity_status" : "VERIFIED",
	"play_integrity_date" : "2019-09-20T13:14:01.984UTC"
}
```

Example: Attestation result for iOS

```json
"attestation" : {
	"app_attest_status" : "VERIFIED",
	"app_attest_date" : "2019-09-20T13:14:01.984UTC"
}
```

# Configuration options

The app attestation feature can be used in three different modes:

| App attestation mode | Description |
|---|---|
| OFF | Attestation is not performed. This is the default mode until Signicat has completed configuring the feature for you. |
| OPTIONAL | Attestation is performed. Even if the attestation check fails, the device operation will not fail; it is up to you what action to take on the result. A new attestation is performed on the next operation. |
| REQUIRED | Attestation is performed. If the attestation check fails, the device operation will fail. |


Note

If the app attestation mode is set to REQUIRED, then the device must have performed a successful attestation before it can be used for future operations.

Attestation is triggered on new registrations, or the first authentication if the registration already exists.

If attestation was unsuccessful previously, then it will be compulsory in the next operation (registration, authentication, or signing).
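In OPTIONAL mode the decision on a failed or missing attestation is left to you. The following added example (not Signicat's code) shows one way a backend can evaluate the attestation object described above for both platforms: it parses the date format used in the examples, treats any status other than VERIFIED as a failed check (the full status lists are in the API reference, not on this page), and applies an optional freshness limit that is an assumed local policy, not something the documentation defines.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Status and date field names as listed in the attestation response object above.
_PLATFORM_FIELDS = {
    "android": ("play_integrity_status", "play_integrity_date"),
    "ios": ("app_attest_status", "app_attest_date"),
}

@dataclass(frozen=True)
class AttestationCheck:
    platform: Optional[str]  # "android", "ios", or None if no attestation data was returned
    verified: bool           # True only for status VERIFIED (and a fresh date, if a limit is given)
    reason: str              # human-readable explanation for logging or alerting

def parse_attestation_date(value: str) -> datetime:
    """Parse the date format shown in the examples, e.g. "2019-09-20T13:14:01.984UTC"."""
    if not value.endswith("UTC"):
        raise ValueError(f"unexpected attestation date format: {value!r}")
    return datetime.strptime(value[:-3], "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)

def evaluate_attestation(response: dict, max_age_seconds: Optional[float] = None,
                         now: Optional[datetime] = None) -> AttestationCheck:
    """Decide how to treat a device operation based on its attestation object."""
    # max_age_seconds is an assumed policy knob (reject attestations older than this);
    # the documentation does not define a freshness window, so it is off by default.
    now = now or datetime.now(timezone.utc)
    attestation = response.get("attestation")
    if not attestation:
        return AttestationCheck(None, False, "no attestation object in response (mode OFF?)")
    for platform, (status_key, date_key) in _PLATFORM_FIELDS.items():
        if status_key not in attestation:
            continue
        status = attestation[status_key]
        if status != "VERIFIED":  # any other status is treated as a failed check
            return AttestationCheck(platform, False, f"{status_key}={status}")
        try:
            performed = parse_attestation_date(attestation.get(date_key, ""))
        except ValueError as exc:
            return AttestationCheck(platform, False, str(exc))
        age = (now - performed).total_seconds()
        if max_age_seconds is not None and age > max_age_seconds:
            return AttestationCheck(platform, False, f"attestation is {age:.0f}s old, limit {max_age_seconds:.0f}s")
        return AttestationCheck(platform, True, f"{status_key}=VERIFIED at {performed.isoformat()}")
    return AttestationCheck(None, False, "attestation object has no recognised status field")
```

Because attestation is re-run on the next operation in OPTIONAL mode, logging the reason string on every failed check gives you a per-device history to act on before switching to REQUIRED.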

# Make changes to your configuration

MobileID's app attestation feature is configured in your application configuration.

To set up and make configuration changes to app attestation, send your preferences to us at support@signicat.com. We will update your application configuration for you.

Last updated: 07/02/2024 10:48 UTC