# App attestation

# About app attestation

Our app attestation feature gives applications additional security, as it prevents third-party use of our APIs. Using this feature guarantees that our Encap server communicates with the correct app.

Without app attestation, any mobile client with a valid AppID and end-to-end (E2E) public key can call and use our Encap mobile client APIs. This could allow a third party to create a malicious app, which can pose security and privacy risks.

# How does app attestation work?

# Play Integrity for Android

On Android devices, we offer Play Integrity, which is provided by Google as part of the Android platform.

Play Integrity lets you enforce the use of trusted Android devices and genuine apps that have been installed from the Google Play Store.

We use the Play Integrity Attestation API, which assesses the integrity of the device that an app is running on.


If your app generates more traffic than the default Play Integrity API quota, your API requests may return errors. You can find more details about Play Integrity API quota and monitoring in the Android developer documentation.

# App Attest for iOS

On iOS devices, we offer App Attest, which is provided by Apple as part of the iOS platform.

App Attest gives your app a way to assert its validity, by enforcing the use of trusted apps with genuine SDKs.

This feature is available on Apple devices running iOS version 14 and later. You can find an overview of the service backing this feature in the Apple developer documentation.

# App attestation response object

The attestation result is provided in the response as the attestation object.

| Field name | Description |
|---|---|
| `play_integrity_status` | Play Integrity attestation status for the device. See Play Integrity statuses in our MobileID API reference documentation for a list of possible values. |
| `play_integrity_date` | Date when the Play Integrity attestation was performed. |
| `app_attest_status` | App Attest attestation status for the device. See App Attest statuses in our MobileID API reference documentation for a list of possible values. |
| `app_attest_date` | Date when the App Attest attestation was performed. |

Example: Attestation result for Android

```json
"attestation" : {
	"play_integrity_status" : "VERIFIED",
	"play_integrity_date" : "2019-09-20T13:14:01.984UTC"
}
```

Example: Attestation result for iOS

```json
"attestation" : {
	"app_attest_status" : "VERIFIED",
	"app_attest_date" : "2019-09-20T13:14:01.984UTC"
}
```

# How to configure app attestation

To use our app attestation feature, you need to:

# Configure the mobile SDK

You can use the buttons below to learn how to configure the mobile SDK for app attestation.

# Configure the application configuration

To enable and configure app attestation, you need to update your application configuration.

You can see what values need to be set in the App attestation configurations table in the application configuration feature documentation.

To find out how to set these properties, see the Make changes to your configuration section on this page.

# Attestation modes

The app attestation feature can be used in multiple modes:


- The OFF mode means that attestation is not performed. By default, attestation is turned OFF.
- The OPTIONAL mode means that attestation is performed. If attestation fails, then the transaction will not fail, and a new attestation is performed on the next transaction.
- The REQUIRED mode means that attestation is performed. If attestation fails, then the transaction will fail and the device is locked. The device must perform a successful attestation before it can be used for future transactions. Attestation is triggered on new registrations, or the first authentication if the registration already exists.

Note: Devices running versions of iOS older than iOS 14 will always fail if the mode is REQUIRED, due to requirements by the Apple App Attest API.
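
In OPTIONAL mode a failed attestation does not fail the transaction, so a backend that wants to treat unattested devices differently has to read the attestation object from the response itself. The following is an added example, not Encap code: it checks that object and parses the date format shown in the examples above. The function names, the `max_age` policy, the rule that only `VERIFIED` passes, and the expectation that a response carries one platform's fields are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the page's Android example.
SAMPLE_ANDROID = {"attestation": {
    "play_integrity_status": "VERIFIED",
    "play_integrity_date": "2019-09-20T13:14:01.984UTC",
}}

# (status field, date field) pairs from the response object table.
PLATFORM_FIELDS = {
    "android": ("play_integrity_status", "play_integrity_date"),
    "ios": ("app_attest_status", "app_attest_date"),
}
# The page's dates end in a literal "UTC", which fromisoformat() rejects.
_DATE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3})UTC$")


def parse_attestation_date(value):
    """Parse a date such as 2019-09-20T13:14:01.984UTC into an aware datetime."""
    match = _DATE_RE.match(value)
    if not match:
        raise ValueError(f"unexpected attestation date: {value!r}")
    parsed = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%S.%f")
    return parsed.replace(tzinfo=timezone.utc)


def evaluate_attestation(response, now, max_age=None):
    """Return (trusted, reason) for one response; any doubt fails closed."""
    attestation = response.get("attestation")
    if not isinstance(attestation, dict):
        return False, "no attestation object"
    present = [name for name, (status_key, _) in PLATFORM_FIELDS.items()
               if status_key in attestation]
    if len(present) != 1:  # assumption: one platform per response
        return False, "expected exactly one platform status"
    status_key, date_key = PLATFORM_FIELDS[present[0]]
    # Assumption: only VERIFIED (the value shown on the page) is a pass.
    if attestation[status_key] != "VERIFIED":
        return False, f"{present[0]} status is {attestation[status_key]!r}"
    try:
        performed = parse_attestation_date(str(attestation.get(date_key)))
    except ValueError as exc:
        return False, str(exc)
    if performed > now:
        return False, "attestation date is in the future"
    if max_age is not None and now - performed > max_age:
        return False, "attestation older than max_age"
    return True, f"{present[0]} attestation verified"
```

Leave `max_age` unset unless you know how often your devices re-attest, since attestation is triggered on registration or first authentication rather than on every transaction.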

# Make changes to your configuration

To update your application configuration with the necessary properties, you can either:

Last updated: 06/05/2024 07:22 UTC