# App attestation
# About app attestation
Our app attestation feature gives applications additional security by preventing third-party use of our APIs. Using this feature lets our Encap server verify that it is communicating with a genuine instance of your app, instead of trusting only the credentials a client presents.
Without app attestation, any mobile client that holds a valid AppID and end-to-end (E2E) public key can call and use our Encap mobile client APIs. Because these values ship inside the distributed app, a third party could extract them and build a malicious app that calls the APIs on their behalf, which poses security and privacy risks.
# How does app attestation work?
# Play Integrity for Android
On Android devices, we offer Play Integrity, which is provided by Google as part of the Android platform.
Play Integrity lets you enforce the use of trusted Android devices and genuine apps that have been installed from the Google Play Store.
We use the Play Integrity API, which assesses the integrity of the device that an app is running on and checks that the app binary is the genuine one distributed through Google Play.
Note
If your app generates more traffic than the default Play Integrity API quota, your API requests may return errors. You can find more details about Play Integrity API quota and monitoring in the Android developer documentation.
# App Attest for iOS
On iOS devices, we offer App Attest, which is provided by Apple as part of the iOS platform.
App Attest gives your app a way to assert its validity: it lets the server verify that requests come from a genuine, unmodified build of your app running on a genuine Apple device.
This feature is available on Apple devices running iOS version 14 and later. You can find an overview of the service backing this feature in the Apple developer documentation.
# App attestation response object
The attestation result is provided in the response as the `attestation` object. An Android response carries the `play_integrity_*` fields, an iOS response the `app_attest_*` fields.

| Field name | Description |
| --- | --- |
| `play_integrity_status` | Play Integrity attestation status for the device. See Play Integrity statuses in our MobileID API reference documentation for a list of possible values. |
| `play_integrity_date` | Timestamp of when the Play Integrity attestation was performed. |
| `app_attest_status` | App Attest attestation status for the device. See App Attest statuses in our MobileID API reference documentation for a list of possible values. |
| `app_attest_date` | Timestamp of when the App Attest attestation was performed. |
Example: Attestation result for Android

```json
"attestation" : {
  "play_integrity_status" : "VERIFIED",
  "play_integrity_date" : "2019-09-20T13:14:01.984UTC"
}
```

Example: Attestation result for iOS

```json
"attestation" : {
  "app_attest_status" : "VERIFIED",
  "app_attest_date" : "2019-09-20T13:14:01.984UTC"
}
```
# Configuration options
The app attestation feature can be used in three different modes:
| App attestation mode | Description |
| --- | --- |
| OFF | Attestation is not performed. The default mode is OFF until Signicat has completed configuring the feature for you. |
| OPTIONAL | Attestation is performed. Even if the attestation check fails, the device operation will not fail. It is up to you what action to take on the result. A new attestation is performed on the next operation. |
| REQUIRED | Attestation is performed. If the attestation check fails, then the device operation will fail. |
Note
If the app attestation mode is set to REQUIRED, then the device must have performed a successful attestation before it can be used for future operations.
Attestation is triggered on new registrations, or on the first authentication if the registration already exists.
If the previous attestation was unsuccessful, attestation is compulsory on the next operation (registration, authentication or signing).
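The following is an added example of how a relying party can consume the `attestation` object described above and apply the mode semantics from this section; it is not Signicat's code. It assumes only the field names and the `VERIFIED` status shown on this page, treats any other status string as a failed attestation (the real status vocabulary is in the MobileID API reference), and adds a local freshness policy (`max_age`) that the API itself does not define. The sample responses and timestamps are constructed.

```python
"""Evaluate the `attestation` object in a MobileID operation response.

Added example, not Signicat's code. Field names and the "VERIFIED" status
come from the documentation; "FAILED" below is a placeholder for any
non-VERIFIED status, and max_age is a local policy choice.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

VERIFIED = "VERIFIED"
# The documented examples use timestamps like "2019-09-20T13:14:01.984UTC".
TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%S.%fUTC"


@dataclass
class Decision:
    accept: bool              # let the operation result stand
    step_up: bool             # ask for an extra factor before trusting it
    outcome: str              # verified | failed | stale | not_performed | disabled
    platform: Optional[str] = None
    reasons: list = field(default_factory=list)


def parse_attestation_time(value: str) -> datetime:
    """Parse a MobileID attestation timestamp into an aware UTC datetime."""
    return datetime.strptime(value, TIMESTAMP_FORMAT).replace(tzinfo=timezone.utc)


def platform_result(attestation: dict):
    """Return (platform, status, performed_at) for whichever platform's fields are present."""
    if "play_integrity_status" in attestation:
        return ("android", attestation["play_integrity_status"],
                parse_attestation_time(attestation["play_integrity_date"]))
    if "app_attest_status" in attestation:
        return ("ios", attestation["app_attest_status"],
                parse_attestation_time(attestation["app_attest_date"]))
    return (None, None, None)


def evaluate_attestation(response: dict, mode: str, *, now: datetime,
                         max_age: timedelta = timedelta(hours=24)) -> Decision:
    """Post-process a successful device operation according to the configured mode.

    REQUIRED: the Encap server already fails operations with a failed attestation,
    so a non-VERIFIED status here is an inconsistency and is rejected (defence in
    depth). OPTIONAL: the operation succeeded regardless; a failed or stale
    attestation is surfaced as a step-up recommendation, which is the
    "it is up to you what action to take" decision left to the relying party.
    """
    mode = mode.upper()
    if mode not in ("OFF", "OPTIONAL", "REQUIRED"):
        raise ValueError(f"unknown app attestation mode: {mode!r}")
    if mode == "OFF":
        return Decision(True, False, "disabled", reasons=["attestation disabled"])

    attestation = response.get("attestation")
    if not attestation:
        # Attestation is only triggered on registration or first authentication,
        # so later operations may legitimately carry no attestation object.
        return Decision(True, False, "not_performed",
                        reasons=["no attestation object in this response"])

    platform, status, performed_at = platform_result(attestation)
    if platform is None:
        return Decision(mode != "REQUIRED", True, "failed",
                        reasons=["attestation object has no recognised fields"])

    reasons, outcome = [], "verified"
    if status != VERIFIED:
        outcome = "failed"
        reasons.append(f"{platform} attestation status is {status}")
    elif performed_at > now + timedelta(minutes=5):
        outcome = "failed"
        reasons.append("attestation timestamp lies in the future")
    elif now - performed_at > max_age:
        outcome = "stale"
        reasons.append(f"attestation is older than {max_age}")

    ok = outcome == "verified"
    if mode == "REQUIRED":
        return Decision(ok, False, outcome, platform, reasons)
    return Decision(True, not ok, outcome, platform, reasons)


# Constructed sample responses, shaped like the documented examples.
ANDROID_OK = {"attestation": {"play_integrity_status": "VERIFIED",
                              "play_integrity_date": "2019-09-20T13:14:01.984UTC"}}
IOS_FAILED = {"attestation": {"app_attest_status": "FAILED",   # placeholder non-VERIFIED status
                              "app_attest_date": "2019-09-20T13:14:01.984UTC"}}
NOW = datetime(2019, 9, 20, 14, 0, tzinfo=timezone.utc)             # constructed clock
TWO_DAYS_LATER = datetime(2019, 9, 22, 14, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for response, mode in ((ANDROID_OK, "OPTIONAL"), (IOS_FAILED, "OPTIONAL"), (IOS_FAILED, "REQUIRED")):
        print(mode, evaluate_attestation(response, mode, now=NOW))
    print("stale", evaluate_attestation(ANDROID_OK, "OPTIONAL", now=TWO_DAYS_LATER))
```

The freshness check matters because the `*_date` field is the only signal that the verdict belongs to the current session; without it, a verdict recorded once could be treated as valid indefinitely. The 24-hour default and the five-minute future tolerance are illustrative values to tune against your own traffic.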
# Make changes to your configuration
MobileID's app attestation feature is configured in your application configuration.
To set up and make configuration changes to app attestation, send your preferences to us at support@signicat.com. We will update your application configuration for you.