App attestation
About app attestation
Our app attestation feature gives applications additional security, as it prevents third-party use of our APIs. Using this feature guarantees that our Encap server communicates with the correct app.
Without app attestation, any mobile client with a valid AppID and end-to-end (E2E) public key can call and use our Encap mobile client APIs. This could allow a third party to create a malicious app, which can pose security and privacy risks.
How does app attestation work?
Play Integrity for Android
On Android devices, we offer Play Integrity, which is provided by Google as part of the Android platform.
Play Integrity lets you enforce the use of trusted Android devices and genuine apps that have been installed from the Google Play Store.
We use the Play Integrity Attestation API, which assesses the integrity of the device that an app is running on.
If your app generates more traffic than the default Play Integrity API quota, your API requests may return errors. You can find more details about Play Integrity API quota and monitoring in the Android developer documentation.
App Attest for iOS
On iOS devices, we offer App Attest, which is provided by Apple as part of the iOS platform.
App Attest gives your app a way to assert its validity, by enforcing the use of trusted apps with genuine SDKs.
This feature is available on Apple devices running iOS version 14 and later. You can find an overview of the service backing this feature in the Apple developer documentation.
App attestation response object
The attestation result is provided in the response as the attestation object.
Example: Attestation result for Android
"attestation" : {
    "play_integrity_status" : "VERIFIED",
    "play_integrity_date" : "2019-09-20T13:14:01.984UTC"
}
Example: Attestation result for iOS
"attestation" : {
    "app_attest_status" : "VERIFIED",
    "app_attest_date" : "2019-09-20T13:14:01.984UTC"
}
How to configure app attestation
To use our app attestation feature, you need to:
Configure the mobile SDK
You can use the buttons below to learn how to configure the mobile SDK for app attestation.
Configure the application configuration
To enable and configure app attestation, you need to update your application configuration.
You can see what values need to be set in the App attestation configurations table in the application configuration feature documentation.
To find out how to set these properties, see the Make changes to your configuration section on this page.
Attestation modes
The app attestation feature can be used in multiple modes:
- The OFF mode means that attestation is not performed. By default, attestation is turned OFF.
- The OPTIONAL mode means that attestation is performed. If attestation fails, then the transaction will not fail, and a new attestation is performed on the next transaction.
- The REQUIRED mode means that attestation is performed. If attestation fails, then the transaction will fail and the device is locked. The device must perform a successful attestation before it can be used for future transactions. Attestation is triggered on new registrations, or the first authentication if the registration already exists.
Note: Devices running versions of iOS older than iOS 14 will always fail if the mode is REQUIRED, due to requirements by the Apple App Attest API.
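The following is an added example, not code from this documentation or from the Encap product, showing how a relying backend might consume the attestation object described above and apply the OFF / OPTIONAL / REQUIRED semantics to a transaction. It assumes the response shape from the two examples on this page (play_integrity_* keys for Android, app_attest_* keys for iOS) and the date format shown there; the FAILED status value, the function names and the constructed sample responses are assumptions, and any status other than VERIFIED is treated as a failed attestation.

```python
import json
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Constructed sample responses, modelled on the two examples in the documentation.
ANDROID_RESPONSE = (
    '{"attestation": {"play_integrity_status": "VERIFIED", '
    '"play_integrity_date": "2019-09-20T13:14:01.984UTC"}}'
)
IOS_RESPONSE = (
    '{"attestation": {"app_attest_status": "VERIFIED", '
    '"app_attest_date": "2019-09-20T13:14:01.984UTC"}}'
)
# Constructed: a response whose status is not VERIFIED. The literal "FAILED"
# is an assumption; the page only documents the VERIFIED value.
FAILED_RESPONSE = (
    '{"attestation": {"app_attest_status": "FAILED", '
    '"app_attest_date": "2019-09-20T13:14:01.984UTC"}}'
)

MODES = ("OFF", "OPTIONAL", "REQUIRED")
DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fUTC"  # matches "2019-09-20T13:14:01.984UTC"


def parse_attestation(response_json: str) -> Tuple[Optional[str], Optional[datetime], str]:
    """Extract (status, date, platform) from the attestation object.

    platform is "android" for play_integrity_* keys, "ios" for app_attest_* keys,
    and "unknown" when neither is present (e.g. attestation mode OFF).
    """
    body = json.loads(response_json)
    att = body.get("attestation") or {}
    for platform, prefix in (("android", "play_integrity"), ("ios", "app_attest")):
        status = att.get(f"{prefix}_status")
        if status is None:
            continue
        raw_date = att.get(f"{prefix}_date")
        date = None
        if raw_date:
            # The page's timestamps carry a literal "UTC" suffix, so parse and tag as UTC.
            date = datetime.strptime(raw_date, DATE_FORMAT).replace(tzinfo=timezone.utc)
        return status, date, platform
    return None, None, "unknown"


def evaluate_transaction(mode: str, response_json: str) -> Dict[str, object]:
    """Apply the documented mode semantics to one transaction's response.

    Returns a decision record: whether the transaction may proceed, whether the
    device should be locked (REQUIRED only), and whether attestation should be
    re-run on the next transaction (OPTIONAL only).
    """
    if mode not in MODES:
        raise ValueError(f"unknown attestation mode: {mode!r}")

    status, date, platform = parse_attestation(response_json)
    verified = status == "VERIFIED"

    if mode == "OFF":
        # No attestation is performed; the result, if any, is not consulted.
        return {"allow": True, "lock_device": False, "reattest_next": False,
                "platform": platform, "reason": "attestation disabled"}

    if mode == "OPTIONAL":
        # A failed attestation does not fail the transaction; retry next time.
        return {"allow": True, "lock_device": False, "reattest_next": not verified,
                "platform": platform, "attested_at": date,
                "reason": "verified" if verified else f"attestation status {status!r}, will retry"}

    # REQUIRED: a failed attestation fails the transaction and locks the device.
    return {"allow": verified, "lock_device": not verified, "reattest_next": False,
            "platform": platform, "attested_at": date,
            "reason": "verified" if verified else f"attestation status {status!r}, device locked"}


if __name__ == "__main__":
    for mode in MODES:
        for name, resp in (("android", ANDROID_RESPONSE), ("ios", IOS_RESPONSE), ("failed", FAILED_RESPONSE)):
            print(mode, name, evaluate_transaction(mode, resp))
```

The decision record is deliberately explicit about the lock and retry flags so that the REQUIRED-mode lock can be logged and alerted on as a security event rather than silently folded into a generic authentication failure.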
Make changes to your configuration
To update your application configuration with the necessary properties, you can either:
- Use the Signicat Dashboard.
- Use our MobileID Admin REST API.