# App attestation
# About app attestation
Our app attestation feature gives applications additional security by preventing third-party apps from using our APIs. With attestation enabled, the Encap server can verify that it is communicating with a genuine build of your app, rather than with an arbitrary client that happens to hold the same credentials.
Without app attestation, any mobile client that holds a valid AppID and end-to-end (E2E) public key can call our Encap mobile client APIs. A third party could therefore build a malicious app that impersonates yours, which poses security and privacy risks.
# How does app attestation work?
# Play Integrity for Android
On Android devices, we offer Play Integrity, which is provided by Google as part of the Android platform.
Play Integrity lets you enforce the use of trusted Android devices and genuine apps that have been installed from the Google Play Store.
We use the Play Integrity API, which assesses the integrity of the device that an app is running on and of the app itself.
Note
If your app generates more traffic than the default Play Integrity API quota, your API requests may return errors. You can find more details about Play Integrity API quota and monitoring in the Android developer documentation.
# App Attest for iOS
On iOS devices, we offer App Attest, which is provided by Apple as part of the iOS platform.
App Attest gives your app a way to assert its validity, so that only genuine, unmodified builds of trusted apps running on genuine Apple devices are accepted.
This feature is available on Apple devices running iOS 14 and later. You can find an overview of the service backing this feature in the Apple developer documentation.
# App attestation response object
The attestation result is provided in the response as the `attestation` object. Which pair of fields is present depends on the platform of the device: Android responses carry the `play_integrity_*` fields and iOS responses carry the `app_attest_*` fields, as the examples below show.

| Field name | Description |
|---|---|
| `play_integrity_status` | Play Integrity attestation status for the device. See Play Integrity statuses in our MobileID API reference documentation for a list of possible values. |
| `play_integrity_date` | Date and time (UTC) when the Play Integrity attestation was performed. |
| `app_attest_status` | App Attest attestation status for the device. See App Attest statuses in our MobileID API reference documentation for a list of possible values. |
| `app_attest_date` | Date and time (UTC) when the App Attest attestation was performed. |
Example: Attestation result for Android

```json
{
  "attestation": {
    "play_integrity_status": "VERIFIED",
    "play_integrity_date": "2019-09-20T13:14:01.984UTC"
  }
}
```

Example: Attestation result for iOS

```json
{
  "attestation": {
    "app_attest_status": "VERIFIED",
    "app_attest_date": "2019-09-20T13:14:01.984UTC"
  }
}
```
# How to configure app attestation
To use our app attestation feature, you need to:
- Configure the mobile SDK.
- Configure the application configuration.
# Configure the mobile SDK
Configure the mobile SDK for app attestation as described in the SDK documentation for your platform (Android or iOS).
# Configure the application configuration
To enable and configure app attestation, you need to update your application configuration.
You can see what values need to be set in the App attestation configurations table in the application configuration feature documentation.
To find out how to set these properties, see the Make changes to your configuration section on this page.
# Attestation modes
The app attestation feature can be used in one of three modes:
- `OFF`: attestation is not performed. This is the default.
- `OPTIONAL`: attestation is performed. If it fails, the transaction does not fail, and a new attestation is performed on the next transaction.
- `REQUIRED`: attestation is performed. If it fails, the transaction fails and the device is locked. The device must complete a successful attestation before it can be used for future transactions. Attestation is triggered on new registrations, or on the first authentication if the registration already exists.
Note: Devices running versions of iOS older than iOS 14 will always fail attestation if the mode is `REQUIRED`, because Apple's App Attest API requires iOS 14 or later.
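The following is an added example, not code from this page or from the Encap server: a backend-side policy check that consumes the `attestation` object documented above and applies the `OFF` / `OPTIONAL` / `REQUIRED` semantics described in this section. The `MAX_AGE` freshness window, the `decide` and `evaluate_attestation` helpers, and the `EXAMPLE_FAILURE` status used in the failing sample are assumptions for illustration; the only status value shown on this page is `VERIFIED`, and the real list of statuses is in the MobileID API reference. The timestamp format is the one used in the page's examples.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Hypothetical helper code, not part of the MobileID API or the Encap server.
DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fUTC"   # format used in the page's examples
VERIFIED = "VERIFIED"                    # the only status value shown on this page
MAX_AGE = timedelta(hours=24)            # assumed freshness window, not from the page


@dataclass
class AttestationResult:
    platform: str                  # "android", "ios" or "unknown"
    status: Optional[str]
    performed_at: Optional[datetime]
    verified: bool
    reason: str


def parse_attestation_date(value: str) -> datetime:
    """Parse the page's timestamp format into a timezone-aware UTC datetime."""
    return datetime.strptime(value, DATE_FORMAT).replace(tzinfo=timezone.utc)


def evaluate_attestation(attestation: dict, now: datetime) -> AttestationResult:
    """Work out which platform attested and whether the result is VERIFIED and fresh."""
    if "play_integrity_status" in attestation:
        platform, status_key, date_key = "android", "play_integrity_status", "play_integrity_date"
    elif "app_attest_status" in attestation:
        platform, status_key, date_key = "ios", "app_attest_status", "app_attest_date"
    else:
        return AttestationResult("unknown", None, None, False, "no attestation fields present")

    status = attestation.get(status_key)
    if status != VERIFIED:
        return AttestationResult(platform, status, None, False, f"status is {status!r}, not {VERIFIED}")

    raw_date = attestation.get(date_key)
    if raw_date is None:
        return AttestationResult(platform, status, None, False, f"{date_key} missing")
    try:
        performed_at = parse_attestation_date(raw_date)
    except ValueError:
        return AttestationResult(platform, status, None, False, f"unparseable {date_key}: {raw_date!r}")

    # A VERIFIED status from long ago says little about the device now; treat it as stale.
    if now - performed_at > MAX_AGE:
        return AttestationResult(platform, status, performed_at, False, "attestation is stale")
    return AttestationResult(platform, status, performed_at, True, "verified and fresh")


def decide(mode: str, attestation: dict, now: datetime) -> Tuple[bool, str]:
    """Apply the page's mode semantics: OFF ignores the object, OPTIONAL accepts but
    flags a failure so the next transaction re-attests, REQUIRED rejects and locks."""
    if mode == "OFF":
        return True, "attestation not evaluated"
    result = evaluate_attestation(attestation, now)
    if result.verified:
        return True, f"{result.platform}: {result.reason}"
    if mode == "OPTIONAL":
        return True, f"{result.platform}: {result.reason}; re-attest on next transaction"
    if mode == "REQUIRED":
        return False, f"{result.platform}: {result.reason}; device locked until attestation succeeds"
    raise ValueError(f"unknown attestation mode {mode!r}")


# Constructed sample objects. The first two match the examples on this page; the
# third uses a placeholder status that is NOT a documented value.
ANDROID_OK = {"play_integrity_status": "VERIFIED", "play_integrity_date": "2019-09-20T13:14:01.984UTC"}
IOS_OK = {"app_attest_status": "VERIFIED", "app_attest_date": "2019-09-20T13:14:01.984UTC"}
ANDROID_FAILED = {"play_integrity_status": "EXAMPLE_FAILURE", "play_integrity_date": "2019-09-20T13:14:01.984UTC"}

# Fixed clocks so the 2019 sample dates can be judged fresh or stale deterministically.
SAMPLE_NOW = parse_attestation_date("2019-09-20T14:00:00.000UTC")
LATER_NOW = parse_attestation_date("2019-09-22T14:00:00.000UTC")

if __name__ == "__main__":
    for mode in ("OFF", "OPTIONAL", "REQUIRED"):
        for name, obj in (("android_ok", ANDROID_OK), ("ios_ok", IOS_OK), ("android_failed", ANDROID_FAILED)):
            print(mode, name, decide(mode, obj, SAMPLE_NOW))
    print("REQUIRED android_ok (stale)", decide("REQUIRED", ANDROID_OK, LATER_NOW))
```

The staleness check is the part the page does not spell out: the Encap server enforces the mode per transaction, but a consumer of the response should still not treat a `VERIFIED` status as a permanent property of the device, since the `*_date` field tells you when the check was actually made.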
# Make changes to your configuration
To update your application configuration with the necessary properties, you can either:
- Use the Signicat Dashboard.
- Use our MobileID Admin REST API.