mobsf.mobsfscan.best_practices.android_safetynetapi.android_safetynet_api

Author
unknown
Download Count*
License
This app does not uses SafetyNet Attestation API that provides cryptographically-signed attestation, assessing the device's integrity. This check helps to ensure that the servers are interacting with the genuine app running on a genuine Android device.
Run Locally
Run in CI
Defintion
rules:
- id: android_safetynet_api
patterns:
- pattern-either:
- pattern: |
import com.google.android.gms.safetynet.SafetyNetApi;
- pattern: |
$S = SafetyNet.getClient(...);
...
$T = $S.attest(...);
- pattern: |
new RNGoogleSafetyNetPackage(...)
message: "This app does not uses SafetyNet Attestation API that provides
cryptographically-signed attestation, assessing the device's integrity.
This check helps to ensure that the servers are interacting with the
genuine app running on a genuine Android device. "
languages:
- java
severity: INFO
metadata:
cwe: cwe-353
owasp-mobile: m8
masvs: resilience-1
reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
license: LGPL-3.0-or-later
vulnerability_class:
- Other
Short Link: https://sg.run/1lOw