mobsf.mobsfscan.best_practices.android_safetynetapi.android_safetynet_api

MobSF

Author

unknown

Download Count*

License

This app does not uses SafetyNet Attestation API that provides cryptographically-signed attestation, assessing the device's integrity. This check helps to ensure that the servers are interacting with the genuine app running on a genuine Android device.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: android_safetynet_api
    patterns:
      - pattern-either:
          - pattern: |
              import com.google.android.gms.safetynet.SafetyNetApi;
          - pattern: |
              $S = SafetyNet.getClient(...);
              ...
              $T = $S.attest(...);
          - pattern: |
              new RNGoogleSafetyNetPackage(...)
    message: "This app does not uses SafetyNet Attestation API that provides
      cryptographically-signed attestation, assessing the device's integrity.
      This check helps to ensure that the servers are interacting with the
      genuine app running on a genuine Android device. "
    languages:
      - java
    severity: INFO
    metadata:
      cwe: cwe-353
      owasp-mobile: m8
      masvs: resilience-1
      reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
      license: LGPL-3.0-or-later
      vulnerability_class:
        - Other

Short Link: https://sg.run/1lOw