App Device Integrity
This plugin makes app attestation easier. It uses the native attestation providers from Apple and Google, App Attest and Play Integrity respectively, to generate tokens that your server verifies (and, in the Play Integrity case, decrypts) to check whether your app is running on a trustworthy device and has not been tampered with.
How to Use It
To use this plugin correctly, you need to cover these two requirements:
Provide a Session UUID (iOS)
Provide your GCP Project ID (Android)
iOS:
The Session UUID is the one-time challenge created by your server. The app hands it to App Attest when it requests the token, so the token issued to the device is "marked" with that challenge.
Note that your server never sends the challenge to Apple. The flow is: the server generates the challenge and sends it to the app; the app passes it (as a hash) into the attestation request; Apple's attestation service binds it into the token it returns. When the token reaches your server, the server recomputes that binding and compares it with the challenge it issued for the session. A match proves the token was produced by a device that received this session UUID and is not a replay of a token from an earlier session. Generate the UUID from a cryptographically secure random source, accept each value only once, and let unused values expire after a short time.
Android:
Providing the GCP Project ID links your app with the Google Cloud project that Play Integrity requires before it will issue tokens for your app. Before you implement it in your project, follow the steps in the following doc:
https://developer.android.com/google/play/integrity/setup?set-google-console#set-google-console
To be precise: once you link your Google Cloud project to your app in the Google Play Console, the value you need is the numeric Cloud project number, which the Google Cloud console lists alongside the project name and the alphanumeric project ID. The plugin takes it as an int (it is the value Play Integrity's setCloudProjectNumber expects), so the alphanumeric project ID will not work.
It's recommended to supply the project number through an environment variable (for example a `--dart-define` value read with `int.fromEnvironment`) rather than hard-coding it, so each build is linked to the right project for its environment.
How To Implement
After you add the plugin to your project, implement the token generation as follows:
// Instantiate the plugin however you prefer
// (the import path below is assumed from the package name).
import 'dart:io' show Platform;
import 'package:app_device_integrity/app_device_integrity.dart';

final _appAttestationPlugin = AppDeviceIntegrity();

// You need to provide:
// - a UUID generated by your server, one per attestation request
//   (you can customize the rules used to generate it);
// - on Android, the numeric GCP project number as well.
// For a more practical implementation, check the plugin example.
// Assumes the plugin returns the attestation token as a String.
Future<String?> requestAttestationToken() async {
  // Placeholder value: fetch the real session UUID from your server each time.
  final String sessionId = '550e8400-e29b-41d4-a716-446655440000';
  const int gcp = 0000000000; // YOUR GCP PROJECT NUMBER (Android only)

  if (Platform.isAndroid) {
    return _appAttestationPlugin.getAttestationServiceSupport(
        challengeString: sessionId, gcp: gcp);
  }
  // iOS: App Attest only needs the server-issued challenge.
  return _appAttestationPlugin.getAttestationServiceSupport(
      challengeString: sessionId);
}
Server:
I am very proud to provide you with an open-source service that verifies your attestation tokens on the server side.
It checks which platform the token comes from and verifies it, returning risk information (the device and app integrity verdicts) that lets you make better decisions about reinforcing the security of your services.
Feel free to fork or clone it and customize it according to your business demands.
For more information about App Attest and Play Integrity, see the docs from Apple and Google at the links below:
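The server-side counterpart to the iOS session UUID, the Android project linking and the verification service described above, as an added example in Python that is not the plugin's code nor its companion service. It assumes the token has already been parsed (App Attest CBOR decoding and certificate-chain validation, and Play Integrity JWE decryption, are out of scope) and shows the three checks that tie the parsed token back to the challenge the server issued: a challenge store that makes the session UUID random, single-use and short-lived; the App Attest nonce binding check from Apple's verification steps; and the evaluation of a constructed decrypted Play Integrity payload. The class, function and check names are mine; the payload field names are those of the Play Integrity verdict JSON, and the sample payload is constructed for this example.

```python
"""Server-side checks for the session UUID and the returned attestation tokens.

Added example, not the plugin's own server. Token parsing is assumed to have
happened already; this is the logic that binds the token to the challenge.
"""
import hashlib
import secrets
import time
import uuid


class ChallengeStore:
    """Issues unpredictable, single-use, short-lived session UUIDs.

    `now` is injectable so expiry can be tested deterministically.
    """

    def __init__(self, ttl_seconds: int = 300, now=time.time):
        self._ttl = ttl_seconds
        self._now = now
        self._pending: dict[str, float] = {}  # challenge -> expiry time

    def issue(self) -> str:
        # uuid4 is built on os.urandom; never use uuid1 (time/MAC derived, guessable).
        challenge = str(uuid.uuid4())
        self._pending[challenge] = self._now() + self._ttl
        return challenge

    def redeem(self, challenge: str) -> bool:
        """Consume the challenge. A replayed (already used), unknown or expired
        challenge is rejected; pop() guarantees one successful redeem per value."""
        expiry = self._pending.pop(challenge, None)
        return expiry is not None and self._now() <= expiry


def app_attest_expected_nonce(auth_data: bytes, challenge: str) -> bytes:
    """Nonce Apple places in the attestation's credCert extension:
    SHA256(authenticatorData || SHA256(challenge)). Assumes the app hashed the
    challenge's UTF-8 bytes as clientDataHash, as Apple's guide describes."""
    client_data_hash = hashlib.sha256(challenge.encode("utf-8")).digest()
    return hashlib.sha256(auth_data + client_data_hash).digest()


def verify_app_attest_binding(auth_data: bytes, cert_nonce: bytes, challenge: str) -> bool:
    """True only if the nonce recovered from the certificate was computed over our challenge."""
    return secrets.compare_digest(app_attest_expected_nonce(auth_data, challenge), cert_nonce)


def evaluate_play_integrity(payload: dict, challenge: str, package_name: str,
                            now_ms: int, max_age_ms: int = 5 * 60 * 1000) -> dict:
    """Evaluate a decrypted Play Integrity payload (the JSON returned by
    decryptIntegrityToken). Each entry is one risk signal; the caller decides
    what to do with a partial pass. The nonce is compared with the exact string
    the app sent (if the plugin base64-encodes the challenge, compare with that)."""
    details = payload.get("requestDetails", {})
    device = set(payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    issued_ms = int(details.get("timestampMillis", "0"))
    return {
        "nonce_matches": secrets.compare_digest(
            details.get("nonce", "").encode("utf-8"), challenge.encode("utf-8")),
        "package_matches": details.get("requestPackageName") == package_name,
        "fresh": 0 <= now_ms - issued_ms <= max_age_ms,
        "app_recognized": payload.get("appIntegrity", {}).get("appRecognitionVerdict")
        == "PLAY_RECOGNIZED",
        "device_trusted": "MEETS_DEVICE_INTEGRITY" in device,
        "licensed": payload.get("accountDetails", {}).get("appLicensingVerdict") == "LICENSED",
    }


def is_trusted(checks: dict) -> bool:
    """Binding and identity checks are hard requirements; the device and account
    verdicts are the risk signals you tune to your business needs."""
    return all(checks[k] for k in ("nonce_matches", "package_matches", "fresh", "app_recognized"))


# Constructed sample, shaped like a decrypted Play Integrity token payload.
SAMPLE_PLAY_INTEGRITY_PAYLOAD = {
    "requestDetails": {
        "requestPackageName": "com.example.app",
        "nonce": "550e8400-e29b-41d4-a716-446655440000",
        "timestampMillis": "1700000000000",
    },
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                     "packageName": "com.example.app", "versionCode": "42"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
}


if __name__ == "__main__":
    store = ChallengeStore()
    session_id = store.issue()  # sent to the app before it calls the plugin
    print("issued        :", session_id)
    print("first redeem  :", store.redeem(session_id))
    print("replay redeem :", store.redeem(session_id))
    checks = evaluate_play_integrity(SAMPLE_PLAY_INTEGRITY_PAYLOAD,
                                     "550e8400-e29b-41d4-a716-446655440000",
                                     "com.example.app", now_ms=1700000010000)
    print(checks, "trusted:", is_trusted(checks))
```

Redeem the challenge only after the token's binding check passes, or a failed attempt will burn the session; in a multi-instance deployment the pending map belongs in a shared store with the same TTL and delete-on-read semantics.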
https://developer.apple.com/documentation/devicecheck/establishing-your-app-s-integrity
https://developer.android.com/google/play/integrity