app_device_integrity_plus 1.0.0

Flutter plugin for App Attest and Play Integrity with real challenge (nonce) support. Replaces static dummy nonce with server-generated values.

App Device Integrity Plus #

🇺🇸 English

Why? #

What This Fork Fixes #

The original app_device_integrity had a critical issue:

  • The challengeString (nonce) sent from Flutter was completely ignored.

  • The plugin always used a static Base64.encode(ByteArray(40)) value.

  • This produced the well-known "AAAAAAAAAAAA..." nonce in Play Integrity logs.

  • Real server-side verification was not possible because the nonce never matched.

Fixes in This Version #

This fork fixes all of that.

  • Proper nonce passthrough from Flutter → Native → Play Integrity

  • Removed static dummy nonce (ByteArray(40))

  • Added proper MethodChannel argument handling

  • Updated API to accept challengeString exactly as given

  • Real attestation with server-side validation now works

  • README rewritten for clarity

  • Additional flow diagram for easier understanding


🚀 How to Use #

  1. Request a nonce from your backend

Your server must generate a unique challenge per session.

final sessionId = await api.getNonce();

  2. Pass the nonce into the plugin

import 'dart:io';
// Import path follows the usual pub package layout (assumption).
import 'package:app_device_integrity_plus/app_device_integrity_plus.dart';

final integrity = AppDeviceIntegrityPlus();

// Declaring `token` outside the branches keeps it in scope for step 3;
// Android additionally needs the Google Cloud project number (gcp).
final token = Platform.isAndroid
    ? await integrity.getAttestationServiceSupport(
        challengeString: sessionId,
        gcp: 523725941100,
      )
    : await integrity.getAttestationServiceSupport(
        challengeString: sessionId,
      );

  3. Send the token to your backend for validation

await api.verifyIntegrity(token);

📊 Attestation Flow (App ↔ API Server ↔ Google) #

sequenceDiagram
    participant APP
    participant API as API Server
    participant GOOGLE as Google Server

    APP->>API: Request nonce
    API-->>APP: Issue nonce (server-generated value)
    APP->>GOOGLE: Call Play Integrity API (with nonce)
    GOOGLE-->>APP: Return signed token (JWT)
    APP->>API: Send token for verification
    
    note right of API: Backend verification begins
    
    API->>API: 1. Verify JWT signature using cached Google public keys
    API->>API: 2. Decode token payload
    API->>API: 3. Validate nonce, timestamp, package name, etc.
    
    note right of API: Verification complete
    
    API-->>APP: OK (trusted device/app) or Error
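The backend side of the diagram above, as an added example that is not part of this plugin: a Python verifier that issues one nonce per session and then runs step 3 on a decoded Play Integrity verdict (nonce single-use match, freshness, package name, app and device verdicts). It assumes steps 1-2 (signature verification and decoding) already happened; the field names are those of the Play Integrity verdict JSON, and the 5-minute freshness window is an assumed policy value.

```python
import base64
import secrets

# Constructed to mirror the static nonce the original plugin always sent
# (Base64.encode(ByteArray(40))): the "AAAA..." value seen in Play Integrity logs.
STATIC_DUMMY_NONCE = base64.b64encode(bytes(40)).decode()

# Freshness window for requestDetails.timestampMillis (assumed policy value).
MAX_TOKEN_AGE_MS = 5 * 60 * 1000


class NonceStore:
    """Issues one random nonce per session; each may be consumed exactly once."""

    def __init__(self):
        self._issued = {}  # nonce -> issue time (ms)

    def issue(self, now_ms):
        nonce = base64.urlsafe_b64encode(secrets.token_bytes(32)).decode().rstrip("=")
        self._issued[nonce] = now_ms
        return nonce

    def consume(self, nonce):
        """True only if we issued this nonce and it has not been used before."""
        return self._issued.pop(nonce, None) is not None


def verify_verdict(payload, store, expected_package, now_ms):
    """Step 3 of the backend flow: check the decoded verdict (signature already
    verified in steps 1-2) against the session nonce, freshness and package name.
    Returns (ok, reason)."""
    req = payload.get("requestDetails", {})
    nonce = req.get("nonce", "")
    # The dummy nonce is rejected explicitly so the original bug can't pass silently;
    # any nonce we did not issue, or one seen before (replay), fails the same way.
    if nonce == STATIC_DUMMY_NONCE or not store.consume(nonce):
        return False, "nonce not issued by server or already used"
    age_ms = now_ms - int(req.get("timestampMillis", 0))
    if not 0 <= age_ms <= MAX_TOKEN_AGE_MS:
        return False, "token outside freshness window"
    if req.get("requestPackageName") != expected_package:
        return False, "package name mismatch"
    app = payload.get("appIntegrity", {})
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return False, "app not recognized by Play"
    device = payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if "MEETS_DEVICE_INTEGRITY" not in device:
        return False, "device integrity not met"
    return True, "ok"
```

Because `consume` pops the nonce, a second verdict carrying the same nonce is rejected as a replay even if every other field is valid.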

📚 References #

🇰🇷 Korean

🔧 Why was this made? #

Problems in the original app_device_integrity plugin #

  • The challengeString (nonce) passed from Flutter was not used at all
  • Internally, a Base64-encoded ByteArray(40) value was always used
  • As a result, only the "AAAAAAAAAA..." nonce appeared in Play Integrity logs
  • Nonce mismatch during server verification → proper security verification impossible

βœ… 이 λ²„μ „μ—μ„œ μˆ˜μ • / κ°œμ„ λœ λ‚΄μš© #

이 ν¬ν¬λŠ” 이 문제λ₯Ό μ „λΆ€ ν•΄κ²°ν•©λ‹ˆλ‹€.

  • μ„œλ²„μ—μ„œ 받은 nonceλ₯Ό κ·ΈλŒ€λ‘œ Play Integrity에 전달

  • 더 이상 static dummy nonce μ‚¬μš©ν•˜μ§€ μ•ŠμŒ

  • MethodChannel νŒŒλΌλ―Έν„° 처리 μˆ˜μ •

  • Android/iOSμ—μ„œ μ‹€μ œ nonce 기반 토큰 생성 κ°€λŠ₯

  • README μ „λ©΄ μž¬μž‘μ„±

  • ν”Œλ‘œμš° λ‹€μ΄μ–΄κ·Έλž¨ μΆ”κ°€

🚀 How to Use #

  1. Issue a nonce from the server

final sessionId = await api.getNonce();

  2. Pass the nonce into the plugin

import 'dart:io';
// Import path follows the usual pub package layout (assumption).
import 'package:app_device_integrity_plus/app_device_integrity_plus.dart';

final integrity = AppDeviceIntegrityPlus();

// Declaring `token` outside the branches keeps it in scope for step 3;
// Android additionally needs the Google Cloud project number (gcp).
final token = Platform.isAndroid
    ? await integrity.getAttestationServiceSupport(
        challengeString: sessionId,
        gcp: 523725941100,
      )
    : await integrity.getAttestationServiceSupport(
        challengeString: sessionId,
      );

  3. Send the token to the server for verification

await api.verifyIntegrity(token);

📊 Full Flow (App ↔ Server ↔ Google) #

sequenceDiagram
    participant APP
    participant API as API Server
    participant GOOGLE as Google Server

    APP->>API: Request nonce issuance
    API-->>APP: Issue nonce (generate unique value)
    APP->>GOOGLE: Call Play Integrity API (including nonce)
    GOOGLE-->>APP: Return signed token (JWT)
    APP->>API: Send token (verification request)
    
    note right of API: Local verification starts on the API server (backend)
    
    API->>API: 1. Verify token signature with (cached) Google public key
    API->>API: 2. Decode token payload
    API->>API: 3. Check nonce, timestamp, app info (package name), etc.
    
    note right of API: Verification complete
    
    API-->>APP: OK (genuine app / trustworthy) or Error
License

unknown (license)

Dependencies

flutter, plugin_platform_interface
