dreiAttest implements Google's SafetyNet and Apple's DeviceCheck frameworks to allow you to verify that requests made to your server come from an actual device. It can be used in Android and Kotlin Multiplatform projects. An iOS-only version is also available. To use dreiAttest you also need to run dreiAttest on your server.
Typically only certain endpoints over which sensitive data can be accessed are protected by dreiAttest. For this reason you define a base URL: requests starting with this base URL are handled by dreiAttest, while requests to other endpoints are simply forwarded to your server. For example, if you define the base URL `https://example.com/attested`:

- Requests to `https://example.com/login` are not handled by dreiAttest
- Requests to `https://example.com/attested/profile-info` are handled by dreiAttest
You should only create an `AttestService` after the user has logged in, and pass in your service's user id. dreiAttest will generate a new key every time a user logs in with a different account. Apple counts these keys for you and allows you to identify suspicious login behavior.
For more information on how dreiAttest works read the whitepaper or our blog post.
First, add the GitHub Packages Maven repository:

```kotlin
repositories {
    ...
    maven {
        url = uri("https://maven.pkg.github.com/dreipol/dreiAttest-android")
        credentials {
            username = <Github-Username>
            password = <Github-Token>
        }
    }
}
```
Add the dependency to your `build.gradle`:

```kotlin
implementation("ch.dreipol.dreiattest.multiplatform:multiplatform:<version>")
```

Add the Android-only dependency to your `build.gradle`:

```kotlin
implementation("ch.dreipol.dreiattest.multiplatform:multiplatform-android:<version>")
```
The library uses the `AttestationProvider` interface to wrap the actual Google or Apple device attestation services. On Android, dreiAttest uses the Play Integrity API for device attestation. To use this service you need to activate the Integrity API as described here.
To use the `DreiAttestService`, create a new instance and call the `initWith` function, as follows:

```kotlin
val attestationProvider = ... // GoogleAttestationProvider on Android / AppleAttestationProvider on iOS
val attestService = DreiAttestService()
try {
    attestService.initWith(
        baseAddress = "https://example.com/attested",
        sessionConfiguration = SessionConfiguration(
            user = "[email protected]",
            attestationProvider = attestationProvider
        )
    )
} catch (e: UnsupportedException) {
    // handle running on unsupported devices such as iOS Simulators
}
```
You would typically want to create the `GoogleAttestationProvider` in your application's `onCreate` and the `AppleAttestationProvider` in your `application(_:didFinishLaunchingWithOptions:)` method, and pass it to your multiplatform code from there.
There is a ktor-client plugin available; you can use it as follows:

```kotlin
HttpClient {
    ...
    install(DreiAttestPlugin) {
        this.attestService = attestService
    }
    ...
}
```

The plugin now signs every request whose URL matches the `baseAddress` configured in the `DreiAttestService`.
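The following is an added example, not code from the dreiAttest project, that ties together the pieces above: the platform provider created in `onCreate` and handed to shared code, the `DreiAttestService` created only after login (and again on account switch), the ktor client with the plugin installed, and a small helper that checks which URLs fall under the configured base address. Assumptions are labelled in the code: `GoogleAttestationProvider` is assumed to take the Android `Context` as its only constructor argument, the dreiAttest package name is not shown on this page so its imports are omitted, and `isUnderBaseAddress` is a stricter check than plain prefix matching (it rejects sibling paths such as `/attested-admin`) intended for verifying your own endpoint layout, not a description of the library's internal matching rule.

```kotlin
// Added example (not part of dreiAttest). Imports for DreiAttestService,
// SessionConfiguration, AttestationProvider, GoogleAttestationProvider,
// UnsupportedException and DreiAttestPlugin come from the library; its
// package name is not shown on this page, so they are omitted here.

// ---- commonMain/Attestation.kt -------------------------------------------

import io.ktor.client.HttpClient
import io.ktor.client.request.get
import io.ktor.client.statement.bodyAsText

const val ATTESTED_BASE = "https://example.com/attested"

/** Holder for the platform-specific provider created at app start-up. */
object AttestationSetup {
    lateinit var provider: AttestationProvider
}

/**
 * Returns true when [url] lies under [baseAddress]. Trailing slashes are
 * normalised, and a sibling path such as ".../attested-admin" is rejected so
 * that "starts with" cannot accidentally widen the protected surface.
 * (Assumption: this is our own layout check, not the library's rule.)
 */
fun isUnderBaseAddress(url: String, baseAddress: String = ATTESTED_BASE): Boolean {
    val base = baseAddress.trimEnd('/')
    return url == base || url.startsWith("$base/")
}

/**
 * Creates the attest service once the user is logged in. Call it again after
 * an account switch, since dreiAttest issues a new key per user account.
 * Returns null on unsupported devices (e.g. iOS Simulator) so the caller can
 * decide how to degrade instead of silently skipping attestation.
 */
fun createAttestService(userId: String): DreiAttestService? {
    val service = DreiAttestService()
    return try {
        service.initWith(
            baseAddress = ATTESTED_BASE,
            sessionConfiguration = SessionConfiguration(
                user = userId,
                attestationProvider = AttestationSetup.provider
            )
        )
        service
    } catch (e: UnsupportedException) {
        null
    }
}

/** HttpClient whose requests under the base address are signed by the plugin. */
fun attestedClient(service: DreiAttestService): HttpClient = HttpClient {
    install(DreiAttestPlugin) {
        this.attestService = service
    }
}

/** Example call after login: the profile endpoint is under the base address, so it is signed. */
suspend fun loadProfile(userId: String): String? {
    val service = createAttestService(userId) ?: return null
    val client = attestedClient(service)
    val profileUrl = "$ATTESTED_BASE/profile-info"
    check(isUnderBaseAddress(profileUrl))          // signed by the plugin
    check(!isUnderBaseAddress("https://example.com/login")) // forwarded unsigned
    return client.get(profileUrl).bodyAsText()
}

// ---- androidMain/MyApp.kt ------------------------------------------------

import android.app.Application

class MyApp : Application() {
    override fun onCreate() {
        super.onCreate()
        // Assumption: GoogleAttestationProvider(context); the real constructor may differ.
        AttestationSetup.provider = GoogleAttestationProvider(this)
    }
}
```

Keeping the provider in a small holder object lets the shared code stay free of platform types; on iOS the equivalent step is assigning the `AppleAttestationProvider` in `application(_:didFinishLaunchingWithOptions:)`. Returning `null` from `createAttestService` on unsupported devices keeps the decision about what to do next (a reduced-functionality client, a development bypass, or an error) explicit in the caller rather than hidden in a catch block.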
During development it may be useful to set up a shared secret on the server to bypass dreiAttest. You can pass this shared secret to the library using the `DREIATTEST_BYPASS_SECRET` environment variable or by passing it to the `AttestService` in its initializer.