pyattest
pyattest provides a common interface that helps you verify attestations from either Google or Apple. The package works standalone but if you use django and need a full implementation with key generation and storage then django-dreiattest could be of interest for you.
Installation
pyattest is available on PyPI and can be installed via $ python -m pip install pyattest
Usage
In it's most basic form you can create either a GoogleConfig
, GooglePlayIntegrityApiConfig
or AppleConfig
instance, create an Attestation
and verify it.
Google Play Integrity API
The following parameters are important:
-
decryption_key
: A Base64 encoded AES key secret as described here -
verification_key
: A Base64 encoded public key as described here -
apk_package_name
: Name of your apk -
attest
: The jwt object string representing the attestation, which is a jws nested in a jwe object -
nonce
: The nonce used to create the attestation
config = GooglePlayIntegrityApiConfig(
decryption_key=[decryption_key],
verification_key=[decryption_key],
apk_package_name='ch.dreipol.demo',
production=True
)
attestation = Attestation(attest, nonce, config)
try:
attestation.verify()
except PyAttestException as exception:
# Do your thing
pass
Google (Legacy: SafetyNet)
The following parameters are important:
-
key_id
: A Base64 encoded SHA-256 hash of your apps certificate -
apk_package_name
: Name of your apk -
production
: Ignores basic integrity and cts profile check ifFalse
-
attest
: The jws object string representing the attestation -
nonce
: The nonce used to create the attestation
config = GoogleConfig(key_ids=[key_id], apk_package_name='ch.dreipol.demo', production=True)
attestation = Attestation(attest, nonce, config)
try:
attestation.verify()
except PyAttestException as exception:
# Do your thing
pass
Apple
The following parameters are important:
-
key_id
: SHA-256 hash of the public key form the cert you got back from the attestation -
app_id
: Your app’s App ID, which is the concatenation of your 10-digit team identifier, a period, and your app’s CFBundleIdentifier value -
production
: Checks for the appropriateaaguid
-
attest
: The apple attestation as binary -
nonce
: The nonce used to create the attestation
config = AppleConfig(key_id=key_id, app_id='1234ABCDEF.ch.dreipol.demo', production=True)
attestation = Attestation(attest, nonce, config)
try:
attestation.verify()
except PyAttestException as exception:
# Do your thing
pass
Assertion
Once you verified and obtained a public key, you can use it to assert
further requests. For a full implementation on how to get to the public key check out django-dreiattest. To check if an assertion
is valid we check if it was signed with given pem_key
.
-
assertion
: Raw bytes of the assertion you want to test -
expected_hash
: The hash we want to compare the signature against -
pem_key
: The public key to verify the signature -
config
: AAppleConfig
orGoogleConfig
instance
assertion = Assertion(assertion, expected_hash, pem_key, config)
assertion.verify()