AndroidAttestationConfiguration
Main Android attestation configuration class serving as ground truth for all key and app attestation verifications.
Parameters
list of applications to be attested
optional parameter. If set, attestation enforces Android version to be greater or equal to this parameter. Caution: Major Android versions increment in steps of ten-thousands. I.e. Android 11 is specified as 110000 Can be overridden for individual apps
optional parameter. If set, attestation enforces Security patch level to be greater or equal to this parameter
optional parameter. Set to true if StrongBox security level should be required
optional parameter. Set to true if unlocked bootloaders should be allowed. Attention: Allowing unlocked bootloaders in production effectively defeats the purpose of app attestation. (but retains the ability to attest whether a key is securely stored in hardware) Useful for debugging/testing
optional parameter. Unsupported by most devices. See Official Documentation
optional parameter. Whether to ignore the timely validity of the leaf certificate (looking at you, Samsung!)
Manually specify the trust anchor for HW-attested certificate chains. Defaults to google HW attestation key. Overriding this set is useful for automated end-to-end tests, for example. The default trust anchors are accessible through DEFAULT_HARDWARE_TRUST_ANCHORS
Manually specify the trust anchor for SW-attested certificate chains. Defaults to google SW attestation keys. Overriding this set is useful for automated end-to-end tests, for example. The default trust anchors are accessible through DEFAULT_SOFTWARE_TRUST_ANCHORS
Entirely disable creation of a HardwareAttestationChecker. Only change this flag, if you really know what you are doing!
Enables hybrid attestation. NougatHybridAttestationChecker can only be instantiated if this flag is set to true. Only change this flag, if you require support for devices, which originally shipped with Android 7 (Nougat), as these devices only support hardware-backed key attestation, but provide no indication about the OS state. Hence, app-attestation cannot be trusted, but key attestation still can.
Enables software attestation. A SoftwareAttestationChecker can only be instantiated if this flag is set to true. Only change this flag, if you really know what you are doing! Enabling this flag, while keeping disableHardwareAttestation true makes is possible to instantiate both a HardwareAttestationChecker and a SoftwareAttestationChecker.
Constructors
Convenience constructor to attest a single app
Constructor used when loading this class from a config file through Hoplite
Types
Specifies a to-be attested app
Builder to construct an AndroidAttestationConfiguration in a java-friendly way
Properties
Set to true if unlocked bootloaders should be allowed. Attention: Allowing unlocked bootloaders in production effectively defeats the purpose of Key Attestation. Useful for debugging/testing BEWARE that this switch is utterly useless if NougatHybridAttestationChecker of SoftwareAttestationChecker is used
optional parameter. If set, attestation enforces Android version to be greater or equal to this parameter. Caution: Major Android versions increment in steps of ten-thousands. I.e. Android 11 is specified as 110000 Can be overridden for individual apps
List of applications which can be attested
Validity of the attestation statement in seconds. This is not the certificate validity! An attestation statement has a creation time. This value indicates how far in the past the creation time might be.
Entirely disable creation of a HardwareAttestationChecker. Only change this flag, if you really know what you are doing!
Enables hybrid attestation. A NougatHybridAttestationChecker can only be instantiated if this flag is set to true. Only change this flag, if you require support for devices, which originally shipped with Android 7 (Nougat), as these devices only support hardware-backed key attestation, but provide no indication about the OS state. Hence, app-attestation cannot be trusted, but key attestation still can.
Enables software attestation. A SoftwareAttestationChecker can only be instantiated if this flag is set to true. Only change this flag, if you really know what you are doing! Enabling this flag, while keeping disableHardwareAttestation true makes is possible to instantiate both a HardwareAttestationChecker and a SoftwareAttestationChecker.
Manually specify the trust anchor for HW-attested certificate chains. Defaults to google HW attestation key. Overriding this set is useful for automated end-to-end tests, for example. The default trust anchors are accessible through DEFAULT_HARDWARE_TRUST_ANCHORS
Whether to ignore the timely validity of the leaf certificate
Internal representation of the patch level as contained in the com.google.android.attestation.ParsedAttestationRecord
Mandates Remote Key Provisioning (RKP) for attestation checks to pass
Unsupported by most devices. See Official Documentation
Set to true if StrongBox security level should be required. BEWARE that this switch is utterly useless if NougatHybridAttestationChecker of SoftwareAttestationChecker is used
Manually specify the trust anchor for SW-attested certificate chains. Defaults to google SW attestation keys. Overriding this set is useful for automated end-to-end tests, for example. The default trust anchors are accessible through DEFAULT_SOFTWARE_TRUST_ANCHORS
Tolerance in seconds added to verification date