Improve application security through nonce field of play integrity API

author / Oscar Rodriguez, Developer Relations Engineer

We recently released Play Integrity API, Hope to help developers protect their applications and games , Protect them from fraudulent interactions that may pose risks ( Such as spoofing and unauthorized access ) Hazards of , Enable you to take appropriate measures to prevent attacks and reduce abuse .

• Play Integrity API
  

  https://developer.android.google.cn/google/play/integrity

In addition to application integrity 、 Useful signals related to equipment integrity and licensing information ,Play Integrity API It also provides a simple but very practical function , namely "nonce". If used properly , Developers can further strengthen Play Integrity API Existing protective measures , And reduce the risk of specific types of attacks , For example, intermediaries (PITM) Tamper attack and replay attack .

In this article , We will introduce in depth what is nonce、 How it works , And how to use it nonce Field to further protect your applications and games .

What is? nonce？

In cryptography and security engineering ,nonce (number once) It is a number that can only be used once in secure communication .nonce A wide range of uses , Like authentication 、 Data encryption and hash processing .

stay Play Integrity API in ,nonce You are calling API Opacity set before integrity check Base64 Code binary blob, And return the original sample through the signed response . Create and verify according to nonce The way , You can use it to further enhance Play Integrity API Existing protective measures , And mitigate specific types of attacks , For example, intermediaries (PITM) Tamper attack and replay attack .

Except return as is in the signed response nonce,Play Integrity API It won't be right nonce Any processing of actual data , So you can set any value , As long as it is an effective Base64 value . in other words , To digitally sign the response ,nonce The value will be sent to Google The server , So please do not nonce Set to any type of personally identifiable information (PII), For example, user name 、 Phone or email address .

Set up nonce 

Set your app to use Play Integrity API after , You can use setNonce() Method , Or its appropriate variant settings nonce, These variants apply to API Of Kotlin、Java、Unity and Native edition .

• Set your app to use Play Integrity API
  

  https://developer.android.google.cn/google/play/integrity/setup

• Set up nonce

  https://developer.android.google.cn/google/play/integrity/verdict#request

Kotlin: 

val nonce: String = ...


//  establish  manager  Example 
val integrityManager =
    IntegrityManagerFactory.create(applicationContext)


//  adopt  nonce  Get integrity token 
val integrityTokenResponse: Task<IntegrityTokenResponse> =
    integrityManager.requestIntegrityToken(
        IntegrityTokenRequest.builder()
             .setNonce(nonce) //  Set up  nonce
             .build())

Java: 

String nonce = ...


//  establish  manager  Example 
IntegrityManager integrityManager =
    IntegrityManagerFactory.create(getApplicationContext());


//  adopt  nonce  Get integrity token 
Task<IntegrityTokenResponse> integrityTokenResponse =
    integrityManager
        .requestIntegrityToken(
            IntegrityTokenRequest.builder()
            .setNonce(nonce) //  Set up  nonce
            .build());

Unity: 

string nonce = ...


//  establish  manager  Example 
var integrityManager = new IntegrityManager();


//  adopt  nonce  Get integrity token 
var tokenRequest = new IntegrityTokenRequest(nonce);
var requestIntegrityTokenOperation =
    integrityManager.RequestIntegrityToken(tokenRequest);

Native: 

//  establish  IntegrityTokenRequest  object 
const char* nonce = ...
IntegrityTokenRequest* request;
IntegrityTokenRequest_create(&request);
IntegrityTokenRequest_setNonce(request, nonce); //  Set up  nonce
IntegrityTokenResponse* response;
IntegrityErrorCode error_code =
        IntegrityManager_requestIntegrityToken(request, &response);

verification nonce

Play Integrity API Response of with JSON Network token (JWT) Form return of , Its load is plain text JSON, The format is as follows : 

{
  requestDetails: { ... }
  appIntegrity: { ... }
  deviceIntegrity: { ... }
  accountDetails: { ... }
}

• JSON Network token (JWT)
  

  https://jwt.io/

• Pure text JSON

  https://developer.android.google.cn/google/play/integrity/verdict#returned-payload-format

You can go to requestDetails Structure nonce, The format is as follows : 

requestDetails: {
  requestPackageName: "...",
  nonce: "...",
  timestampMillis: ...
}

nonce The value of the field should be the same as you called API The passed values match exactly . Besides , because nonce Values in the Play Integrity API In the encrypted signature response , After receiving the response, it cannot be changed . Through these properties , You can use nonce Further protect your application .

Protect important operations

Imagine this scene , An attacker is trying to maliciously falsely report players' scores to the game server . In this case , The equipment and application are complete , However, the attacker can still view and modify the communication data flow with the game server through the proxy server or virtual private network , So as to achieve the purpose of falsely reporting scores .

under these circumstances , Call only Play Integrity API Not enough to protect the application :  The device has not been cracked 、 Application is also legal , Therefore, this operation can be done through Play Integrity API All inspections of .

But you can use Play Integrity API Of nonce To protect this specific high-value operation that reports game scores , That is to say nonce The value of the encoding operation in . The implementation method is as follows : 

1. Users initiate important operations ;

2. The application is ready to protect messages , for example JSON Formatted message ;

3. The application calculates the encrypted hash value of the message to be protected . for example , Use SHA-256 or SHA-3-256 The hash algorithm ;

4. Application call Play Integrity API, And call setNonce() In order to nonce Field is set to the encrypted hash value calculated in the previous step ;

5. The message that the application will protect and Play Integrity API Send the signature result of to the server ;

6. The application server verifies whether the encrypted hash value of the message it receives is consistent with nonce Field values match , And reject any mismatched results .

The following sequence diagram illustrates the relevant steps : 

As long as the protected original message is sent with the signature result , And both the server and the client use the same mechanism to calculate nonce, In this way, the message will not be tampered .

Please note that , In the above scenario , The effectiveness of the security model is limited to attacks that occur in the network ( Not in devices or applications ), So verify Play Integrity API The equipment and application integrity signals provided are also particularly important .

Prevent replay attacks

Let's imagine another scenario , An application or game uses Play Integrity API To protect yourself C/S framework , But the attacker tried to interact with the server by using the cracked device , And don't let the server detect .

If you want to " a " This attack target , The attacker will first make the application and Play Integrity API Interact , And get the signed response content , Then run the application on the cracking device and intercept Play Integrity API Call to , Use previously recorded 、 Respond with the signed response content , In this way, the integrity check will not be performed .

Since the signed response has not been changed in any way , So digital signature seems normal , The application server will mistakenly think that it is communicating with legitimate devices . We call this Replay attack .

The first line of defense against such attacks is to verify the signature response timestampMillis Field . This field contains the timestamp when the response was created , Even if the digital signature is verified , It can also be used on the server side to detect whether it is a suspicious old response .

in other words , Application servers can also take advantage of Play Integrity API Medium nonce, Assign a unique value to each response , And verify that the response matches the unique value set previously . The implementation method is as follows : 

1. The server creates globally unique values in a way that attackers cannot predict . for example ,128 Encrypted secure random numbers with bits or more ;

2. Application call Play Integrity API, And will nonce Field is set to the unique value received by the application server ;

3. The app will Play Integrity API Send the signature result of to the server ;

4. The server verifies nonce Whether the field matches the previously generated unique value , And reject all mismatched results .

The following sequence diagram illustrates the relevant steps : 

After realizing the above process , Every time the server requires the application to call Play Integrity API when , It will use different globally unique values , So as long as the attacker cannot predict this value ,nonce Does not match the expected value , The previous response cannot be reused .

Combine two protective measures

Although the above two mechanisms work in different ways , But if the application needs two kinds of protection at the same time , These two mechanisms can be combined in one Play Integrity API in call , for example , Attach the results of the two protective measures to a larger Base64 nonce in . The implementation method of combining the two protection measures is as follows : 

1. Users initiate important operations ;

2. The application requires the server to provide a unique value to identify the request ;

3. The application server generates a globally unique value , Prevent attackers from making predictions . for example , You can create such a value using a cryptographic secure random number generator . We recommend that you create not less than 128 The value of a ;

4. The application server sends a globally unique value to the application ;

5. The application is ready to protect messages , for example JSON Formatted message ;

6. The application calculates the encrypted hash value of the message to be protected . for example , Use SHA-256 or SHA-3-256 The hash algorithm ;

7. The application creates a string by appending the unique value received from the application server and the hash value of the message to be protected ;

8. Application call Play Integrity API, And call setNonce() In order to nonce Field is set to the string created in the previous step ;

9. The message that the application will protect and Play Integrity API Send the signature result of to the server ;

10. Application server split nonce Value of field , Then verify whether the encrypted hash value of the message and the previously generated unique value match the expected value , And reject any mismatched results .

The following sequence diagram illustrates the relevant steps : 

The above is what you can use nonce Some examples of further protecting applications from malicious user attacks . If your application can handle sensitive data , Or easy to be abused , We suggest you consider using Play Integrity API, Take relevant measures to mitigate the threat .

For information about using Play Integrity API For more information and start experiencing , Please go to Play Integrity API page :

https://developer.android.google.cn/google/play/integrity

  Click at the end of the screen  |  Read the original  |  immediately understand Play Integrity API For more information

Check the size and color of the square at the same time