Android SafetyNet API fails when using API key restriction

Question

When setting restriction to an API key the Attestation API stops working: OnFailureListener gets fired with the CANCELLED(16) status code

The restrictions are the android package name and the certificate signature(SHA-1)

Does the SafetyNet Attestation API support restricted API keys ?

Note: the same API key with the additional restriction works fine with Google Maps API

UPDATE: On devices running Google Play Services v13.0 and above, the SafetyNet Attestation API also supports app-restricted API keys. https://developer.android.com/training/safetynet/attestation

You may refer with this [thread](https://stackoverflow.com/questions/47068393/safety-environment-check-in-android-using-safetynet-attestation-api-is-not-worki). You might be restricting the key to the wrong package name. Try to recheck the API key or create a new one like in this [page](https://developer.android.com/training/safetynet/attestation.html#add-api-key). — abielita, Apr 26 '18 at 15:52
@abielita, double checked the package name and created the new one - still doesn't work. Also that key works fine with the Maps API — Mickey Tin, May 02 '18 at 21:42
@TheLittleNaruto, yes the service is enabled and everything works without the restrictions — Mickey Tin, May 15 '18 at 09:57
@YvetteColomb, the restrictions I'm using are the package name and the hash of the certificate which was used to sign the apk, I didn't set the API restriction — Mickey Tin, May 15 '18 at 09:58
@rekire I tried it with the official sample and the behavior is the same https://github.com/googlesamples/android-play-safetynet/blob/master/client/java/SafetyNetSample/Application/src/main/java/com/example/android/safetynetsample/SafetyNetSampleFragment.java — Mickey Tin, May 15 '18 at 15:29

Carl Anderson · Accepted Answer · 2018-05-15T23:37:14.443

4

I've contacted a friend of mine at Google, and he reached out to their team. This is currently not supported - there's no way to get this API restricted with the SHA1 fingerprint. It's on their internal roadmap to accommodate this, but for now it won't work.

If you go to their quota request page you can see that they specifically say not to use any form of API key restrictions.

edited May 15 '18 at 23:37

answered May 15 '18 at 23:31

Carl Anderson

3,446
1
25
45

And I'm replying here mainly because we ran into the same problem in our app today. – Carl Anderson May 15 '18 at 23:32
Hi Carl, thank you for the insights, the bounty is yours :) I didn't notice that they say not to use the restrictions. Looks like we need to find some ways to protect our api key from not being compromised – Mickey Tin May 16 '18 at 07:52
3

IMHO! If something like that is there, they should have added it in their document not on quota request page. I mean Nobody would check that out unless they need more requests. – TheLittleNaruto May 16 '18 at 09:02
Is this still the case? – neteinstein Jul 02 '19 at 11:38
I'm not sure and no longer work on an app using Safetynet. – Carl Anderson Jul 02 '19 at 17:10
API key restriction has been enabled for SafetyNet API keys @MickeyTin – Ishant Sagar Sep 11 '19 at 12:45

Android SafetyNet API fails when using API key restriction

1 Answers1

Linked