Skip to content

Attestation (Android+ iOS): Best Practises, Know, Tests, Demos#3756

Open
Diolor wants to merge 40 commits into
OWASP:masterfrom
Diolor:key-attestation-best-practice
Open

Attestation (Android+ iOS): Best Practises, Know, Tests, Demos#3756
Diolor wants to merge 40 commits into
OWASP:masterfrom
Diolor:key-attestation-best-practice

Conversation

@Diolor

@Diolor Diolor commented Apr 2, 2026

Copy link
Copy Markdown
Collaborator

This PR closes #3505 and #3767

Description

Adds info regarding key attestation:

  1. One generic KNOWs
  2. Two separate KNOWs for device and app attestation, respectively for more granular information
  3. The best practice of it

Bonus: Added a Tests + Demos for attestation

TODO:

  • Allocate IDs before merge

AI Tool Disclosure

  • [x ] This contribution includes AI-generated content.

  • AI tools used: Claude 4.6 for grammar, feedback and reading cohesion

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds Android-focused guidance around Key Attestation by introducing new Knowledge pages (generic Key Attestation plus device/app-attestation-focused pages) and a new Best Practice that recommends using server-verified, hardware-backed attestation for integrity decisions.

Changes:

  • Moves/reworks the existing Key Attestation Knowledge content into MASVS-RESILIENCE and expands it with certificate-chain and field interpretation details.
  • Adds two new Knowledge pages for device attestation (rootOfTrust) and application attestation (attestationApplicationId).
  • Adds a new Android Best Practice describing a server-driven attestation flow and verification checks; updates related Storage Knowledge pages to reference the new Key Attestation KNOW.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 9 comments.

Show a summary per file
File Description
knowledge/android/MASVS-STORAGE/MASTG-KNOW-0047.md Updates wording around using Key Attestation to verify keys are hardware-backed.
knowledge/android/MASVS-STORAGE/MASTG-KNOW-0045.md Adds an explicit cross-reference to the Key Attestation Knowledge page.
knowledge/android/MASVS-STORAGE/MASTG-KNOW-0044.md Removes the old Storage-category Key Attestation Knowledge page content (relocated).
knowledge/android/MASVS-RESILIENCE/MASTG-KNOW-0044.md Adds the new Resilience-category Key Attestation Knowledge page with updated structure and references.
knowledge/android/MASVS-RESILIENCE/MASTG-KNOW-01kw.md Adds a new Knowledge page focused on device attestation fields (root of trust).
knowledge/android/MASVS-RESILIENCE/MASTG-KNOW-02kw.md Adds a new Knowledge page focused on application attestation fields (application ID).
best-practices/MASTG-BEST-00be.md Adds a new Best Practice recommending hardware-backed key attestation for device/app integrity.

Comment thread knowledge/android/MASVS-RESILIENCE/MASTG-KNOW-01kw.md
Comment thread knowledge/android/MASVS-RESILIENCE/MASTG-KNOW-01kw.md Outdated
Comment thread knowledge/android/MASVS-RESILIENCE/MASTG-KNOW-02kw.md
Comment thread knowledge/android/MASVS-RESILIENCE/MASTG-KNOW-02kw.md Outdated
Comment thread knowledge/android/MASVS-RESILIENCE/MASTG-KNOW-0044.md Outdated
Comment on lines +50 to +56
For a reference implementation, see [Dionysis Lorentzos' Android-Security sample](https://github.com/Diolor/Android-Security/blob/main/app/src/main/java/dio/security/crypto/KeyManager.kt#L45-L70).

## Reading the X.509 Certificate

The returned [X509Certificate](https://developer.android.com/reference/kotlin/java/security/cert/X509Certificate) chain from [`KeyStore.getCertificateChain(alias)`](https://developer.android.com/reference/kotlin/java/security/KeyStore#getcertificatechain) can be inspected to determine the key properties. X.509 certificates are described by [ASN.1 format](https://source.android.com/docs/security/features/keystore/attestation#tbscertificate-sequence) and the Android-specific extensions (certificate's payload) can be requested with OID `1.3.6.1.4.1.11129.2.1.17`. This attestation extension content is described by the [ASN.1 schema KeyDescription](https://source.android.com/docs/security/features/keystore/attestation#schema).

For a sample decoding functionality of X.509 certificate's payload, you may consult [Dionysis Lorentzos' - Simple attestation converter](https://github.com/Diolor/Android-Security/blob/main/app/src/main/java/dio/security/crypto/attestation/Attestation.kt#L34-L64).

Copilot AI Apr 8, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This Knowledge page links to non-official, personal GitHub repositories as “reference implementations”. Knowledge pages are expected to rely on official documentation/standards; consider replacing these with official sources (Android docs, AOSP, or Google-maintained samples) or move third-party samples to DEMO/tooling content.

Copilot generated this review using guidance from repository custom instructions.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I could copy the sample code here however the reader might lose context

Comment thread knowledge/android/MASVS-RESILIENCE/MASTG-KNOW-0044.md
Comment thread best-practices/MASTG-BEST-00be.md Outdated
Comment thread knowledge/android/MASVS-STORAGE/MASTG-KNOW-0045.md Outdated
Comment thread knowledge/android/MASVS-RESILIENCE/MASTG-KNOW-0044.md
@Diolor Diolor force-pushed the key-attestation-best-practice branch from 39b2e27 to 7d8ccdb Compare May 14, 2026 17:39
@Diolor Diolor force-pushed the key-attestation-best-practice branch from 7d8ccdb to aed967d Compare May 14, 2026 17:49
Comment thread best-practices/MASTG-BEST-0044.md Outdated
@@ -0,0 +1,73 @@
---
title: Mitigate the Risk of API Keys Hardcoded in the App Package

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a best for MASWE-0005. Attestation is a critical component of it.

@cpholguera cpholguera changed the title Key attestation best practice Key attestation best practice (Android) Jun 2, 2026
@Diolor Diolor changed the title Key attestation best practice (Android) Key attestation (Android) Jun 14, 2026
Diolor and others added 12 commits June 14, 2026 23:39
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Move attestation-focused TEST-0x01 here from the file-integrity branch.
Pairs with existing MASTG-KNOW-0x02 (DeviceCheck) and MASTG-KNOW-0x03 (App Attest).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- Rename Android key-attestation test MASTG-TEST-0342 -> MASTG-TEST-0x01
  (resolves duplicate ID with iOS NETWORK MASTG-TEST-0342) and update
  MASTG-DEMO-0x01 to reference it.
- Rename iOS App Attest test MASTG-TEST-0x01 -> MASTG-TEST-0x02.

Android (original) attestation under 0x01, iOS (new) under 0x02.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Placeholder demo md only (no r2 or sample files), paired with MASTG-TEST-0x02.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@Diolor Diolor changed the title Key attestation (Android) Attestation (Android+ iOS): Best Practises, Know, Tests, Demos Jun 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Create new Android BEST practice: device, app attestation with hardware backed keys

3 participants