IBM Security MaaS360


Migrating from SafetyNet Attestation to Play Integrity API

By T SANJANA posted Fri April 05, 2024 02:37 AM


Authors: @T SANJANA @Mohammed Daoud

“Whoever walks in integrity walks securely, but whoever takes crooked paths will be found out”

In our interconnected world, where data flows seamlessly between devices and services, ensuring safety and security online has become more crucial than ever. Imagine walking on a tightrope; you'd want a safety net beneath you, right? Well, in the digital realm, the Play Integrity API serves as that virtual safety net, offering protection against malicious activities and unauthorised access.

A major component of UEM is the management of a large number of devices. When we are dealing with a huge number of devices, integrity plays a very important role. To maintain integrity, we have migrated to an improved version of the SafetyNet Attestation API: the Play Integrity API.

Why Play Integrity over SafetyNet?
The Play Integrity API encompasses all the integrity signals provided by SafetyNet Attestation, along with additional features such as Google Play user license verification and enhanced error messaging capabilities. Crafted with a forward-looking approach, this new API ensures effortless integration of upcoming features, minimizing the time needed for upgrades. By comparison, the SafetyNet API performs fewer checks and supports neither Google Play user license verification nor the improved error messaging.

Play integrity attestation during Enrollment with MaaS360
In the MaaS360 portal, navigate to SETUP → SETTINGS → Advanced Enrollment setting, where there is a section titled Advanced Management for Android Devices. Admins can enable or disable device integrity and select one of the following strictness levels:

  • High: Runs advanced checks on the device to ensure that the MaaS360 app is running on an Android-powered device with Google Play services and a strong guarantee of system integrity. The device passes system integrity checks and meets Android compatibility requirements.
  • Moderate: Runs basic checks to ensure that the MaaS360 app is running on a device that passes basic system integrity checks. The device may not meet Android compatibility requirements.

Furthermore, administrators have the option to choose the Hardware-backed feature, which guarantees hardware-backed proof of boot integrity. This ensures that encryption keys are securely stored in a separate, inaccessible memory enclave, thwarting any attempts by malicious apps to gain access. This approach strengthens the device's defences against unauthorized access; a device that qualifies also clears system integrity checks and aligns with Android compatibility standards.
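An added example, not MaaS360 or IBM code: how a server could enforce strictness levels like those above against a decoded Play Integrity verdict. The level-to-label mapping, the package name, the nonce and the five-minute freshness window are assumptions, and the payload is taken to be already decrypted and verified through Google's servers.

```python
import time

# Assumed mapping of the portal's strictness levels to Play Integrity
# device-recognition labels; the product's real mapping is not on this page.
# Assumes the optional basic and strong labels are enabled for the app.
REQUIRED_LABEL = {
    "moderate": "MEETS_BASIC_INTEGRITY",
    "high": "MEETS_DEVICE_INTEGRITY",
    "hardware_backed": "MEETS_STRONG_INTEGRITY",
}
MAX_AGE_MS = 5 * 60 * 1000  # assumed freshness window for a verdict

# Constructed sample payload (classic request), not captured from a device.
SAMPLE = {
    "requestDetails": {
        "requestPackageName": "com.example.uem.agent",  # hypothetical package
        "nonce": "bm9uY2UtMDAwMQ",
        "timestampMillis": "1712300000000",
    },
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
    "deviceIntegrity": {
        "deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"]
    },
}

def evaluate_verdict(payload, level, expected_nonce, expected_package, now_ms=None):
    """Return (allowed, reasons) for a decoded integrity verdict payload."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons = []
    req = payload.get("requestDetails", {})
    # The nonce binds the verdict to the challenge this server issued.
    if req.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch (possible replay)")
    if req.get("requestPackageName") != expected_package:
        reasons.append("unexpected package name")
    age = now_ms - int(req.get("timestampMillis", 0))
    if not 0 <= age <= MAX_AGE_MS:
        reasons.append("stale or future-dated verdict")
    labels = payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if REQUIRED_LABEL[level] not in labels:
        reasons.append(f"device lacks {REQUIRED_LABEL[level]}")
    if payload.get("appIntegrity", {}).get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app binary not recognized by Google Play")
    return (not reasons, reasons)
```

A missing or empty `deviceRecognitionVerdict` list fails every level, so a device with no integrity labels is rejected rather than silently admitted.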

Periodic attestation for enrolled devices with MaaS360
Admins can run periodic checks on enrolled devices using MaaS360. Enabling this feature ensures that devices are checked regularly and tampered devices are flagged immediately, so admins can take appropriate action against them. To enable periodic checks, admins need to enable Device security in the MDM policy under the Security tab.

Results of periodic checks are visible under the device details view in the MaaS360 portal.

When navigating the online world on Android devices, it's important to have safeguards in place to ensure our devices are secure. Play Integrity on Android helps ensure that our devices haven't been tampered with or rooted. This is important because rooting or tampering can make our devices vulnerable to security threats. By using Play Integrity checks, we can verify that our devices are in a safe and trustworthy state, protecting us from potential risks and ensuring a more secure digital experience.

