DSR-RFC-06 Device Security Attributes

    Introduction

    This RFC defines which Zero Trust signals are collected on- and off-device for security rating.

    dev_sec_level

    Minimal Trust Base for Registration

    Minimal/basic trust that is needed for a successful registration at GMS and thus for participating in the DSR. It is verified by GMS during the registration process.

    Android

    Google Play Integrity API

    Descriptions are partially taken from the Android Developers Play Integrity documentation.

    | Attribute | Expected Value | Description |
    |---|---|---|
    | requestDetails: | | |
    | requestPackageName | is equal to packageName from token payload and from AppIntegrity | application package name the attestation was requested for; check list with enrolled apps at GMS |
    | nonce | nonce_Integrity | base64-encoded URL-safe no-wrap nonce provided by the developer |
    | timestampMillis | t + 10 min < time of creation on device | timestamp in milliseconds when the request was made |
    | appIntegrity: | | |
    | appRecognitionVerdict | PLAY_RECOGNIZED | app and certificate match the versions distributed by Google Play |
    | packageName | must be in the list of available packages | package name of the app; check list with enrolled apps at GMS |
    | certificateSha256Digest | must be equal to the sha256 digest, defined in the available packages list | sha256 digest of app certificates; check list with enrolled apps at GMS |
    | versionCode | must be in the list of available packages | version of the app; check list with enrolled apps at GMS |
    | deviceIntegrity: | | |
    | deviceIntegrity | MEETS_DEVICE_INTEGRITY | app is running on an Android device powered by Google Play services, device passes system integrity checks and meets Android compatibility requirements |
    | accountDetails: | | |
    | appLicensingVerdict | LICENSED | user has an app entitlement (user installed or bought your app on Google Play) |
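The checks in the table above can be applied to a decoded Play Integrity verdict as in the following added example, which is not part of the RFC or of GMS. The enrolled-app list, the sample payload and the function name are constructed, the timestampMillis rule is read as a 10-minute freshness window (an assumption), and the device verdict is read from the payload's `deviceRecognitionVerdict` list.

```python
import hmac

MAX_AGE_MS = 10 * 60 * 1000  # freshness window taken from the timestampMillis row
# Constructed stand-in for the GMS list of enrolled apps (all values are placeholders).
ENROLLED = {"com.example.dsr": {"cert": "Y29uc3RydWN0ZWQtZGlnZXN0", "versions": {"41", "42"}}}
# Constructed decoded verdict in the Play Integrity payload shape.
SAMPLE = {
    "requestDetails": {"requestPackageName": "com.example.dsr",
                       "nonce": "bm9uY2VfSW50ZWdyaXR5", "timestampMillis": "1700000000000"},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED", "packageName": "com.example.dsr",
                     "certificateSha256Digest": ["Y29uc3RydWN0ZWQtZGlnZXN0"], "versionCode": "42"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
}


def check_verdict(payload, expected_nonce, now_ms, enrolled=ENROLLED):
    """Return the names of the table rows that failed; an empty list means accept."""
    req = payload.get("requestDetails", {})
    app = payload.get("appIntegrity", {})
    failed = []
    entry = enrolled.get(app.get("packageName"))
    if entry is None:
        failed.append("packageName")
    else:
        if entry["cert"] not in app.get("certificateSha256Digest", []):
            failed.append("certificateSha256Digest")
        if str(app.get("versionCode")) not in entry["versions"]:
            failed.append("versionCode")
    if req.get("requestPackageName") != app.get("packageName"):
        failed.append("requestPackageName")
    # Constant-time comparison against the nonce issued for this request.
    if not hmac.compare_digest(str(req.get("nonce", "")).encode(), expected_nonce.encode()):
        failed.append("nonce")
    try:
        age = now_ms - int(req["timestampMillis"])
    except (KeyError, TypeError, ValueError):
        age = -1  # missing or malformed timestamp is treated as a failure
    if not 0 <= age <= MAX_AGE_MS:  # assumed reading: verdict at most 10 minutes old
        failed.append("timestampMillis")
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        failed.append("appRecognitionVerdict")
    verdicts = payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if "MEETS_DEVICE_INTEGRITY" not in verdicts:
        failed.append("deviceIntegrity")
    if payload.get("accountDetails", {}).get("appLicensingVerdict") != "LICENSED":
        failed.append("appLicensingVerdict")
    return failed
```

Returning every failed row, rather than stopping at the first, lets the verifier log which signals were missing when a registration is rejected.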

    Android Key & ID Attestation

    Descriptions are partially taken from the Android Developers Key & ID Attestation article.

    | Attribute | Expected Value | Description |
    |---|---|---|
    | KeyDescription: | | |
    | attestationVersion | tbd | version of the key attestation feature. |
    | attestationSecurityLevel | TrustedEnvironment (1), StrongBox (2) | security level of the attestation |
    | keyMintVersion / keymasterVersion | tbd | security level of the attestation |
    | keyMintSecurityLevel / keymasterSecurityLevel | tbd | security level of the Keymaster/KeyMint implementation |
    | attestationChallenge | nonce_keypair_attest | challenge from creation |
    | softwareEnforced | out of scope for PoC | |
    | teeEnforced | out of scope for PoC | |

    iOS

    App Attest Service

    Descriptions are partially taken from the Apple Developer DeviceCheck documentation.

    | Attribute | Expected Value | Description |
    |---|---|---|
    | Attestation: | | |
    | RP ID (32 bytes) | must be equal to the RP ID, defined in the available packages list at GMS | A hash of your app's App ID, which is the concatenation of your 10-digit team identifier, a period, and your app's CFBundleIdentifier value |
    | counter (4 bytes) | ignored for PoC | value that reports the number of times your app has used the attested key to sign an assertion |
    | aaguid (16 bytes) | production | App Attest–specific constant that indicates whether the attested key belongs to the development or production environment |
    | credentialId (32 bytes) | must be equal to the key used to sign the mTLS public key | hash of the public key part of the attested cryptographic key pair |
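The fields in this table sit at fixed offsets in the authenticator data of an App Attest attestation. The following added example, which is not part of the RFC or of GMS, parses that byte layout and applies the expected values; the App ID, the key identifier and the sample bytes are constructed, and `key_id` stands for the identifier GMS expects for the key that signed the mTLS public key (an assumption).

```python
import hashlib
import struct

AAGUID_PROD = b"appattest" + b"\x00" * 7  # production environment
AAGUID_DEV = b"appattestdevelop"          # development environment


def parse_auth_data(auth_data):
    """Split authenticator data into the fields listed in the table."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    # 32-byte RP ID hash, 1-byte flags, 4-byte big-endian counter.
    rp_id_hash, flags, counter = struct.unpack(">32sBI", auth_data[:37])
    fields = {"rp_id_hash": rp_id_hash, "counter": counter,
              "aaguid": None, "credential_id": None}
    if flags & 0x40:  # attested credential data follows (attestation only)
        if len(auth_data) < 55:
            raise ValueError("truncated attested credential data")
        aaguid, cred_len = struct.unpack(">16sH", auth_data[37:55])
        if len(auth_data) < 55 + cred_len:
            raise ValueError("truncated credentialId")
        fields.update(aaguid=aaguid, credential_id=auth_data[55:55 + cred_len])
    return fields


def check_attestation(auth_data, app_id, key_id):
    """Return the names of the table rows that failed; the counter is ignored as in the PoC."""
    fields = parse_auth_data(auth_data)
    failed = []
    # app_id is "<team identifier>.<CFBundleIdentifier>" from the GMS package list.
    if fields["rp_id_hash"] != hashlib.sha256(app_id.encode()).digest():
        failed.append("RP ID")
    if fields["aaguid"] != AAGUID_PROD:
        failed.append("aaguid")
    if fields["credential_id"] != key_id:
        failed.append("credentialId")
    return failed


def build_sample(app_id, aaguid, key_id, counter=0):
    """Constructed authenticator data for the demo (not real device output)."""
    return (hashlib.sha256(app_id.encode()).digest() + struct.pack(">BI", 0x40, counter)
            + aaguid + struct.pack(">H", len(key_id)) + key_id)
```

Assertions carry only the RP ID hash and counter, so `parse_auth_data` returns `None` for the other two fields when the attested-credential flag is not set.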

    Device Rating Attributes

    These are the device security attributes that a device must provide when trying to access a resource. GMS verifies token authenticity / integrity as well as app/Trust SDK info and forwards all information in device_token to PEP.

    Android

    Google Play Integrity API

    See Minimal Trust Base for Registration.

    Android Key & ID Attestation

    See Minimal Trust Base for Registration.

    Additional Security Attributes

    Descriptions are partially taken from the Android Enterprise Developers Zero Trust signals documentation.

    | Attribute | Description | API | Root of Trust | Availability |
    |---|---|---|---|---|
    | Android version | Android version or API level / SDK version currently running on the device | Build.VERSION.SDK_INT | Software | >= Android 1.6 |
    | Android version (release) | Android version (API level) with which the device was released / CTS was passed | getprop('ro.product.first_api_level') | Software | TODO |
    | Patchlevel | OS patch level | Build.VERSION.SECURITY_PATCH | Software | >= Android 6.0 |
    | FDE / FBE | Indicates whether device encryption is supported and whether it is activated. | getprop('ro.crypto.state') | Software | TODO |
    | System PIN / password / pattern set | Indicates whether a PIN/pattern/password is set for the lock screen. | KeyguardManager.isDeviceSecure(), BiometricManager.canAuthenticate(BiometricManager.Authenticators.DEVICE_CREDENTIAL), BiometricManager.canAuthenticate(BiometricManager.Authenticators.BIOMETRIC_STRONG) | Software | >= Android 6.0, >= Android 11, >= Android 12 |
    | System PIN / password / pattern quality | The Device Policy Manager can be used to query whether certain password complexity levels are currently being met. | DevicePolicyManager.getPasswordComplexity(), requires android.permission.REQUEST_PASSWORD_COMPLEXITY | Software | >= Android 10 |
    | Verified boot supported | Indicates whether VerifiedBoot is available on the device. | PackageManager.FEATURE_VERIFIED_BOOT | Software | >= Android 5.0 |
    | Mainline patch level | Indicates when the last mainline patch was installed. | PackageManager.getPackageInfo("com.google.android.modulemetadata", 0).versionName | Software | API level > 1 |
    | OEM / model | Returns information about manufacturer, model, etc. | BUILD.MODEL, BUILD.PRODUCT, BUILD.MANUFACTURER, BUILD.BOARD | Software | |
    | Biometric class | Returns information if class 3 biometrics is available. | BiometricManager.canAuthenticate(Authenticators#BIOMETRIC_STRONG) | Software | >= Android 12 |

    iOS

    App Attest Service

    Descriptions are partially taken from the Apple Developer DeviceCheck documentation.

    | Attribute | Expected Value | Description |
    |---|---|---|
    | Assertion: | | |
    | RP ID (32 bytes) | must be equal to the RP ID, defined in the available packages list at GMS | A hash of your app's App ID, which is the concatenation of your 10-digit team identifier, a period, and your app's CFBundleIdentifier value |
    | counter (4 bytes) | ignored for PoC | value that reports the number of times your app has used the attested key to sign an assertion |
    | Fraud Risk (optional): | | |
    | tbd | | |

    Additional Security Attributes

    | Attribute | Description | API | Root of Trust | Availability |
    |---|---|---|---|---|
    | System Name | The name of the operating system running on the device. | UIDevice: var systemName: String { get } | Software | >= iOS 2.0 |
    | System version | The current version of the operating system. | UIDevice: var systemVersion: String { get } | Software | >= iOS 2.0 |
    | Model | Possible examples of model strings are "iPhone" and "iPod touch". | UIDevice: var model: String { get } | Software | >= iOS 2.0 |
    | identifierForVendor | An alphanumeric string that uniquely identifies a device to the app's vendor. | UIDevice: var identifierForVendor: UUID? { get } | Software | >= iOS 6.0 |
    | App Version | The current version of the App system. | tbd | Software | tbd |