Feature Preview: SafetyNet Attestation API evaluationType

[SafetyNet API Clients]

Hi,

We have started rolling out a new feature that will provide developers with insight into the types of signals/measurements that have contributed to each individual SafetyNet Attestation API response.

 

Our JWS responses now have a new optional field named evaluationType.
The value of this field will be a list of comma-separated string tokens, where each token represents an enum-like value.

 

Currently, the following string tokens may be indicated::

- BASIC  - When we use typical signals and measurements along with reference data during our evaluation.

- HARDWARE_BACKED - When we use the available hardware-backed security features of the remote device (e.g. hardware-backed key attestation) to influence our evaluation.

 

Examples of field values that you may expect:

- {“evaluationType”: “BASIC”}

- {“evaluationType”: “BASIC,HARDWARE_BACKED”}

 

We’re currently evaluating and adjusting the eligibility criteria for devices where we will rely on hardware-backed security features. So please do not use the presence or value of this field as a signal by itself (for now).

 

Note that this feature has not been officially documented yet. Presently, we’re only communicating it to this announcement-list to collect feedback.

 

We encourage you to use our feedback form based on your experience with this new feature as well as the overall service.

 

Thanks & Regards,

SafetyNet API Clients team