{"id":25249583,"url":"https://github.com/provable-things/android-proof","last_synced_at":"2025-10-15T13:38:31.222Z","repository":{"id":56336288,"uuid":"139150260","full_name":"provable-things/android-proof","owner":"provable-things","description":null,"archived":false,"fork":false,"pushed_at":"2020-11-13T16:52:22.000Z","size":1268,"stargazers_count":5,"open_issues_count":2,"forks_count":2,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-04-02T16:11:44.861Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/provable-things.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-06-29T13:03:08.000Z","updated_at":"2024-10-06T01:56:00.000Z","dependencies_parsed_at":"2022-08-15T16:50:41.859Z","dependency_job_id":null,"html_url":"https://github.com/provable-things/android-proof","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/provable-things/android-proof","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/provable-things%2Fandroid-proof","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/provable-things%2Fandroid-proof/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/provable-things%2Fandroid-proof/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/provable-things%2Fandroid-proof/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/provable-things","download_url":"https://codeload.github.com/provable-things/android-proof/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/provable-things%2Fandroid-proof/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279083817,"owners_count":26099712,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-15T02:00:07.814Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-02-12T03:22:39.623Z","updated_at":"2025-10-15T13:38:31.185Z","avatar_url":"https://github.com/provable-things.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Android Proof\n\n### Instruction\n\nThe application accepts as mandatory parameters:\n* *url*: a URL (only HTTPS)\n* *requestId*: a request ID, which can be the Oraclize query id\n* *apiKey*: Android Device Verification API key for SafetyNet Attestation\n\nOptionally, they can be also specified:\n* *method*: the HTTP method used, e.g POST\n* *data*: the data payload/parameters\n* *readTimeout*: the URL query read timeout limit, default value is 12000ms\n* *connectTimeout*: the URL query connect timeout limit, default value is 15000ms\n* *requestProperty*: the request property for the URL query, default value is \"application/x-www-form-urlencoded\"\n* *timeoutBetweenRetries*: if SafetyNet response fails, retry request after the elapsed timeout, default value is 5000ms\n* *retriesMax*: if SafetyNet response fails, retry request a retriesMax number of times. Default value is 3\n\n\nWe start the application:\n\n```bash\nadb shell am start -n it.oraclize.androidproof/it.oraclize.androidproof.AndroidProofLauncher\n```\n\nWe start the proof generation process\n\n```bash\nadb shell am broadcast -a it.oraclize.intent.Proof --es url \"https://httpbin.org/post\" --es requestID  $(date +%s) --es method \"POST\" --es requestProperty \"application/json\" --es data '\\{\"\\\"jsonrpc\"\\\":\"\\\"2.0\"\\\"\\,\"\\\"method\"\\\":\"\\\"generateIntegers\"\\\"\\,\"\\\"params\"\\\":1}' --es readTimeout \"1000\" --es connectTimeout \"1000\" --es timeoutBetweenRetries \"1000\" --es retriesMax \"5\" --es apiKey \"$requestID\"\n```\n\nWe retrieve the proof from the device:\n```bash\nadb pull /storage/emulated/0/Android/data/it.oraclize.androidproof/files/Documents/AndroiProof_$requestID.proof\n```\n\nWe retrieve the certificate chain from the device:\n\n```bash\nadb pull /storage/emulated/0/Android/data/it.oraclize.androidproof/files/Documents/AndroidProof.chain\n```\n\n\n## Rationale and Overview of Design\n\nThe Android Proof leverages the security guarantees offered by Android devices shipped with \nAndroid Oreo and newer versions through the use of Software and Hardware Attestation for the \nprovision of a secure and auditable environment whereby authenticable data can be fetched.\n\nThe Android Proof is based on a service application, which is running on a physical Android device \nstored in our datacenter connected to the backend. \nThese devices have a Trusted Execution Environment which enables developers to generate a certificate \nchain from a key residing in the Android Hardware Keystore. The certificate chain has information \nneeded to prove that the key has been generated from the KeyStore and is retrieved and sent to Oraclize’s infrastructure. \n\nThe full chain of certificates must be verified against publicly available Google-owned Certificate Revocation Lists.\nIf this claim holds true, when a query is asked with AndroidProof, Oraclize backend sends the query URL \n(and other parameters) to the service running on the phone through a USB connection. The service \nreceives the parameters via ADB and it downloads the provided URL response via HTTPS (only). \n\nGoogle Play Services offers an API called SafetyNet to provide Software Attestation. This API\nprovides Android developers a way to discover if the device their app is running\non has been rooted or it is an unknown, possibly malicious device. The API\nuses proprietary mechanism, with Google promising that it will keep it updated to\ntheir best knowledge of new vulnerabilities.\n\nWe send the HTTPS response, the signature from the hardware-backed Keystore and the request ID \nas the nonce for the SafetyNet request. The API requires a Google API key that must be generated on their platform \nand passed via USB to the app.\n\nThe response is an AttestationResponse with a JWS (JSON Web Signature) object composed by\nthree parts, separated by a point:\n* An header: the certificate chain encoded in BASE64_URLSAFE\n* A payload: the SafetyNet response encoded in BASE64_URLSAFE\n* The signature: a 256-byte RSA_PCKS_V1.5 signature encoded in BASE64_URLSAFE, obtained signing the output of SHA256(header.payload) (both in encoded version).\n\nThe payload, which is the SafetyNet result contains:\n* nonce: a random token generated in a cryptographically secure manner.\n* package_name\n* timestamp\n* apkCertificateDigestSha256: sha256 of certificate used to sign app\n* apkDigestSha256: SHA256 of apk\n* ctsProfileMatch: Google compatibility test (true/false)\n* basicIntegrity: other device integrity tests besides Google's CTS (true/false)\n\nAfter a quick verification against the locally computed value, we send the HTTP response and \nattestation response via ADB to Oraclize backend and then to the querying contract, which can now verify the authenticity\nof the signature using the public key contained in the first certificate of the\nheader certificate chain. The SHA256 of the apk generated from our deterministic build process permits \neveryone to verify that the open-sourced app code is effectively the one generating the proof.\n \nYou can get more information on the Android Proof verification process on our guide [Advanced Verification](verification/README.md) or use our \n [Proof Verification Tool](https://github.com/oraclize/proof-verification-tool) to verify the proof.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprovable-things%2Fandroid-proof","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fprovable-things%2Fandroid-proof","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprovable-things%2Fandroid-proof/lists"}