Response signature validation: error on version 0.9 #57
Comments
Same problem here. The new version doesn't work at all.
Is this no longer developed?
I think this is more of an issue with the Sample app in the Play Store? If so, I had to change the way the Google Cloud API was configured to lock it down further, as a previous API key was compromised. I think this is the reason this API call is now failing. Even if that isn't the case, on reviewing the decision to add this validation to the library, I feel it's fairly pointless given this SafetyNet response is validated on device and this could be hooked/tampered with. In #62 and version 0.10.0 this will be removed.
In my opinion it still would be nice to have the validation in the library to be able to test if the SafetyNet API is working correctly.
@ale5000-git thanks for voicing that. This removal could just be temporary; potentially someone could raise a PR with it back in. There's some offline validation we could add as mentioned here. This feels more in line with what this library is: an app-based SafetyNet check (with all the caveats previously mentioned about app-based being not the most ideal or secure). Also, just to confirm, the library would still call the attest, decode the JWT response and validate the content matches the app. It just wouldn't be doing the API call to validate that the attest response actually came from Google.
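The payload checks described in the comment above (decode the JWT response and validate that the content matches the app), as an added example that is not code from this library or its maintainers. The payload field names are those of the SafetyNet Attestation response; the function names, nonce, package name and digest values are constructed for illustration, and the signature is deliberately left unverified, as in the comment.

```python
import base64
import json
import time

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_attestation_payload(jws, nonce, package, cert_digests,
                              now_ms=None, max_age_ms=120_000):
    """Return the list of failed checks (empty means the payload matches the app).

    The JWS signature is NOT verified, so a passing result does not prove
    that the response came from Google.
    """
    parts = jws.split(".")
    if len(parts) != 3:
        return ["malformed JWS: expected 3 segments"]
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return ["payload is not base64url-encoded JSON"]
    if not isinstance(payload, dict):
        return ["payload is not a JSON object"]
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    allowed = list(cert_digests)
    failures = []
    # The response carries the request nonce as standard base64.
    if payload.get("nonce") != base64.b64encode(nonce).decode():
        failures.append("nonce mismatch")
    ts = payload.get("timestampMs")
    if not isinstance(ts, int) or abs(now_ms - ts) > max_age_ms:
        failures.append("timestamp missing or stale")
    if payload.get("apkPackageName") != package:
        failures.append("package name mismatch")
    digests = payload.get("apkCertificateDigestSha256")
    if not (isinstance(digests, list) and digests and all(d in allowed for d in digests)):
        failures.append("signing certificate digest mismatch")
    for flag in ("ctsProfileMatch", "basicIntegrity"):
        if payload.get(flag) is not True:
            failures.append(flag + " is not true")
    return failures

def constructed_sample(nonce, package, cert_digest, timestamp_ms):
    """Build an unsigned, constructed token for the demo (not a real response)."""
    payload = {"nonce": base64.b64encode(nonce).decode(), "timestampMs": timestamp_ms,
               "apkPackageName": package, "apkCertificateDigestSha256": [cert_digest],
               "ctsProfileMatch": True, "basicIntegrity": True}
    segments = (json.dumps({"alg": "RS256"}).encode(), json.dumps(payload).encode(),
                b"not-a-real-signature")
    return ".".join(_b64url_encode(s) for s in segments)
```

An empty result only says the decoded fields match what the app expected; establishing that the response came from Google still requires verifying the JWS signature and certificate chain.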
With the version 0.9 I get:
I was passing correctly in the previous version and it is still passing in another app called "SafetyNet Test".