Unified Attestation: open-source alternative to Google Play Integrity
4 days ago
- #Unified Attestation
- #Offline Verification
- #Google Play Integrity Alternative
- Unified Backend acts as both Device and App-server backend, storing trust anchors, verifying chains, and signing short-lived tokens.
- Federation works fully offline, with minimal endpoints like GET /api/v1/info, POST /api/v1/device/process, and POST /api/v1/app/decodeToken.
- Unified Attestation is a free, open-source alternative to Google Play Integrity, delivering short-lived integrity tokens signed by a single backend.
- Tokens are verified offline by app servers and issued via a privileged Android system service, living alongside Play Integrity.
- Simple integration for app developers on both app and server sides, with a thin SDK exposing a Play Integrity-style API.
- Workflow: App → SDK → Service → Backend → App server, with no nonce protocol and identical requestHash computation.
- The backend verifies the chain and policies and signs the token (60s TTL), while the app server checks the signature and requestHash.
- Public API mirrors Play Integrity, with helper utilities for decoding tokens and trust checks.
- Quick setup using docker-compose or npm commands for Backend and Example-App-Server repositories.
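
The app-server half of the workflow above (check signature, TTL and requestHash offline), as an added example that is not code from the Unified Attestation project. The token layout, the Ed25519 key and the helper names issueToken, verifyToken and requestHashOf are assumptions made for illustration, not the project's wire format or SDK.

```javascript
// Added example. The token layout (base64url JSON payload + "." + Ed25519
// signature) is hypothetical, not Unified Attestation's actual wire format.
const crypto = require('node:crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');
// Assumption: requestHash is SHA-256 over the exact request body being protected.
const requestHashOf = (body) => crypto.createHash('sha256').update(body).digest('base64url');
const TTL_MS = 60_000; // 60s TTL, as stated on the page

// Stand-in for the backend's signing step, so the verifier has input to run on.
function issueToken(privateKey, requestHash, nowMs) {
  const payload = b64u(JSON.stringify({ requestHash, iat: nowMs, exp: nowMs + TTL_MS }));
  return `${payload}.${b64u(crypto.sign(null, Buffer.from(payload), privateKey))}`;
}

// App-server side: offline verification against a pinned backend public key.
function verifyToken(token, publicKey, expectedHash, nowMs) {
  const fail = (reason) => ({ ok: false, reason });
  const parts = String(token).split('.');
  if (parts.length !== 2) return fail('malformed');
  const [payload, sig] = parts;
  // 1. Signature first: no claim is read before the bytes are authenticated.
  let valid = false;
  try {
    valid = crypto.verify(null, Buffer.from(payload), publicKey, Buffer.from(sig, 'base64url'));
  } catch { /* wrong key type or unusable signature: treated as invalid */ }
  if (!valid) return fail('bad-signature');
  let claims;
  try { claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8')); } catch { return fail('malformed'); }
  // 2. Freshness: reject anything past the TTL or with an implausible lifetime.
  if (!Number.isFinite(claims?.exp) || !Number.isFinite(claims?.iat)) return fail('malformed');
  if (claims.exp - claims.iat > TTL_MS) return fail('lifetime-too-long');
  if (nowMs >= claims.exp) return fail('expired');
  // 3. Binding: the token must cover this request, compared in constant time.
  const got = Buffer.from(String(claims.requestHash));
  const want = Buffer.from(expectedHash);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return fail('request-mismatch');
  return { ok: true, claims };
}

// Constructed demo: throwaway key pair and made-up request bodies.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const [body, other, now] = ['{"action":"transfer","amount":25}', '{"action":"transfer","amount":9999}', Date.now()];
  const token = issueToken(privateKey, requestHashOf(body), now);
  return [[body, 5_000], [other, 5_000], [body, TTL_MS]].map(([b, dt]) =>
    verifyToken(token, publicKey, requestHashOf(b), now + dt));
}
console.log(demo());
```

With no nonce in the flow, the requestHash comparison and the 60s expiry are what limit reuse of a captured token, so the app server should treat both as mandatory alongside the signature check.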