
Device Integrity

To ensure the device remains secure and has not been tampered with, we mandate multiple integrity checks. These include a comprehensive SafetyNet or Play Integrity attestation, specific Key Attestation items, and other essential device characteristics. Following Google's announcement of the discontinuation of SafetyNet, PhonePOS supports Google Play Integrity from version v3.07.00 onwards.

SafetyNet fallback

During intensive automated stress testing, we identified that, in rare instances, the Play Integrity API services may crash. This leads to failed attestation requests with a negative result. In such cases, we will still perform a SafetyNet attestation to ensure terminals can continue processing payments.

This chapter provides guidance on verifying whether your device meets the required integrity standards. A positive result is not a guaranteed indication that PhonePOS will function perfectly, but it is a strong indicator. If your device fails the integrity check, please contact us for assistance. We may be able to offer a custom solution. Note that the combination of Play Integrity and Key Attestation is the most cost-effective option.

Preparation

To quickly verify attestation, we recommend downloading the following applications, which implement the same attestation methods that we use.

SPIC

SPIC will help you to verify the Play Integrity & SafetyNet attestation status.
SPIC on Play Store

Key Attestation Demo

Key Attestation Demo will help you to verify the Key Attestation status.
Key Attestation Demo on Play Store

Evaluation

This chapter outlines how to conduct the analysis and specifies the attestation results required.

Play Integrity Attestation

Process

  1. Open the SPIC app
  2. Make sure the “Play Integrity” section is selected at the bottom
  3. Leave the request settings as they are (Nonce: local, verdict: local)
  4. Click “Make Play Integrity Request”
  5. Scroll down so that the line “Play Integrity Result” is at the top of the screen
  6. Take a screenshot or, if that is not possible, a picture with a second phone

Requirements

  1. Device integrity: MEETS_DEVICE_INTEGRITY or MEETS_STRONG_INTEGRITY (better)

Example

playintegrity.webp

SafetyNet Attestation

Process

  1. Open the SPIC app
  2. Make sure the “SafetyNet” section is selected at the bottom
  3. Leave the request settings as they are (Nonce: local, verdict: local)
  4. Click “Make SafetyNet Attestation Request”
  5. Scroll down so that the line “SafetyNet Attestation Result” is at the top of the screen
  6. Take a screenshot or, if that is not possible, a picture with a second phone

Requirements

  1. Basic Integrity: Passed
  2. CTS Profile Match: Passed

Example

safetynet.webp

Key Attestation Demo

Process

  1. Open the “Key Attestation Demo” app
  2. Take a screenshot or, if that is not possible, a picture with a second phone
  3. Verify that the bootloader state is readable
  4. Verify that the “Authorization list” entry is visible
  5. If it is not visible, take a second screenshot (or picture) with this entry visible

Requirements

  1. Bootloader state: locked
  2. Security level: TrustedEnvironment or StrongBox (better)
  3. Verified boot state: Verified

Example

keyattestation.webp
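
The requirements listed in the three Evaluation sections, together with the SafetyNet fallback, can be expressed as one policy check. The following is an added example, not PhonePOS code: it assumes the attestation results have already been signature-verified and decoded, that the key attestation data is available as a dict (a hypothetical parsed form of the attestation extension), and that the fallback applies only when the Play Integrity request returned no verdict at all.

```python
# Added example. Key names follow the decoded Play Integrity verdict, the
# SafetyNet payload and the Android key attestation schema.
ACCEPTED_DEVICE_VERDICTS = {"MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"}
ACCEPTED_SECURITY_LEVELS = {"TrustedEnvironment", "StrongBox"}

def check_play_integrity(verdict):
    labels = verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if ACCEPTED_DEVICE_VERDICTS.isdisjoint(labels):
        return ["Play Integrity: device integrity not met"]
    return []

def check_safetynet(payload):
    failures = []
    # "is not True" makes a missing or non-boolean field fail closed.
    if payload.get("basicIntegrity") is not True:
        failures.append("SafetyNet: Basic Integrity not passed")
    if payload.get("ctsProfileMatch") is not True:
        failures.append("SafetyNet: CTS Profile Match not passed")
    return failures

def check_key_attestation(att):
    root = att.get("rootOfTrust", {})
    failures = []
    if root.get("deviceLocked") is not True:
        failures.append("Key Attestation: bootloader not locked")
    if att.get("attestationSecurityLevel") not in ACCEPTED_SECURITY_LEVELS:
        failures.append("Key Attestation: security level not TrustedEnvironment/StrongBox")
    if root.get("verifiedBootState") != "Verified":
        failures.append("Key Attestation: verified boot state not Verified")
    return failures

def evaluate_device(play_integrity, safetynet, key_attestation):
    """Return unmet requirements (empty list: all met). Assumption:
    play_integrity is None when the request failed; SafetyNet is then used."""
    if play_integrity is not None:
        failures = check_play_integrity(play_integrity)
    elif safetynet is not None:
        failures = check_safetynet(safetynet)
    else:
        failures = ["No Play Integrity or SafetyNet result available"]
    return failures + check_key_attestation(key_attestation)

if __name__ == "__main__":
    # Constructed sample: no Play Integrity verdict, SafetyNet passes,
    # bootloader unlocked.
    ka = {"attestationSecurityLevel": "TrustedEnvironment",
          "rootOfTrust": {"deviceLocked": False, "verifiedBootState": "Unverified"}}
    print(evaluate_device(None, {"basicIntegrity": True, "ctsProfileMatch": True}, ka))
```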