Understanding Device Attestation
Richard Achampong
Principal Engineer
Device attestation is one of the most powerful—and least understood—security features in modern mobile authentication. Let's take a deep dive into how it works and why it matters.
What Is Device Attestation?
Device attestation is a mechanism that allows a server to verify that a request comes from a genuine, unmodified device running authentic software. It's like a notarized certificate for your phone that says "this device is real and hasn't been tampered with."
What Attestation Verifies
- The device is genuine hardware (not an emulator)
- The operating system hasn't been modified (not rooted/jailbroken)
- The app is the authentic version from the official store
- Hardware-backed security features are available
How It Works: The Technical Details
The attestation process involves three parties: your app, the device's secure hardware, and the platform vendor's attestation service. Here's how they work together:
// Simplified attestation flow

// 1. Server generates a random challenge (nonce)
challenge = crypto.randomBytes(32)

// 2. App requests attestation from secure hardware
attestation = device.attest(challenge, appId)

// 3. Secure hardware creates a signed statement
{
  "challenge": "abc123...",
  "device": {
    "model": "Pixel 7",
    "integrity": "MEETS_STRONG_INTEGRITY"
  },
  "app": {
    "packageName": "com.affirmid.app",
    "certificateHash": "sha256:xyz..."
  },
  "timestamp": 1699999999,
  "signature": "SIGNED_BY_HARDWARE_KEY"
}

// 4. Server verifies the signature against Google/Apple root certificates
// 5. Server checks that the challenge matches and the app is legitimate
Platform-Specific Implementations
Android: Play Integrity API
Google's Play Integrity API (which replaced SafetyNet) provides three levels of integrity signals:
MEETS_DEVICE_INTEGRITY
App is running on a genuine Android device. Emulators and virtual devices fail this check.
MEETS_BASIC_INTEGRITY
Device may be rooted but passes basic checks. Useful for less sensitive operations.
MEETS_STRONG_INTEGRITY
Device has hardware-backed key attestation. Highest assurance level available.
iOS: App Attest
Apple's App Attest service uses the Secure Enclave to generate attestations. Key features include:
- Hardware-bound keys: Private keys never leave the Secure Enclave
- Counter-based assertions: Each assertion increments a counter, preventing replay attacks
- Risk metrics: Apple provides fraud risk signals based on device behavior
What Attackers Can't Do
Device attestation makes several attack vectors significantly harder:
Emulator Attacks
Can't impersonate a legitimate device from an emulator or simulator—attestation will fail.
Repackaged Apps
Modified or repackaged apps fail signature verification in attestation.
Hooking Frameworks
Hooking tools like Frida or Xposed depend on device or app modifications that integrity checks detect.
Replay Attacks
Challenge-response with nonces ensures old attestations can't be reused.
Limitations and Considerations
Attestation is powerful, but it's not a silver bullet. There are important limitations to understand:
Not All Devices Support It
Strong attestation requires specific hardware. Older devices or budget phones may only support basic integrity checks. Your app needs graceful fallbacks for these cases.
Legitimate Users on Rooted Devices
Some users root their devices for legitimate reasons (custom ROMs, development, etc.). Strict attestation policies may block these users. Consider your audience and the sensitivity of your use case.
Cat and Mouse Game
Attackers continuously develop new bypass techniques. Google and Apple regularly update their attestation services in response. Always use the latest SDK versions and stay informed about known bypasses.
How AffirmID Uses Attestation
In our authentication flow, device attestation adds a crucial security layer:
1. Device Registration: When you first set up AffirmID, we verify your device passes attestation checks.
2. Authentication Requests: Each push notification response includes a fresh attestation.
3. Risk Signals: We incorporate attestation results into our risk scoring for each authentication.
4. Configurable Policies: Organizations can set their own attestation requirements based on risk tolerance.
Implementation Best Practices
If you're implementing attestation in your own app, keep these practices in mind:
- Always verify server-side: Never trust attestation results checked only on the client
- Use fresh challenges: Generate a new nonce for each attestation request
- Validate certificate chains: Verify the attestation signature chain up to the platform root
- Handle failures gracefully: Have fallback paths for devices that don't support attestation
- Monitor and alert: Track attestation failure rates to detect potential attacks
Conclusion
Device attestation is one of the most underutilized security features available to mobile developers. While it's not perfect, it significantly raises the bar for attackers trying to impersonate legitimate devices or tamper with your app.
For authentication systems like AffirmID, attestation is a crucial layer of defense that helps ensure the device approving a login request is actually the user's trusted device—not an attacker's emulator or compromised phone.
Want to learn more?
Check out our technical documentation on device attestation configuration and API details.