Is it possible to determine if an Android (banking) app is using hardware attestation, instead of Play Integrity API?

[wutr]

As per the title, is it possible to determine if an Android (banking) app is using hardware attestation, instead of Play Integrity API?

The list at https://privsec.dev/posts/android/banking-applications-compatibility-with-grapheneos/ only indicates if an app is working currently, not necessarily if it's likely to do so in the future. The reports at https://github.com/PrivSec-dev/banking-apps-compat-report/issues/ are helpful, but don't necessarily include this information either, until they stop working.

[wj25czxj47bu6q]

@akc3n

[akc3n]

@wutr,

As per the title, is it possible to determine if an Android (banking) app is using hardware attestation, instead of Play Integrity API?

Check the bank's app settings for the feature option once you log in.. Otherwise, if you don't have an account with that bank, then unless the information is stated on published app listings or the bank's website, you may have to inquire directly from the bank.
There are advanced methods to potentially find hints of this, but I think that would be out of scope here.

The timeline for (bank) apps to switch over to the new Play Integrity API is here https://developer.android.com/privacy-and-security/safetynet/deprecation-timeline#safetynet_attestation_deprecation_timeline

There is really no way to determine during that time frame ^ when a financial institutions internal or external app development team would be releasing an update with the Play Integrity API, which needs pass both basicIntegrity and ctsProfileMatch to MEETS_DEVICE_INTEGRITY

The list at https://privsec.dev/posts/android/banking-applications-compatibility-with-grapheneos/ only indicates if an app is working currently...

That's right.

not necessarily if it's likely to do so in the future.

Users are responsible for updating their reports or others who use same banking apps and tracking the status of the reports may also update it in the comments of that report.

I will look into your question a bit more in depth as time permits and find out if any additional information from the developer side of things should be added here.

[wutr]

Thank you for the comprehensive reply. What I was hoping to accomplish is to determine a way to guarantee (in so far as that is possible) that an app works on GrapheneOS using hardware attestation, as I understood that to be a requirement for GrapheneOS because the Play Integrity API would cause false positives.

However I now understand it differently: The Play Integrity API can work with or without hardware attestation, but only if hardware attestation is utilised will an app using the Play Integrity API work on GrapheneOS. Is that correct?

If so, then simply knowing whether the Play Integrity API is utilised doesn't help, as you suggest.