Android Setup & Backend Verification
复制一个包含安装步骤和完整 Markdown 指南的配置提示。
Android native system used
Section titled “Android native system used”On Android, this plugin uses Google Play Integrity Standard API:
prepareIntegrityTokenduringprepare()requestStandardIntegrityTokenforcreateAttestation()andcreateAssertion()
Requirements
Section titled “需求”- 通过 Google Play 生态系统发布的 Android 应用
- 设备上可用的 Google Play 服务
- 为您的应用启用了 Play Integrity API
- 已配置的 Google 云项目号
Google 设置
Section titled “Google 设置”- 启用 Play Integrity API 在您的 Google 云项目中
- 打开 Play Console 并为您的应用配置 Play Integrity 访问权限。
- 提供
cloudProjectNumber到插件。
Capacitor 配置
标题:Capacitor 配置plugins: { AppAttest: { cloudProjectNumber: '123456789012', },}您还可以传递 cloudProjectNumber 每次调用方法选项中的
客户端流程
标题:客户端流程import { AppAttest } from '@capgo/capacitor-app-attest';
const { keyId } = await AppAttest.prepare({ cloudProjectNumber: '123456789012',});
const attestation = await AppAttest.createAttestation({ keyId, challenge: 'backend-registration-challenge',});
const assertion = await AppAttest.createAssertion({ keyId, payload: 'backend-request-payload',});token 是一个Play Integrity令牌,必须在服务器端解码。
后端工作流(Android)
Section titled “Android 后端工作流程”Registration (createAttestation)
Section titled “注册 (createAttestation)”- 后端创建一次性
challenge. - App 调用
createAttestation({ keyId, challenge }). - 后端调用 Google
decodeIntegrityTokenAPI. - 后端至少验证:
requestDetails.requestHash === base64url(SHA256(challenge))appIntegrity.packageName等于您的 Android 应用程序 IDappIntegrity.certificateSha256Digest包含您的发布签名证书摘要- 完整性判决与您的安全策略匹配
请求保护 (createAssertion)
Section titled “防止请求保护(createAssertion)”- 后端创建一次性
payload. - App调用
createAssertion({ keyId, payload }). - 后端解码令牌并检查
requestHash === base64url(SHA256(payload)). - 强制实施重放防护(单次使用 + TTL)和完整性判决策略。
Android schema
Section titled “Android schema”sequenceDiagram participant App as Android App participant Plugin as AppAttest plugin participant PlaySDK as Play Integrity SDK participant BE as Backend participant Google as decodeIntegrityToken API
App->>Plugin: prepare(cloudProjectNumber) Plugin->>PlaySDK: prepareIntegrityToken() PlaySDK-->>Plugin: provider handle (keyId)
BE->>App: one-time challenge App->>Plugin: createAttestation(keyId, challenge) Plugin->>PlaySDK: requestStandardIntegrityToken(requestHash) PlaySDK-->>Plugin: integrity token Plugin-->>App: token + platform + format + keyId App->>BE: token + challenge + keyId BE->>Google: decodeIntegrityToken(token) Google-->>BE: decoded payload BE->>BE: verify requestHash + app identity + verdicts
BE->>App: one-time payload App->>Plugin: createAssertion(keyId, payload) Plugin->>PlaySDK: requestStandardIntegrityToken(requestHash) PlaySDK-->>Plugin: integrity token App->>BE: token + payload + keyId BE->>Google: decodeIntegrityToken(token) Google-->>BE: decoded payload BE->>BE: verify requestHash + replay policy最小后端载荷契约
Section titled “最小后端载荷契约”注册:
{ "platform": "android", "format": "google-play-integrity-standard", "keyId": "string", "challenge": "string", "token": "string"}断言:
{ "platform": "android", "format": "google-play-integrity-standard", "keyId": "string", "payload": "string", "token": "string"}从 Android Setup 和 Backend Verification 中继续
标题:从 Android Setup 和 Backend Verification 中继续如果您正在使用 Android Setup 和 Backend Verification 来规划安全性和合规性,连接它到 使用 @capgo/capacitor-app-attest 用于在使用 @capgo/capacitor-app-attest 中的原生能力 加密 用于加密的实现细节 合规性 为 Compliance 的实现细节 Capgo 安全扫描器 为 Capgo 安全扫描器 的产品工作流程, 和 Capgo 安全 为 Capgo 安全 的产品工作流程,