Key attestation best practice (Android) #3756
Diolor wants to merge 28 commits into OWASP:master from Diolor:key-attestation-best-practice
Conversation
Pull request overview
This PR adds Android-focused guidance around Key Attestation by introducing new Knowledge pages (generic Key Attestation plus device/app-attestation-focused pages) and a new Best Practice that recommends using server-verified, hardware-backed attestation for integrity decisions.
Changes:
- Moves/reworks the existing Key Attestation Knowledge content into MASVS-RESILIENCE and expands it with certificate-chain and field interpretation details.
- Adds two new Knowledge pages for device attestation (rootOfTrust) and application attestation (attestationApplicationId).
- Adds a new Android Best Practice describing a server-driven attestation flow and verification checks; updates related Storage Knowledge pages to reference the new Key Attestation KNOW.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| knowledge/android/MASVS-STORAGE/MASTG-KNOW-0047.md | Updates wording around using Key Attestation to verify keys are hardware-backed. |
| knowledge/android/MASVS-STORAGE/MASTG-KNOW-0045.md | Adds an explicit cross-reference to the Key Attestation Knowledge page. |
| knowledge/android/MASVS-STORAGE/MASTG-KNOW-0044.md | Removes the old Storage-category Key Attestation Knowledge page content (relocated). |
| knowledge/android/MASVS-RESILIENCE/MASTG-KNOW-0044.md | Adds the new Resilience-category Key Attestation Knowledge page with updated structure and references. |
| knowledge/android/MASVS-RESILIENCE/MASTG-KNOW-01kw.md | Adds a new Knowledge page focused on device attestation fields (root of trust). |
| knowledge/android/MASVS-RESILIENCE/MASTG-KNOW-02kw.md | Adds a new Knowledge page focused on application attestation fields (application ID). |
| best-practices/MASTG-BEST-00be.md | Adds a new Best Practice recommending hardware-backed key attestation for device/app integrity. |
| For a reference implementation, see [Dionysis Lorentzos' Android-Security sample](https://github.com/Diolor/Android-Security/blob/main/app/src/main/java/dio/security/crypto/KeyManager.kt#L45-L70). | ||
|
|
||
| ## Reading the X.509 Certificate | ||
|
|
||
| The returned [X509Certificate](https://developer.android.com/reference/kotlin/java/security/cert/X509Certificate) chain from [`KeyStore.getCertificateChain(alias)`](https://developer.android.com/reference/kotlin/java/security/KeyStore#getcertificatechain) can be inspected to determine the key properties. X.509 certificates are described by [ASN.1 format](https://source.android.com/docs/security/features/keystore/attestation#tbscertificate-sequence) and the Android-specific extensions (certificate's payload) can be requested with OID `1.3.6.1.4.1.11129.2.1.17`. This attestation extension content is described by the [ASN.1 schema KeyDescription](https://source.android.com/docs/security/features/keystore/attestation#schema). | ||
|
|
||
| For a sample decoding functionality of X.509 certificate's payload, you may consult [Dionysis Lorentzos' - Simple attestation converter](https://github.com/Diolor/Android-Security/blob/main/app/src/main/java/dio/security/crypto/attestation/Attestation.kt#L34-L64). |
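Review bot: the paragraph beginning "The returned X509Certificate chain" explains where to find and how to decode the attestation extension (OID 1.3.6.1.4.1.11129.2.1.17) but does not say that the chain's signatures should first be validated up to the trusted Android attestation root, nor that the extension is taken from the leaf certificate only; without that sentence a reader may treat a successfully parsed KeyDescription as trustworthy on its own, which contradicts the "server-verified" framing of this PR. Also, "For a sample decoding functionality of X.509 certificate's payload" reads awkwardly; consider "For sample code that decodes the attestation extension, see ...".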
This Knowledge page links to non-official, personal GitHub repositories as “reference implementations”. Knowledge pages are expected to rely on official documentation/standards; consider replacing these with official sources (Android docs, AOSP, or Google-maintained samples) or move third-party samples to DEMO/tooling content.
I could copy the sample code here; however, the reader might lose context.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
| @@ -0,0 +1,73 @@ | ||
| --- | ||
| title: Mitigate the Risk of API Keys Hardcoded in the App Package |
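Review bot: the front-matter title "Mitigate the Risk of API Keys Hardcoded in the App Package" does not match the file summary in the review table, which describes MASTG-BEST-00be as recommending hardware-backed key attestation for device/app integrity; state the same scope in both places (attestation as a mitigation for hardcoded API keys, or integrity verification in general) so the title, the opening paragraph and the MASWE mapping agree.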
This is a best practice for MASWE-0005. Attestation is a critical component of it.
This PR closes #3505
Description
Adds info regarding key attestation:
Bonus: Added a Test + Demo for attestation
TODO:
AI Tool Disclosure
[x] This contribution includes AI-generated content.
AI tools used: Claude 4.6 for grammar, feedback and reading cohesion