mobile / attestation reference


reference only · the web cannot attest mobile

the off-browser axis: device and app attestation on android and ios, and the evasion and proxy vectors that attack them. there is no live self-probe and no harness data here: a web page has no path to a device's secure enclave or to play services, so nothing on this axis can be measured from the browser. this is a reading surface, kept for the completeness of the picture.

reference as-of 2026-06-15

  • android · attestation
  • ios · attestation
  • cross-surface · proxy

google play integrity api

android · attestation

mechanism

an app asks google play services to vouch for the request, passing a server-minted nonce so the verdict is bound to one transaction. play returns an encrypted, signed verdict token carrying three verdicts: device integrity (is this a genuine, uncompromised android device), app integrity (is this the unmodified play-distributed binary, matched on package name and signing-certificate digest), and account/licensing. the app's server hands the opaque token to google's decryption endpoint (or decrypts it with keys issued through the play console) and applies policy to the decoded verdict there; the client never self-reports.

what it proves

that a request comes from a genuine play-certified device running the official app, not an emulator, a rooted device, or a repackaged apk. the binding is to play services plus the device, not to anything the page's javascript can read. it does not prove the request was human-initiated: a genuine device driven by automation, or rented out, still passes.

attacked by

notes

supersedes safetynet attestation (deprecated, with shutdown completing through 2024-2025). the strong-integrity label leans on hardware-backed proof of boot integrity (keys in the tee / strongbox), which raises the bar but is still bypassable on compromised devices and via play-services hooking on rooted hardware; the lower labels (basic, device) are produced by software on the device before signing and are the usual target. rate-limited and quota'd per app, so it is a gate for high-value actions, not a per-request stamp, and each verdict should be consumed exactly once against the nonce that was minted for it.
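server-side policy over a decoded play integrity verdict, covering the mechanism above (nonce binding, package and certificate pinning, device-integrity level) and the notes (one-time consumption, freshness). this is an added example, not google's code and not part of the original page: it assumes the server has already exchanged the opaque token for the decoded verdict json (the call to google's decryption endpoint is out of scope), and the package name, certificate digest, clock value and verdict bodies are constructed samples in the documented verdict shape.

```python
"""Policy over a decoded Play Integrity verdict (added example, not Google's code).

Assumes the opaque token was already decoded via Google's decryption endpoint.
Field names follow the documented verdict shape; the package name, digest,
clock and sample verdicts below are constructed for the example.
"""
import base64
import os
from dataclasses import dataclass, field

EXPECTED_PACKAGE = "com.example.bank"                  # assumed app package
EXPECTED_CERT_DIGESTS = {"6a6a1474b5cbbb2b1aa57e0bc3"}  # assumed release-signing digest
MAX_AGE_MS = 5 * 60 * 1000                              # verdict older than this is stale
MAX_SKEW_MS = 60 * 1000                                 # tolerated clock skew into the future
NOW_MS = 1_750_000_000_000                              # constructed "current time" for the demo
DEVICE_RANK = {"MEETS_BASIC_INTEGRITY": 1, "MEETS_DEVICE_INTEGRITY": 2, "MEETS_STRONG_INTEGRITY": 3}


@dataclass
class Decision:
    ok: bool
    reasons: list = field(default_factory=list)  # every failed check, for logging


class NonceStore:
    """Nonces the server minted for pending actions; each one is consumed exactly once."""

    def __init__(self):
        self._pending = {}

    def issue(self, action: str) -> str:
        # base64url without padding, as the Integrity API expects the nonce
        nonce = base64.urlsafe_b64encode(os.urandom(32)).decode().rstrip("=")
        self._pending[nonce] = action
        return nonce

    def consume(self, nonce: str):
        return self._pending.pop(nonce, None)  # None: unknown, or already used (replay)


def device_level(verdict: dict) -> int:
    """Highest device-integrity label present; works whether Google returns one label or all satisfied ones."""
    labels = verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    return max((DEVICE_RANK.get(lbl, 0) for lbl in labels), default=0)


def evaluate(verdict: dict, store: NonceStore, action: str, now_ms: int,
             required_level: int = DEVICE_RANK["MEETS_DEVICE_INTEGRITY"],
             require_license: bool = False) -> Decision:
    reasons = []
    req = verdict.get("requestDetails", {})
    app = verdict.get("appIntegrity", {})

    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        reasons.append("request package mismatch")

    bound = store.consume(req.get("nonce", ""))  # consumed even if later checks fail
    if bound is None:
        reasons.append("nonce unknown or already consumed (replay)")
    elif bound != action:
        reasons.append("nonce was minted for a different action")

    try:
        ts = int(req.get("timestampMillis", "0"))  # documented as a string of millis
    except ValueError:
        ts = 0
    if ts > now_ms + MAX_SKEW_MS or now_ms - ts > MAX_AGE_MS:
        reasons.append("verdict timestamp stale or in the future")

    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append(f"app not play-recognized: {app.get('appRecognitionVerdict')}")
    if app.get("packageName") != EXPECTED_PACKAGE:
        reasons.append("app package mismatch")
    if not EXPECTED_CERT_DIGESTS & set(app.get("certificateSha256Digest", [])):
        reasons.append("signing certificate not pinned")

    level = device_level(verdict)
    if level < required_level:
        reasons.append(f"device integrity below required level ({level} < {required_level})")

    if require_license and verdict.get("accountDetails", {}).get("appLicensingVerdict") != "LICENSED":
        reasons.append("app not licensed")

    return Decision(not reasons, reasons)


def sample_verdict(nonce: str, ts_ms: int, **overrides) -> dict:
    """Constructed verdict in the documented decoded shape (not real Google output)."""
    v = {
        "requestDetails": {"requestPackageName": EXPECTED_PACKAGE, "timestampMillis": str(ts_ms), "nonce": nonce},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED", "packageName": EXPECTED_PACKAGE,
                         "certificateSha256Digest": sorted(EXPECTED_CERT_DIGESTS), "versionCode": "42"},
        "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY"]},
        "accountDetails": {"appLicensingVerdict": "LICENSED"},
    }
    for section, fields in overrides.items():
        v[section].update(fields)
    return v


def demo() -> dict:
    """Genuine verdict, the same verdict replayed, a rooted device, a repackaged apk, a stale verdict."""
    store = NonceStore()
    good = sample_verdict(store.issue("transfer"), NOW_MS)
    out = {"genuine": evaluate(good, store, "transfer", NOW_MS),
           "replay": evaluate(good, store, "transfer", NOW_MS)}
    out["rooted"] = evaluate(sample_verdict(store.issue("transfer"), NOW_MS,
                             deviceIntegrity={"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY"]}),
                             store, "transfer", NOW_MS)
    out["repackaged"] = evaluate(sample_verdict(store.issue("transfer"), NOW_MS,
                                 appIntegrity={"appRecognitionVerdict": "UNRECOGNIZED_VERSION",
                                               "certificateSha256Digest": ["deadbeef"]}),
                                 store, "transfer", NOW_MS)
    out["stale"] = evaluate(sample_verdict(store.issue("transfer"), NOW_MS - 2 * MAX_AGE_MS),
                            store, "transfer", NOW_MS)
    return out


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:<11} ok={d.ok} {d.reasons}")
```

the nonce is consumed before any other check so a failed verdict cannot be retried, and every failed check is collected rather than returning on the first one, which is what you want in the server log when a real device starts failing only the device-integrity line (a root or a play-services hook) versus only the certificate line (a repackaged build).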

confidence
confirmed
as-of
2026-06-15

go deeper

  • → ai-agent detection: the declared-agent attestation parallel, signed agents (web bot auth) vs hardware-backed device tokens.
  • → network details: where sdk-proxy networks surface, the residential / mobile asn class on the transport axis.
  • → velocity & device reputation: the money lens, when a rented real device passes attestation, reputation and velocity are what is left.

go deeper

  • → ai-agent detection: the web-to-app collusion vector, an operator on web, an attested app on the same device, signals stitched.
  • → network details: the sdk-proxy axis, mobile traffic relayed to look residential, and the transport reputation it inherits.
  • → velocity & device reputation: attestation as the strongest device-reputation signal, where the off-browser axis meets the money lens.