Proof that with a few hours work, you can easily provide aribitrary data to the Google SafetyNet API and receive a valid Attestation signed by attest.android.com.
I've captured the HARDWARE_BACKED flag. Check this comment.
This is only a software backed attestation, as you can see with the evaluationType=BASIC. I don't have any devices that support hardware backed attestations via TEE, however once I do, I'll be taking a look into them 🤠
- nonce: base64(
liam@liamcottle.com) - packageName:
liam@liamcottle.com