Attestation (Play Integrity & DeviceCheck)
PushWave uses native attestation to reduce spoofed tokens and leaked keys. The SDK collects attestation data; the backend (when opened) will validate it before accepting tokens.
Android (Play Integrity)
What you provide:
- `packageName`
- SHA-256 signing cert fingerprints (all of them: the Play App Signing cert plus any upload/rotation certs)
- The SDK must call Play Integrity with the PushWave cloud project number (we will serve this from the backend)
Validation (backend):
- Checks `packageName` and `certificateSha256Digest` against your stored values.
- Checks verdicts (`PLAY_RECOGNIZED`, device integrity levels).
- Uses PushWave's service account + OAuth to decode tokens (no Google API key needed).
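The backend-side checks listed above, written out as an added example (this is illustrative code, not PushWave's own backend). It assumes the token has already been decoded by Google into the documented Play Integrity verdict JSON (`requestDetails`, `appIntegrity`, `deviceIntegrity`) and compares it against stored values. The package name, fingerprints and payload below are constructed. One detail worth seeing in code: keytool and the Play Console show fingerprints as colon-separated hex, while `certificateSha256Digest` carries the same bytes base64url-encoded without padding, so the stored form must be converted before comparison. The freshness check on `timestampMillis` is an added caveat beyond the list above.

```python
import base64
import time

# Constructed stored values for one registered app (not real PushWave data).
STORED_PACKAGE_NAME = "com.example.pushwave.demo"
# Fingerprints as shown by keytool / Play Console (hex, colon-separated):
# the Play App Signing cert plus the upload cert, as the page asks for both.
STORED_CERT_FINGERPRINTS_HEX = [
    "14:6D:E9:83:C5:73:06:50:D8:EE:B9:95:2F:34:FC:64:16:A0:83:42:E6:1D:BE:A8:8A:04:96:B2:3F:CF:44:E5",
    "A4:0D:A8:0A:59:D1:70:CA:A9:50:CF:15:C1:8C:45:4D:47:A3:9B:26:98:9D:8B:64:0E:CD:74:5B:A7:1B:F5:DC",
]
ALLOWED_APP_VERDICTS = {"PLAY_RECOGNIZED"}
# Assumed policy: require at least MEETS_DEVICE_INTEGRITY; tighten as needed.
REQUIRED_DEVICE_VERDICTS = {"MEETS_DEVICE_INTEGRITY"}
MAX_VERDICT_AGE_SECONDS = 300


def hex_fingerprint_to_play_digest(fingerprint_hex: str) -> str:
    """Convert a keytool-style hex fingerprint to the base64url (no padding)
    form that Play Integrity reports in certificateSha256Digest."""
    raw = bytes.fromhex(fingerprint_hex.replace(":", ""))
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def validate_play_integrity_verdict(payload, stored_package, stored_fingerprints_hex, now=None):
    """Return (accepted, reason) for a decoded Play Integrity verdict payload."""
    now = time.time() if now is None else now
    expected_digests = {hex_fingerprint_to_play_digest(f) for f in stored_fingerprints_hex}
    app = payload.get("appIntegrity", {})
    device = payload.get("deviceIntegrity", {})
    request = payload.get("requestDetails", {})

    # 1. The app must be one Play recognizes (not sideloaded or repackaged).
    if app.get("appRecognitionVerdict") not in ALLOWED_APP_VERDICTS:
        return False, "app not recognized by Play"

    # 2. packageName must match both the app section and the request section.
    if app.get("packageName") != stored_package or request.get("requestPackageName") != stored_package:
        return False, "packageName mismatch"

    # 3. Every reported signing cert digest must be one we have on file.
    reported = set(app.get("certificateSha256Digest", []))
    if not reported or not reported.issubset(expected_digests):
        return False, "signing certificate mismatch"

    # 4. Device integrity verdicts must reach the required level.
    device_verdicts = set(device.get("deviceRecognitionVerdict", []))
    if not REQUIRED_DEVICE_VERDICTS.issubset(device_verdicts):
        return False, "device integrity below required level"

    # 5. Reject stale or future-dated verdicts so a captured one cannot be replayed later.
    try:
        issued_at = int(request.get("timestampMillis", 0)) / 1000
    except (TypeError, ValueError):
        return False, "malformed timestamp"
    if not (now - MAX_VERDICT_AGE_SECONDS <= issued_at <= now + 60):
        return False, "verdict too old or from the future"

    return True, "ok"


# Constructed sample verdict in Google's documented shape (values are made up).
GOOD_PAYLOAD = {
    "requestDetails": {
        "requestPackageName": STORED_PACKAGE_NAME,
        "nonce": "constructed-nonce",
        "timestampMillis": "1700000000000",
    },
    "appIntegrity": {
        "appRecognitionVerdict": "PLAY_RECOGNIZED",
        "packageName": STORED_PACKAGE_NAME,
        "certificateSha256Digest": [hex_fingerprint_to_play_digest(STORED_CERT_FINGERPRINTS_HEX[0])],
        "versionCode": "42",
    },
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY"]},
}

if __name__ == "__main__":
    print(validate_play_integrity_verdict(
        GOOD_PAYLOAD, STORED_PACKAGE_NAME, STORED_CERT_FINGERPRINTS_HEX, now=1700000100))
```

The reported digest set is required to be a subset of the stored set rather than merely to overlap it, so a verdict naming any certificate you do not know is rejected; when rotating signing keys, add the new fingerprint before shipping builds signed with it.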
Requirements:
- Build distributed via Play (internal/closed track is fine) with Play App Signing.
- Play Integrity enabled for the app.
- Expo Go not supported; use EAS/Dev Client builds.
iOS (DeviceCheck)
What you provide:
- `teamId`, `keyId`, `bundleId`
- `.p8` private key (stored encrypted)
Validation (backend):
- Signs requests to Apple's DeviceCheck with your `.p8` and metadata.
- Verifies the token before accepting/storing a push token.
Requirements:
- Real builds (dev client or TestFlight). Expo Go is not supported once native code is involved.
Data handling
- Android: only `packageName`, SHA-256 certs, and attestation verdicts are stored. Google API keys are not required.
- iOS: `.p8` is encrypted at rest; metadata (`teamId`, `keyId`, `bundleId`) is stored in clear.
- Both platforms: project secret + API key are required when calling PushWave (once the API opens).
Current status
- Attestation is wired in the SDK; backend enforcement will be enabled when the SaaS opens.
- Treat attestation as best-effort until GA; tokens may be accepted without strict blocking during alpha.