Replace Google SafetyNey with Play Integrity

[EdilsonGalvao]

This PR updates SafetyNet content for Play Integrity.

Complete rewrite of the content highlighting the main points: summary, limitations, best practices and errors.
Update of references.
JSON example.

• Your contribution is written in the 2nd person (e.g. you)
• Your contribution is written in an active present form for as much as possible.
• You have made sure that the reference section is up to date (e.g. please add sources you have used, make sure that the references to MITRE/MASVS/etc. are up to date)
• Your contribution has proper formatted markdown and/or code
• Any references to website have been formatted as [TEXT](URL “NAME”)
• You verified/tested the effectiveness of your contribution (e.g.: is the code really an effective remediation? Please verify it works!)

This PR closes #686.
owasp-masvs/issues/686

[cpholguera]

Thanks for opening the PR @EdilsonGalvao!

@SirionRazzer would you mind reviewing it? Thank you very much!

[TheDauntless]

I've made 2 suggestions which you can quickly 'accept' if you agree.

[TheDauntless]

Hi @EdilsonGalvao!

Thanks for the contribution! 🎉

I made two suggestions based on the usage of the word 'attest'. If you agree with them, please click the Merge buttons and then we can merge this PR! :)

[SirionRazzer]

Hi @EdilsonGalvao ,
I reviewed the content, and I think we should consider moving the whole section to the bottom of the document (above References section). Also, it would be good to prepend it with an introduction paraph. What do you think about the following one? Enveloping it with a general overview of attestation/anti-fraud services would be beneficial for the reader to understand the broader landscape of attestation without promoting just Google's.

DISCLAIMER:
I work for Talsec, and in the text below, I added its commercial service 'Talsec AppiCrypt' because it is relevant in this context. I believe it doesn't violate Contributing guideline (https://mas.owasp.org/contributing/#what-not-to-do) claiming that 'Commercial tools are typically not accepted, but might be referenced in some specific cases.'.

If we agree on this, I would follow with accepting your current submission and creating a new PR with the suggested change:

...

Integrated anti-fraud services

Anti-fraud services like Google Play Integrity, Huawei SysIntegrity API, Talsec AppiCrypt, Copperhead, and GrapheneOS provide users and businesses with a range of options to protect against fraudulent activities in the digital space. The choice between these services is based on several factors, including the intended use case, operational area, data processing, legal aspects, and differentiating features.

For example, Google Play Integrity is a popular choice for Android developers as it provides a comprehensive suite of services to detect and prevent fraudulent activity within Google Play Services-enabled devices. However, Google Play Integrity may not be usable with some enterprise devices, such as point-of-sale (POS) or kiosks that run on vanilla Android or in non-Google areas where Google services are unavailable.

These services offer features like app and device tampering protection, API protection, license verification, or physical tampering protection, enabling businesses to validate the genuinity of devices, client apps, or API requests and verify that it has not been tampered with by a third party. It is essential to assess each service's strengths and weaknesses and consider the application's specific needs.

Google Play Integrity

[your current submission]

References

...

[EdilsonGalvao]

Hello @SirionRazzer
Yeah, that makes a sense. Feeling free to accept this PR.
After that, we can add the Device Check for IOS in the tool list described in 'Integrated anti-fraud services' topic as well.

[TheDauntless]

The current location isn't too important, since we are working on a major refactor of the entire guide and everything will be split up into different files.

The intro is nice, but I don't think referencing commercial products is needed here or adds any value. The typical exceptions for adding commercial products are tools such as Ida Pro, Hopper, JEB, ... . In that same logic, why not add GuardSquare, zImperium, Promon, OneSpan, ..., which all provide some form of commercial RASP services with threat-signals for context based risk assessment, application-layer encrypted communication, etc? I can't immediately find any technical documents that explain how AppiCrypt is different from these other commercial products either.

I'm also not that familiar with GrapheneOS and Copperhead, but we should at least refer to specific integrity solutions/features rather than just the name of the OS.

[EdilsonGalvao]

Hello @TheDauntless
Reading your comment, and Issue 2376.
I believe that we can to approve this PR, because it is just an update of the old content, and it doesn't change the chapter structure.
Posteriorly, We can add a new chapter with third party tools as requested by Mr. @sushi2k

[SirionRazzer]

@TheDauntless My main intention was to generalize this topic and highlight alternatives to Google Play Integrity. The original SafetyNet and the proposed Play Integrity update may mislead the reader to think these are the only option for the app to backend protection.

The original article describes techniques used in RASP technology. Google Play Integrity/others are a step towards API protection and are better categorized as a WAAP technology. I think this guide shouldn't include Google Play Integrity without further explanation. Ultimately, there should be separate testing procedures regarding the WAAP technology (it's MASTG, after all). Still, Google Play Integrity demonstrates such technology and can be used as an implementation example.

[0xroot-bf]

Some minor style tweaks to remain consistent with other guides

[cpholguera]

Hi @EdilsonGalvao, there seems to be something wrong with the file now as it's being shown as if it were completely new, all lines have changed. Could you please take a look and verify that only your changes are being displayed in the diff? Thank you very much!

Everything is good to go and all changes addressed