Play Integrity on Android and App Attest on iOS verify that the application is genuine, unmodified, and running on trusted hardware. Tampered or sideloaded apps are detected before they reach the API.
Each mobile platform provides its own attestation mechanism. Enravo Trust integrates both natively and evaluates attestation results as part of the guard pipeline.
Google's Play Integrity API verifies the app binary, the device environment, and the Google Play license. Three integrity levels — basic, device, and strong — provide graduated trust signals.
Apple's App Attest service verifies that the app is running on genuine Apple hardware with an unmodified binary. Hardware-backed attestation keys ensure the device has not been jailbroken.
Play Integrity evaluates three dimensions of device trust: the app binary matches what was published to Google Play, the device passes integrity checks at configurable levels, and the runtime environment is free from instrumentation frameworks or root access.
```http
POST /api/v1/sessions HTTP/1.1
Host: core.enravo.com
Content-Type: application/json
Authorization: Bearer <access_token>
X-Play-Integrity-Token: eyJhbGciOiJBMjU2S0...truncated

{
  "device_id": "d4f7a2b1-9c3e-4e8a-b6d5-1a2b3c4d5e6f",
  "client_version": "2.4.1",
  "timestamp": "2026-04-06T10:30:00Z"
}
```

App Attest uses the Secure Enclave on iOS devices to generate hardware-backed attestation keys. The attestation proves that the app binary is unmodified, the device is genuine Apple hardware, and the Secure Enclave has not been compromised. Jailbroken devices fail attestation automatically.
```http
POST /api/v1/sessions HTTP/1.1
Host: core.enravo.com
Content-Type: application/json
Authorization: Bearer <access_token>
X-App-Attest-Assertion: o2NmbXRmYXBwbGU...truncated

{
  "device_id": "A1B2C3D4-E5F6-7890-ABCD-EF1234567890",
  "client_version": "2.4.1",
  "timestamp": "2026-04-06T10:30:00Z"
}
```

Attestation enforcement is configurable per policy. Choose the right mode based on your threat model and rollout stage.
Attestation failure blocks the request. The client receives a 403 with an attestation error code. Used for high-security endpoints where device trust is mandatory.
Attestation failure is recorded but the request proceeds with reduced capabilities. Rate limits may be tightened and certain operations restricted for unattested devices.
Attestation is evaluated and logged but has no effect on request processing. Used during rollout to measure attestation pass rates before enabling enforcement.
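The following is an added example, not Enravo Trust's code: a server-side check of a Play Integrity verdict that Google's servers have already decoded, combined with the three enforcement behaviours described above. The verdict field names follow Google's published verdict format; the mode names `enforce`, `degrade` and `monitor`, the failure strings, the package name and the sample verdict are assumptions made for illustration.

```python
import hmac

# Device labels from the decoded Play Integrity verdict, weakest to strongest.
LEVELS = ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"]

def verdict_failures(verdict, package, nonce, min_level, now_ms, max_age_ms=120_000):
    """Return the reasons a decoded verdict fails; an empty list means it passes."""
    req = verdict.get("requestDetails", {})
    failures = []
    if req.get("requestPackageName") != package:
        failures.append("package_mismatch")
    # Constant-time compare binds the verdict to the nonce this server issued.
    if not hmac.compare_digest(str(req.get("nonce", "")).encode(), nonce.encode()):
        failures.append("nonce_mismatch")
    age = now_ms - int(req.get("timestampMillis", 0))
    if not 0 <= age <= max_age_ms:  # rejects replayed or future-dated verdicts
        failures.append("timestamp_out_of_window")
    if verdict.get("appIntegrity", {}).get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        failures.append("app_not_recognized")
    if verdict.get("accountDetails", {}).get("appLicensingVerdict") != "LICENSED":
        failures.append("unlicensed")
    labels = verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    best = max((LEVELS.index(l) for l in labels if l in LEVELS), default=-1)
    if best < LEVELS.index(min_level):
        failures.append("device_below_" + min_level)
    return failures

def decide(failures, mode):
    """Map failures to (HTTP status, reduced_capabilities) for an assumed mode name."""
    if not failures or mode == "monitor":  # monitor: caller logs, request unaffected
        return 200, False
    if mode == "degrade":                  # proceed, but with restricted operations
        return 200, True
    return 403, False                      # "enforce" and unknown modes fail closed

# Constructed sample verdict (not captured from a real device).
SAMPLE = {
    "requestDetails": {"requestPackageName": "com.example.app",
                       "nonce": "c2FtcGxlLW5vbmNl",
                       "timestampMillis": "1775471400000"},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
    "deviceIntegrity": {"deviceRecognitionVerdict":
                        ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
}
```

In monitor mode the caller should still record the returned failure list, since that is what yields the pass-rate measurement before enforcement is switched on.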