Every device goes through 11 verification steps before it's trusted.
Each client (iOS app, Android app, web) has its own attestation_config JSON, which stores the mode, package name, per-action policies, certificate allowlists, environment checks, and error policies. It is stored as a JSON column in the wp_enravo_api_clients table.
```json
{
  "attestation_config": {
    "mobile_app_types": ["android"],
    "android": {
      "mode": "enforce",
      "package_name": "com.enravo.app",
      "skew_tolerance": 15,

      "actions": {
        "install": { "enabled": true, "device_level": "device", "freshness": 120 },
        "login": { "enabled": true, "device_level": "device", "freshness": 120 },
        "register": { "enabled": false },
        "token_refresh": { "enabled": false, "freshness": 60 }
      },

      "app_integrity": {
        "require_recognized": true,
        "require_cert_match": true,
        "allowed_cert_sha256": ["AA:BB:CC:DD:..."],
        "min_version_code": 100,
        "grace_version_code": 90
      },

      "account": { "require_licensed": false },

      "environment": {
        "play_protect": { "enabled": true, "min_verdict": "no_issues" },
        "access_risk": {
          "enabled": true,
          "block_known": { "capturing": true, "overlays": false, "controlling": true },
          "block_unknown": { "capturing": false, "overlays": false, "controlling": false }
        }
      },

      "recent_activity": { "enabled": false, "max_level": 2 },

      "error_policy": {
        "on_invalid": "deny",
        "on_timeout": "soft_fail",
        "on_unevaluated": "allow"
      }
    }
  }
}
```

Attestation doesn't have to be all-or-nothing. Start with telemetry to understand your device landscape, move to soft-fail for limited access, then enforce when ready. Each mode has its own error policy, configurable per failure type.
Every check is independently configurable per client and per action.
Three levels: MEETS_BASIC (passes CTS), MEETS_DEVICE (hardware-backed keystore), MEETS_STRONG (hardware security module). Configurable per action — install may require 'device', login may require 'strong'.
PLAY_RECOGNIZED verdict confirms the app was installed from Google Play. Signing certificate SHA-256 verified against your registered fingerprint. Repackaged or sideloaded apps are rejected.
Minimum version code enforced with grace window for rollouts. If min_version=100 and grace=90, versions 90-99 get limited access while users update.
Detect screen capturing, overlay, and remote controlling apps — both known and unknown. Configurable per risk type: block_known.capturing, block_unknown.overlays, etc.
Google's device activity level (0-3). High activity = suspicious. Configurable max threshold per client. Disabled by default — enable for high-security flows.
Minimum verdict enforcement: no_issues, possible_risk, medium_risk, high_risk. Devices with known malware are blocked before any other check.
For B2B apps: require the app to have a valid Google Play license. Devices without a license are denied regardless of integrity status.
Each action has its own freshness window. Install: 120s. Login: 120s. Token refresh: 60s. Prevents stale attestation tokens from being reused across different operations.
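
The per-action freshness windows, the version grace window and the error policy described above can be combined into one server-side decision. The Python below is an added example, not Enravo's code. The verdict fields (`status`, `issued_at`, `cert_sha256`, `version_code`), reading `skew_tolerance` as seconds of clock skew, treating a disabled action as "no attestation required", and mapping `soft_fail` to limited access are assumptions.

```python
# Added example: constructed config (trimmed from the JSON above) and a
# hypothetical, already signature-verified verdict dict.
CONFIG = {
    "skew_tolerance": 15,  # assumed: seconds of tolerated clock skew
    "actions": {
        "install": {"enabled": True, "freshness": 120},
        "login": {"enabled": True, "freshness": 120},
        "register": {"enabled": False},
        "token_refresh": {"enabled": False, "freshness": 60},
    },
    "app_integrity": {"require_cert_match": True,
                      "allowed_cert_sha256": ["AA:BB:CC:DD"],  # placeholder
                      "min_version_code": 100, "grace_version_code": 90},
    "error_policy": {"on_invalid": "deny", "on_timeout": "soft_fail",
                     "on_unevaluated": "allow"},
}
OUTCOME = {"deny": "deny", "soft_fail": "limited", "allow": "allow"}


def evaluate(cfg, action, verdict, now):
    """Return 'allow', 'limited' or 'deny' for one action."""
    policy = cfg["actions"].get(action)
    if policy is None:
        return "deny"  # unknown action: fail closed (assumption)
    if not policy.get("enabled"):
        return "allow"  # attestation not required for this action
    # Failure types are mapped through the configured error policy;
    # an unrecognised status falls back to deny.
    status = verdict.get("status", "invalid")
    if status != "ok":
        return OUTCOME[cfg["error_policy"].get("on_" + status, "deny")]
    # Freshness: reject tokens older than this action's window, and tokens
    # dated further in the future than the skew tolerance.
    age = now - verdict["issued_at"]
    if age > policy["freshness"] or age < -cfg["skew_tolerance"]:
        return OUTCOME[cfg["error_policy"]["on_invalid"]]
    app = cfg["app_integrity"]
    if app["require_cert_match"] and \
            verdict["cert_sha256"].upper() not in app["allowed_cert_sha256"]:
        return "deny"
    # Version gate with grace window: 90-99 limited, below 90 denied.
    if verdict["version_code"] < app["grace_version_code"]:
        return "deny"
    if verdict["version_code"] < app["min_version_code"]:
        return "limited"
    return "allow"
```

A token that is 61 seconds old passes the 120-second login window but fails a 60-second token-refresh window, which is the cross-operation reuse the per-action freshness setting is meant to stop.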