fid02 Grooty I took the easy way out and wrote their support. I have made a translated summary here (their email reply contains a whole lot of Google marketing, that I have filtered out):
We use Google Play Integrity on Android and Apple Integrity Assertion on iOS, to ensure that users are not using "false apps" that masquerade as MitID, and that the app is downloaded from an official store. We provide them the code and limited backend access, in order for them to verify that the app binary is legitimate. This is not a kind of scam that is currently being employed, but we want to stay ahead of the threat.
I initially asked them why they went the Google Play Integrity way, and not things like hardware attestation, but I got most of the relevant information for this thread.
Does anyone know of a way, to achieve the same as what they set out to do, but via hardware attestation instead? It sounds like they are trying to solve the following:
- Verify the operating system
- Verify the app binary is legitimate
- Verify that the app is downloaded from Google Play Store, and not somewhere else
If so, I wouldn't mind forwarding them that information, and see if I can change their minds about the implementation.