Back to top
Home / Knox Attestation / API reference /

Knox Attestation API reference v2.0

redocly logoAPI docs by Redocly

Knox Attestation API reference (v2.0)

Overview

This document explains how to use the Samsung Knox Attestation REST APIs. Knox Attestation lets you verify that a Samsung Android device has not been rooted or running unofficial firmware that can compromise the data integrity.

Resources

URI Definition Service
/nonces A nonce is a random number that uniquely identifies each attestation request. The server creates and returns a nonce, which you use to identify an attestation request. The server stores the nonce with a timestamp to avoid replay attacks that could allow an attacker to access a past attestation result.
/blobs A blob (Binary Large OBject) is used to hold device integrity measurements, device ID, signature, and public key certificate. The server checks the validity of the blob using the signature and public key certificate. It then parses the integrity measurements and returns a verdict indicating whether or not the device has official firmware.

How it works

Here is an overview of how you use these services:

  1. Your web server requests a nonce from Samsung's Attestation Server.

  2. Your web server passes the nonce to your Android app, which starts an attestation check on a device. This is to see if the device is running authorized firmware. Your Android app sends back a blob (Binary Large OBject) containing the attestation results.

  3. Your web server requests an attestation verdict from Samsung's Attestation Server, based on the generated blob. The verdict indicates if the device passed or failed the attestation check. Knox Attestation process
    For details, see the Knox Attestation Developer Guide.

Requirements

To communicate with the Attestation Server, you must use the following:

  • HTTPS – This provide secure delivery of the nonces, blobs, and attestation verdicts. For coding examples showing how to use HTTPS, see the Attestation Developer Guide
  • SSL certificate – You need this to encrypt data over the HTTPS connection. Make sure that the certificate is:
    • from a trusted provider. Do not use self-signed certificates, which cannot be trusted.
    • contains the complete certificate chain. For help, please consult with your web provider.

Attestation

nonces

Request a nonce from Samsung's Attestation Server.

header Parameters
x-knox-attest-api-key
required
string
Default: <insert-token-here>

API key obtained from KPP portal.

Responses

Request samples 

curl -X POST \ https://attest-api.secb2b.com/v2/nonces \ -H 'cache-control: no-cache' \ -H 'x-knox-attest-api-key: 1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF'

Response samples

Content type
application/json
{
  • "nonce": "string"
}

blobs

Request Samsung's Attestation Server to translate a blob into an attestation verdict.

header Parameters
x-knox-attest-api-key
required
string
Default: <insert-token-here>

API key obtained from KPP portal.

Accept
string

application/json (default) or application/xml

Content-type
required
string

application/octet-stream

Responses

Request samples 

curl -X POST \ 'https://attest-api.secb2b.com/v2/blobs?nonce=ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890' \ -H 'Content-Type: application/octet-stream' \ -H 'cache-control: no-cache' \ -H 'x-knox-attest-api-key: 1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF'

Response samples

Content type
application/json
{
  • "measurements": "string",
  • "tamperBit": "string",
  • "IMEI": "string",
  • "status": "string",
  • "nonce": "string",
  • "chipId": "string",
  • "verdict": "string",
  • "MAC": "string",
  • "version": "string",
  • "createdDate": "string",
  • "updateDate": "string"
}

Error codes

Errors

The Knox Attestation API uses the conventional HTTP response code to indicate the success or failure of a request. A 2XX response code indicates success, a 4XX response code indicates an error given the inputs of the request, and a 5XX response code indicates a failure with the Knox Attestation platform.

In addition, errors will contain a JSON response body with more information about the error:

HTTP/1.1 200 OK Content-Type: application/json

{
    "result" : "SUCCESS",
    "objectId" : "SDAKJ23DKCMSDAKENXSSAEQ",
    "requestedId": "111000291332456"
}

Async result : POST /api/v1/transaction

HTTP/1.1 200 OK Content-Type: application/json

{
    "count" : 3,
    "success": 2,
    "fail": 1,
    "resultList": [
        {
            "result": "FAIL",
            "requestedId": "123456789012347"
            "error" : {
                "code" : "4000000",
                "message" : "RESOURCE_INVALID_PARAM",
                "reason" : "RESOURCE_INVALID_PARAM"
            }
        }
    ]
}

HTTP/1.1 401 Unauthorized Content-Type: application/json

{
    "result" : "FAIL",
    "error" :
       {
          "code": 4010000,
          "message": "AUTHORIZATION_FAIL",
          "reason": "Invalid Api Key"
       }
}

Error response body

The error response attributes are.

Property Type Required Description
result String Yes SUCCESS/FAIL
error Error Yes Error object

Error object

The error objects contain the following attributes.

Property Type Required Description
code String Yes A Knox Attestation defined error code that serves as a more specific indicator of the error than the HTTP response code.
message String Yes A description of the error, intended to aid developers in debugging the error response.
reason String Yes A description of the error, intended to aid developers in debugging the error response.

Common Error Codes

The following table lists the most common HTTP error responses.

Code Name Description
400 Bad Request The client has issued an invalid request. This is commonly used to specify validation errors in a request payload.
401 Unauthorized Authorization for the API is required, but the request has not been authenticated.
403 Forbidden The request has been authenticated but does not have the appropriate permissions, or the requested resource cannot be found.
404 Not Found Specifies that the requested path does not exist.
405 Method Not Allowed Use only the POST method. The Attestation Server does not support other HTTP methods like GET, PUT, and DELETE.
406 Not Acceptable The client has requested a MIME type via the Accept header for a value not supported by the server.
415 Unsupported media type The blob in the request body is not a binary stream. See the Example for sample code showing how to build the HTTP request.
422 Unprocessable Entity The client has made a valid request, but the server cannot process it. This is often returned for APIs when certain limits have been exceeded.
429 Too Many Requests The client has exceeded the number of requests allowed for a given time window.
500 Internal Server Error An unexpected error on the SmartThings servers has occurred. These errors should be rare.
501 Not Implemented The client request was valid and understood by the server, but the requested feature has yet to be implemented. These errors should be rare.
Back to guide

Is this page helpful?