Android safetynet attestation for WebAuthn returns the all zeroed out AAGUID
Reported by
shinki...@gmail.com,
Nov 8
Issue description

Steps to reproduce the problem:
1. Set platform authenticator and direct attestation conveyance for create call from Android Chrome browser
2. Verify attestation on RP server
3. AAGUID is zeroed out.

What is the expected behavior?
Direct attestation for safetynet should have a valid (identifiable) AAGUID.

What went wrong?
AAGUID is zeroed out. So, RP cannot figure out the authenticator.

Did this work before? No
Does this work in other browsers? Yes

Chrome version: 70.0.3538.80 Channel: stable
OS Version: 8.0.0
Flash Version:
,
Nov 8
Hi there, can you confirm which version of Google Play Services you are using? Starting with v13.4.0, there will be a non-zero AAGUID, but versions up until then always return a zero AAGUID even for requests for 'direct' attestations.
,
Nov 8
,
Nov 8
Hi Kim, this is Ki-Eun from LINE. The version of play services is 14.5.75 from beta channel. Thanks.
,
Nov 8
Hi Ki-Eun! Ah, I double-checked with Google Play services folks and I was wrong earlier. AAGUID will be populated starting in 14.7.00. So what you're seeing is expected.
,
Nov 8
Understood. Do you know the expected release date for 14.7.00, and for publishing the FIDO MDS metadata for it?
,
Nov 8
I don't think we're at liberty to share expected release dates right now, unfortunately. It's on the order of multiple weeks. How about I keep this open and update the bug when it goes out?
,
Nov 8
Thanks, Kim! I will track this issue.
,
Jan 16
(6 days ago)
Closing this out as non-zero AAGUIDs have been present since v23.
Comment 1 by jochen@chromium.org, Nov 8
Owner: kpaulhamus@chromium.org
Status: Assigned (was: Unconfirmed)
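
Added example (not from the original thread or from Chromium's code): an RP-side check that extracts the AAGUID from WebAuthn authenticator data and flags the all-zero value reported in this issue, so the server records the authenticator as unidentified instead of attempting a metadata lookup on it. The function names, the `rp.example` RP ID and both sample byte strings are constructed for illustration.

```python
import hashlib
import struct
import uuid

FLAG_AT = 0x40                   # attested credential data present
ZERO_AAGUID = uuid.UUID(int=0)   # the value the reporter observed


def parse_aaguid(auth_data: bytes) -> uuid.UUID:
    """Return the AAGUID from WebAuthn authenticator data (authData)."""
    # Fixed header: rpIdHash (32) | flags (1) | signCount (4)
    if len(auth_data) < 37:
        raise ValueError("authData shorter than the 37-byte header")
    if not auth_data[32] & FLAG_AT:
        raise ValueError("AT flag clear: no attested credential data")
    # Attested credential data: AAGUID (16) | credIdLen (2) | credId | key
    if len(auth_data) < 55:
        raise ValueError("attested credential data truncated")
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    if len(auth_data) < 55 + cred_len:
        raise ValueError("credential ID runs past end of authData")
    return uuid.UUID(bytes=auth_data[37:53])


def classify_authenticator(auth_data: bytes) -> str:
    """'unidentified' for an all-zero AAGUID, else the AAGUID as a string."""
    aaguid = parse_aaguid(auth_data)
    return "unidentified" if aaguid == ZERO_AAGUID else str(aaguid)


def build_sample(aaguid: bytes) -> bytes:
    """Constructed authData for the demo; not captured from a device."""
    rp_id_hash = hashlib.sha256(b"rp.example").digest()
    flags = 0x45                       # UP | UV | AT
    cred_id = bytes(range(16))         # constructed credential ID
    cose_key = b"\xa0"                 # placeholder: empty CBOR map
    return (rp_id_hash + bytes([flags]) + struct.pack(">I", 0)
            + aaguid + struct.pack(">H", len(cred_id)) + cred_id + cose_key)


# Constructed inputs: one zeroed AAGUID, one made-up non-zero AAGUID.
ZEROED = build_sample(bytes(16))
POPULATED = build_sample(bytes.fromhex("000102030405060708090a0b0c0d0e0f"))

if __name__ == "__main__":
    print(classify_authenticator(ZEROED))
    print(classify_authenticator(POPULATED))
```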