Overview
Kubian Attestation is a security layer designed to verify the integrity of your application and the hardware it is running on. This service exclusively supports Android/mobile devices and VR headsets. By utilizing the device's hardware keystore, it provides a high chance that the application binary matches your official build and that the device environment has not been tampered with.
Developer Responsibilities & Best Practices
To maintain maximum security, developers must not rely solely on a one-time check at startup. It is your responsibility to implement the following practices:
- Secure Nonces: Generate a cryptographically secure, unpredictable nonce on your server. Do not rely on sequential numbers.
- Expiration Tracking: Track the expiration (
exp) of the nonce on your backend to prevent replay attacks. - Re-verification: Recheck user attestation during important, high-stakes game actions. This includes leaving/joining rooms, purchasing items, trading, and entering competitive modes.
Backend Verification Update
verify_application_integrity:When calling your backend verification endpoint, you must now include specific headers to dictate how the payload is reviewed:
Authorization: OA|{project-app-id}|{project-app-secret}- OAuth style authorization for your project. Do NOT put any app-secrets in the Unity Client. Keep everything in a secure backend serverauto-review: true/false- Set totrueif you want the trusted Kubian backend to decide the device's fate. Set tofalseif you want our custom jwt token that you send to our /android/app/player/application/verify_application_integrity and we return the if the token is valid or not, and if valid we return the jwt for your servers to verify with your own logic.
/android/app/player/application/verify_application_integrity API Reference
Endpoint to verify the validity of an attestation token generated by a device.
Required Headers
| Header | Description | Example |
|---|---|---|
Authorization |
OAuth style authorization for your project combining the prefix OA, your App Id, and your App Secret separated by a pipe character. | OA|your-app-id|your-app-secret |
auto-review |
Determines whether Kubian will process the payload and evaluate device safety (true), or skip evaluation and return the raw decoded JWT (false). |
true or false |
Possible Responses
| Scenario | HTTP Status | Response Body |
|---|---|---|
| Invalid App Id or App Secret | 400 Bad Request | {"error": { "Object": { "Data": "Unable to find application with id {app_id}." } } } |
Missing auto-review header |
400 Bad Request | {"error": { "Object": { "Data": "Invalid request. Missing 'auto-review' header." } } } |
auto-review: false (Success) |
200 Success | {"message": { "Object": { "Data": "Success." } }, "attestation_token_decoded": { ... } } |
auto-review: true (Device Trusted) |
200 Success | {"message": { "Object": { "Data": "Application and Hardware verified." } } } |
auto-review: true (Device Compromised) |
401 Unauthorized | {"error": { "Object": { "Data": "Invalid hardware state 'Rooted'." } } } |
Integration Example
The Kubian platform handles the heavy lifting for you. By calling AppIntegrityAPI.AndroidAppPlayer.ApplicationIntegrityInformationGet, the framework automatically handles hardware keys, signs your payload, gathers device signals, and communicates with the backend.
Below is a C# Unity example demonstrating how to initialize the process using a cryptographically secure nonce generated within the client (though ideally, this nonce is fetched from your server):
using System;
using System.Security.Cryptography;
using UnityEngine;
public class KubianInitExample : MonoBehaviour
{
public UnityEngine.UI.Text InfoText;
public void Start()
{
if (KubianTech.KubianPlatformServices == null)
{
InfoText.text = "Failed to initialize Kubian";
}
else if (AppIntegrityAPI.AndroidAppPlayer == null)
{
InfoText.text = "Failed to get AndroidAppPlayer integrity token";
}
else if (AppIntegrity.AndroidAppIntegrity == null)
{
InfoText.text = "Failed to get AttestationToken";
}
else
{
KubianTech.KubianPlatformServices.InitiateKubianServices();
loadMaintenanceData();
checkAuth();
Initialize();
}
}
private void Initialize()
{
AppIntegrityAPI.AndroidAppPlayer.ApplicationIntegrityInformationGet(securenonce(), (jwt, error) =>
{
if (!string.IsNullOrEmpty(jwt))
{
AppIntegrity.AndroidAppIntegrity.ApplicationAndroidIntegrity(jwt, (attestationToken, attestationError) =>
{
if (!string.IsNullOrEmpty(attestationToken))
StartCoroutine(verifygame(attestationToken));
else
InfoText.text = string.IsNullOrEmpty(attestationError) ? "Failed to authenticate" : attestationError;
});
}
else
{
InfoText.text = string.IsNullOrEmpty(error) ? "Failed to authenticate" : error;
}
});
}
private string securenonce()
{
byte[] nonceBytes = new byte[32];
using (var rng = new RNGCryptoServiceProvider())
{
rng.GetBytes(nonceBytes);
}
return Convert.ToBase64String(nonceBytes);
}
private System.Collections.IEnumerator verifygame(string token)
{
yield return null;
}
}
Understanding the Attestation Response
Once the device is verified, the server will issue a decoded JSON payload. Below is an example of what a successful device response looks like:
{
"message": "Decoded Results",
"exp": 1775784915,
"iat": 1775783115,
"sub": "Random-UUID-Generated-ID",
"aud": "The device fingerprint",
"Details": {
"application_sha256_digest": "7d58011b6e80f8055f993c62d7df806069188131470b33a0d6e09d24c43edd6e",
"application_package_identifier": "com.DefaultCompany.DefaultProduct",
"application_binary_recognized": "RecognizedApplication",
"application_package_recognized": "RecognizedPackage",
"device": {
"nonce": "Your-Secure-Server-Nonce",
"device_cert": "Device-Certificate-Tied-Fingerprint",
"state": {
"Standing": "Normal",
"Signals": {
"Rooted": false,
"Debugger": false,
"Emulator": false,
"Hooks": false
}
},
"trust": {
"SecurityLevel": "Advanced",
"VerifiedBoot": "Trusted",
"BootloaderLocked": "True"
}
}
},
"Request_Details": {
"device_id": "device-id",
"app-id": "your-projects-app-id",
"device-certificate-id": "Device-Certificate-Tied-Fingerprint"
}
}
Attestation Outcomes & Status Definitions
The device state is determined through a combination of keystore features and environment checks. You must handle various compromised states based on the backend evaluation.
1. Security Level (device.trust.SecurityLevel)
Device Status is verified in our secure backend servers verifying the client's AB (Attestation-Bytes) from the hardware. Verifying against Google Root Certificates (GRCs) with overall low false positives in testing. We verify the Attestation Hardware Signature against our list of trusted Android attestation PEM GRCs Keys. If this is not in a trusted category it is an extremely high chance that the client is using a spoofed Hardware Root Certificate to spoof request. Ensure Device standing is not 'Compromised' as that is another indicator
| Status | Description |
|---|---|
| Advanced | Backed by Android StrongBox. The key is isolated in a separate, highly secure hardware chip. |
| Basic | Backed by a Trusted Execution Environment (TEE). Secure, but utilizing the main processor's secure enclave. |
| NotTrusted | Unable to determine or was generated from Software-Level. Other wise NotTrusted is usually a common sign of the device / application being compromised. |
2. Device Standing (device.state.Standing)
General state of the operating environment. A safe device will return Normal.
| Standing | Signals Triggered |
|---|---|
| Normal | No common threats found. |
| Rooted | Indicates Superuser binaries (su) or test-keys were found. |
| Debugger | A live debugger is currently attached to the application process. |
| Emulator | The environment matches known emulators or SDK images. |
| Hooked | Tamper frameworks (e.g., Frida, Xposed, Magisk, Zygisk) were detected injecting into memory. |
| Compromised | The device is likely compromised. This usually happens due to the device being used by an emulator, spoofed root certificate keys, or an unknown device. |
3. Verified Boot (device.trust.VerifiedBoot)
Reflects the integrity of the operating system booting process.
| Status | Description |
|---|---|
| Trusted | The OS is official with no immediate threats reported by the Hardware. |
| Unofficial | The OS has been replaced and is most likely compromised. |
| NotTrusted | The OS has been modified and re-signed by an unknown publisher. |
| Compromised | The OS has been compromised and all security has been stripped away allowing any attack from the OS. |
| Unknown | Kubian was unable to determine if the OS was legitimate or not. This is most likely due to a faulty startup on the device, or a hiccup in the hardware. |
Our Research & Resources
Kubian aims to improve the fields of Game Security and Cybersecurity by maintaining a balance between our research and security. While we do not disclose sensitive implementation details that may weaken our systems, we provide insights and resources to support research, understanding, and responsible development.
Resources Used for Device-Level Security (Secure Backend Server)
The following resources and methodologies contribute to Kubian’s layered device integrity validation system.
| Name | Description |
|---|---|
| GRCs (Google Root Certificates) | Hardware-backed public attestation certificates used to verify device authenticity. Kubian leverages publicly documented trusted root certificates provided by platform vendors to validate attestation signatures and reduce spoofing attempts. Resource: https://developer.android.com/privacy-and-security/security-key-attestation#root_certificate |
| Name | Description |
|---|---|
| VR Hardware Certificate Keys | Kubian may collect and validate hardware root certificates from VR devices when necessary. These certificates are added to internal validation datasets to improve compatibility and reduce false positives for newer or uncommon hardware environments. |
| Name | Description |
|---|---|
| ARC Database (Attestation Root Certificates) | A curated dataset of trusted hardware attestation root certificates, including both standard platform certificates and VR-specific certificates. This dataset is used to validate hardware authenticity and detect anomalous or untrusted keys. |
| Name | Description |
|---|---|
| ASN.1 Analysis | Kubian processes and decodes ASN.1 attestation payloads to extract verified hardware-backed information such as boot state, security level, and system integrity indicators. This allows for deeper validation beyond surface-level checks while relying on hardware-signed data. |
| Name | Description |
|---|---|
| Device Risk Signals | Device Risk Signals represent a collection of discrete indicators used to assess the integrity and state of a device or execution environment. These signals are derived from a combination of internal analysis and platform-level integrity mechanisms, including hardware-backed attestation, certificate validation, and revocation status checks. Kubian does not rely on a single identifier and instead evaluates multiple independent signals to determine overall device trust and integrity. Signals are returned as structured values, such as boolean flags (e.g., rooted, emulator, debugger), enumerated states (e.g., security level, verified boot status), and descriptive strings provided by the underlying hardware or platform. These signals are intended to assist developers in making their own security decisions and should not be treated as definitive proof of compromise. Additional verification endpoints and expanded signal coverage are currently in development. |
| Name | Description |
|---|---|
| DHSAR | DHSAR (Deep Hardware Security Analysis Reporting) focus on evaluating overall device integrity rather than only application integrity. Kubian acts as a secondary verification layer, allowing backend systems to make final trust decisions based on validated hardware signals. |
| Name | Description |
|---|---|
| DHASR | DHASR (Deep Hardware Application Security Reporting) extends hardware validation to application integrity by verifying hardware-reported keystore signatures against developer-provided application data. This allows Kubian to detect modified or tampered application builds while maintaining reliance on hardware-backed verification. |
Security Responsibility & Developer Liability Disclaimer
By using Kubian Attestation, you acknowledge and agree that you, as the developer, are solely responsible for implementing and maintaining the overall security of your application, backend systems, and network infrastructure.
Kubian provides device and application integrity signals; however, these signals are not a replacement for proper backend validation, authentication systems, or secure architecture design.
You are required to implement additional security layers, including but not limited to:
- Server-side verification of attestation tokens issued by Kubian
- Secure session handling and authentication systems (e.g., Photon Authentication or equivalent)
- Backend validation for multiplayer interactions, game state, and account actions
- Issuance and verification of your own secure tokens, keys, or session identifiers after successful attestation
Kubian strongly recommends that after a successful attestation verification, your backend issues its own trusted token or session key, which must then be validated across your services, including but not limited to multiplayer networking, account systems, and game servers.
Failure to implement proper backend security or reliance solely on Kubian Attestation may result in vulnerabilities, unauthorized access, or exploitation. Kubian and Static Labs LLC shall not be held responsible for any security breaches, data loss, or damages resulting from improper implementation or misuse of the service.
By integrating Kubian, you accept full responsibility for securing your application beyond the attestation layer and acknowledge that Kubian acts only as an assisting component within a broader security architecture.
Third-Party uses
By using Kubian you understand that Kubian is and will only ever be a third-party solution for any application. We do not use Play Integrity, Meta Attestation and so on. This allows us to create an open Android environment allowing Meta and Android devices.
Kubian supplies you with the SDK but we are not responsible if it ends up breaking your project due to an incompatibility issue.
We highly recommend to take precautions when setting up Kubian from the following, but not limited to:
- A backup of original project in case of any accident.
- Keeping your Kubian project app-secret hidden from anyone to prevent any type of abuse that we are not responsible for.
- To understand that Kubian is a Third-Party system that will not be updated immediately upon any new device being released.
- Kubian does not use Play Integrity or any pre-made attestation systems to allow a fully custom attestation use.
By using and integrating Kubian you agree that you take full risk of using Kubian and understand that it is a Third-Party system that will not be updated immediately upon any new hardware.
Error/Failure Responses
This section documents all possible error responses from the Kubian Attestation API, their meanings, and how to resolve them.
Authentication & Authorization Errors
{
"error": {
"Object": {
"Data": "Expired 'AttestationToken'."
}
}
}Meaning: The attestation token has exceeded its expiration time.
Fix: Generate a new attestation token from the device with a fresh nonce.
{
"error": {
"Object": {
"Data": "Unable to find application with id {app-id-used}."
}
}
}Meaning: The provided App ID in the Authorization header does not exist in the Kubian system.
Fix: Verify your App ID is correct and that your application is registered in the Kubian dashboard.
{
"error": {
"Object": {
"Data": "Invalid request. Missing 'AttestationToken' in json body."
}
}
}Meaning: The request body does not contain the required 'AttestationToken' field.
Fix: Ensure your JSON request body includes the 'AttestationToken' field with the device-generated token.
{
"error": {
"Object": {
"Data": "Invalid request. Missing 'json' body."
}
}
}Meaning: The request was sent without a JSON body.
Fix: Ensure you are sending a JSON body with Content-Type: application/json header.
{
"error": {
"Object": {
"Data": "Invalid request. Malformed 'Authorization' header."
}
}
}Meaning: The Authorization header format is incorrect.
Fix: Use the correct format: Authorization: OA|{app-id}|{app-secret}
{
"error": {
"Object": {
"Data": "Invalid request. Missing 'Authorization' header."
}
}
}Meaning: The Authorization header is not present in the request.
Fix: Add the Authorization header with your project credentials: OA|{app-id}|{app-secret}
{
"error": {
"Object": {
"Data": "Invalid 'AttestationToken' signature."
}
}
}Meaning: The attestation token's signature could not be verified.
Fix: Ensure the token was generated by a legitimate device and has not been tampered with.
{
"error": {
"Object": {
"Data": "Invalid request. Missing 'auto-review' header."
}
}
}Meaning: The required 'auto-review' header is missing.
Fix: Add the 'auto-review' header with value 'true' or 'false' to your request.
General Errors
{
"error": {
"ETBID": "400-26.16d11d1sa",
"copyright_OR_US": "Kubian / Static Labs LLC. All rights reserved",
"data": {
"details": {
"endpoint": "/android/app/player/application/verify_application_integrity",
"message": "Failed to serve request. The endpoint /android/app/player/application/verify_application_integrity failed to understand the request.",
"method": "POST"
},
"error_message": "Bad request exception."
},
"message": "Invalid request. DNS Server failed to understand the request."
}
}Meaning: The server could not process the request due to malformed data or a DNS-related issue.
Fix: Verify your request format, check network connectivity, and ensure all required fields are present.
{
"error": { "Object": { "Data": "Invalid request." }, },
"security-check-dont-share": "Error-Developer-See-Only"
}Meaning: The request made encountered an unknown error and a detailed error has been provided for you (the developer) to figure out the cause.
Fix: Review your request parameters, headers, and body format. Contact support if the issue persists.
{
"error": { "Object": { "Data": "Missing segments in 'AttestationToken'." }, }
}Meaning: The JWT token structure is incomplete or malformed.
Fix: Ensure the attestation token is a valid JWT with all required segments (header, payload, signature).
Performance Improvements & Response Time Optimization
Kubian has undergone significant performance optimizations to achieve sub-320ms response times across all endpoints, enhancing the overall user experience and API efficiency.
Through systematic optimization of our infrastructure and codebase, we've achieved sub-320ms response times across all major endpoints. Our testing shows consistent performance with rare spikes only on attestation verification due to cryptographic operations. Connection warm-up delays have been completely eliminated through background keep-alive mechanisms.
Key Performance Optimizations Implemented
1. Connection Pre-Warming
- MongoDB Pre-Warming: Database connections are established on application startup, eliminating connection overhead on first requests
- Redis Pre-Warming: Redis connections are established and tested during initialization to ensure immediate availability
- Template Pre-Compilation: Jinja2 templates are pre-compiled and cached to avoid runtime compilation overhead
2. Advanced Caching Systems
- Redis Integration: Implemented Redis caching for frequently accessed data including user sessions, project information, and API usage metrics
- Multi-layer Caching: Added in-memory caching with thread-safe LRU eviction for ultra-fast data access
- Smart Cache Invalidation: Intelligent cache invalidation strategies ensure data consistency while maximizing cache hit rates
3. Database Connection Optimization
- Connection Pooling: Implemented MongoDB connection pooling with optimized pool sizes (10-100 connections) to reduce connection overhead
- Query Optimization: Enhanced database queries with proper indexing and projection to minimize data transfer
- Pre-Established Connections: Connections are established during startup to eliminate first-request latency
4. Response Compression & Content Optimization
- Gzip Compression: Added automatic response compression for JSON, HTML, CSS, and JavaScript content
- Optimized JSON Serialization: Disabled JSON pretty printing and sorting for faster API responses
- Content Delivery: Implemented proper caching headers for static assets and dynamic content
5. Application-Level Optimizations
- Performance Monitoring: Added real-time performance tracking with response time headers
- Lazy Loading: Implemented lazy loading for heavy dashboard components to improve initial page load
- Resource Optimization: Minimized redundant database calls and optimized data structures
Performance Metrics & Benchmarks
| Endpoint | Response Time | Notes |
|---|---|---|
| Dashboard Load | <250ms | Most common response time |
| SDK Endpoints | <700ms | Consistently sub 700ms |
| Attestation Verification (/verify_application_integrity) | <~1.3s | Rare spikes to ~1.5s+ due to crypto operations |
Technical Implementation Details
Caching Strategy
Our caching implementation uses a multi-tier approach:
- L1 Cache (In-Memory): Thread-safe LRU cache for ultra-fast access to frequently used data
- L2 Cache (Redis): Distributed caching for session data, user projects, and API metrics
- L3 Cache (Database): Optimized MongoDB queries with proper indexing
Connection Pool Configuration
MongoDB Connection Pool Settings:
- Max Pool Size: 50 connections
- Min Pool Size: 10 connections
- Max Idle Time: 30 seconds
- Wait Queue Timeout: 5 seconds
- Retry Writes: Enabled
- Write Concern: "majority"Compression Settings
Response Compression Configuration:
- Compression Level: 6 (balanced)
- Compressed MIME Types:
* text/html, text/css, text/xml
* application/json, application/javascript
* text/plain
- Minimum Size: 100 bytesImpact on Your Applications
These performance improvements directly benefit your integration with Kubian:
- Faster API Responses: Reduced latency for attestation verification means quicker user authentication
- Improved Reliability: Better resource management leads to more stable service availability
- Enhanced User Experience: Faster dashboard loads and project management
- Scalability: Optimized infrastructure supports higher concurrent user loads
All API responses now include X-Response-Time headers showing actual processing time in milliseconds. You can monitor these metrics to track performance in your applications.