Single backend · Offline verification · No device IDs

Attestation that feels boringly reliable.

Unified Attestation is a free, open-source alternative to Google Play Integrity. It delivers short-lived integrity tokens signed by a single backend, verified offline by app servers, and issued via a privileged Android system service. It can live alongside Play Integrity, and it’s simple to integrate for app developers on both the app and server sides.

An initiative by Volla Systeme GmbH.

Backend: Device + App-server combined
Attestation: KeyMint + Standard requestHash
Federation: Offline trust anchors

Architecture

An alternative to Google Play Integrity that’s easy to integrate and can run in parallel.

Unified Backend

Acts as Device + App-server backend. Stores trust anchors, verifies chains, and signs short-lived tokens. Federation works fully offline.

  • GET /api/v1/info
  • POST /api/v1/device/process
  • POST /api/v1/app/decodeToken

Android System Service

Privileged service that talks to KeyMint, fetches attestation chains, and sends them to the backend. Apps only call the SDK.

  • Provider discovery
  • Per (app, backend) keys
  • Binder/AIDL boundary

SDK + Example App

Thin SDK exposes Play Integrity-style API. Example app shows canonical request hashing, provider selection, and verdict display.

  • No networking
  • No cert exposure
  • Opaque token

End-to-end flow

App → SDK → Service → Backend → App server. No nonce protocol. Simple for app devs.

  1. Canonical request: App + server compute identical requestHash.
  2. Provider discovery: SDK returns enabled backendIds only.
  3. KeyMint attestation: Service sets challenge = requestHash and posts chain.
  4. Token issuance: Backend verifies chain + policies, signs token (60s TTL).
  5. Offline verification: App server checks signature + requestHash.
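
How step 5 can work on the app server, as an added example that is not code from the Unified Attestation project: the server recomputes requestHash from the request it actually received and accepts the token only if the signature verifies, the token has not expired, and the hashes match. The token layout (base64url payload, a dot, an Ed25519 signature), the claim names iat/exp/requestHash, the canonical request form and all function names are assumptions for illustration; the project's SDKs define the real format.

```javascript
const crypto = require("node:crypto");

// ASSUMED canonical form: METHOD, path and SHA-256 of the body, newline-joined.
function requestHash(req) {
  const bodyHash = crypto.createHash("sha256").update(req.body).digest("hex");
  const canonical = [req.method.toUpperCase(), req.path, bodyHash].join("\n");
  return crypto.createHash("sha256").update(canonical).digest("base64url");
}

// Stand-in for the backend's signer, used only to build the constructed sample.
function mintToken(privateKey, claims) {
  const payload = Buffer.from(JSON.stringify(claims)).toString("base64url");
  const sig = crypto.sign(null, Buffer.from(payload), privateKey);
  return `${payload}.${sig.toString("base64url")}`;
}

// App-server side: signature first, then expiry, then the request binding.
function verifyToken(token, publicKey, expectedHash, nowSec) {
  const parts = token.split(".");
  if (parts.length !== 2) return "malformed";
  const [payload, sig] = parts;
  const sigOk = crypto.verify(null, Buffer.from(payload), publicKey,
                              Buffer.from(sig, "base64url"));
  if (!sigOk) return "bad-signature";
  // Claims are parsed only after the signature over them has been checked.
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  if (typeof claims.exp !== "number" || nowSec >= claims.exp) return "expired";
  const got = Buffer.from(String(claims.requestHash));
  const want = Buffer.from(expectedHash);
  // Constant-time compare; a mismatch means the token was minted for another request.
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    return "request-mismatch";
  }
  return "ok";
}

// Constructed sample: throwaway key pair, request and timestamps.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
const request = { method: "POST", path: "/transfer", body: '{"to":"alice","amount":10}' };
const issuedAt = 1700000000;
const token = mintToken(privateKey,
  { requestHash: requestHash(request), iat: issuedAt, exp: issuedAt + 60 });

console.log(verifyToken(token, publicKey, requestHash(request), issuedAt + 30));
```

In a deployment the public key would come from the backend's published keys (GET /api/v1/info) rather than a locally generated pair. A token presented with a different request body fails with "request-mismatch", and the same token stops verifying once its 60-second lifetime has passed.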

Key APIs

Minimal endpoints with strict role separation.

Public

GET /api/v1/info

Returns backendId + public keys.

Device-facing

POST /api/v1/device/process

Verifies chain + attestation challenge, mints token.

App server

POST /api/v1/app/decodeToken

Offline verification using federation trust store.

OEM/Admin

/api/v1/oem/*

Device families, builds, trust anchors.

SDKs & Services

Android SDK, system service, and server SDKs for JS/Python — free and open source.

Android SDK

Public API mirroring Play Integrity, no networking.

  • getProviderSet(projectId)
  • requestIntegrityToken(backendId, projectId, requestHash)

Server SDK (JS/Python)

Helper utilities for decoding tokens and trust checks.

  • getBackendInfo()
  • decodeToken(projectId, token)

Example App Server

TypeScript demo selecting backend and verifying tokens.

  • Backend selection
  • RequestHash comparison

Run locally

Quick commands to bootstrap the stack. Use the docker-compose file inside the Backend repo.

Docker (prebuilt)

git clone https://github.com/unifiedAttestation/Backend.git
cd Backend
docker-compose up

Backend and Portal

git clone https://github.com/unifiedAttestation/Backend.git
cd Backend
npm install
npm run dev:backend
npm run dev:portal

Example App Server

git clone https://github.com/unifiedAttestation/Example-App-Server.git
cd Example-App-Server
npm install
npm run dev