Today we’re excited to introduce the Platform Integrity Attestation API (Attestation API)—a new anti-abuse solution to protect your apps from unauthorized modifications and potential security breaches. This API detects whether your app’s server is interacting with an untampered VR device and ensures your app is authentic.
As the Meta Quest ecosystem continues to grow, both in the number of apps being distributed and in the size of the Meta Quest community, it's increasingly important to establish a consistent method for validating the integrity of apps in order to provide a secure and safe user experience for everyone. The Attestation API gives you a simple solution for a variety of security-related use cases:
- Securing device authentication
- Protecting financial and enterprise app data
- Preventing external data misuse
- Anti-piracy
Dive in below to learn more about how the Attestation API works and how to start leveling up the security of your apps on Meta Quest 2, Quest Pro, and Quest 3 (launching later in 2023).
Attestation: A Common, Flexible, and Robust Security Solution
Attestation is a common security feature used by some of the biggest tech platforms to validate and verify the integrity of the firmware and operating system an app is running on. Once integrated, the API will provide you with an “attestation token,” which you can use to determine if an app running on a Meta device has been tampered with. This token is cryptographically signed by the Attestation Server to reinforce the security and reliability of the attestation process.
A step-by-step overview of the Attestation API call flow.
You can run the API under the Trust on First Use (TOFU) authentication method to acquire an attestation token at a certain point in time—like when an app is first launched or when it connects to a backend server—and cache it locally for the entire session. The Attestation Server validates the token and sends back a success or failure message along with token claims to the Application Server, which decides whether to deny or provide its service to the application client. If the token verification is successful, the server fulfills the service request from the application client. If the token is invalid, an error message is sent.
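The call flow described above, seen from the Application Server's side, as an added example (not Meta's code or API). The Attestation Server is replaced by a local HMAC-signing stand-in, and the token format and the claim names (`package_id`, `device_intact`, `app_intact`, `exp`) are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-in for the Attestation Server; HMAC only simulates "signed".
_KEY = b"constructed-demo-key"

def _sign(body: str) -> str:
    return hmac.new(_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_token(claims: dict) -> str:
    """Stand-in issuance: base64url(JSON claims) + '.' + signature."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return f"{body}.{_sign(body)}"

def attestation_server_verify(token: str) -> dict:
    """Stand-in validation: success/failure plus the token claims."""
    try:
        body, sig = token.rsplit(".", 1)
        if not hmac.compare_digest(sig, _sign(body)):
            return {"success": False, "claims": None}
        return {"success": True, "claims": json.loads(base64.urlsafe_b64decode(body))}
    except (ValueError, TypeError):  # malformed token, bad base64 or bad JSON
        return {"success": False, "claims": None}

class ApplicationServer:
    def __init__(self, expected_package: str):
        self.expected_package = expected_package
        self.trusted_sessions = set()  # verdict kept for the session (TOFU)

    def handle_request(self, session_id: str, token=None) -> str:
        if session_id in self.trusted_sessions:
            return "served"
        if token is None:
            return "denied: attestation required"
        result = attestation_server_verify(token)
        if not result["success"]:
            return "denied: invalid token"
        claims = result["claims"]
        # A validly signed token can still describe a modified device or app,
        # so the claims (hypothetical names) are checked before serving.
        if claims.get("package_id") != self.expected_package:
            return "denied: unexpected app"
        if not (claims.get("device_intact") and claims.get("app_intact")):
            return "denied: integrity check failed"
        if claims.get("exp", 0) <= time.time():
            return "denied: token expired"
        self.trusted_sessions.add(session_id)
        return "served"
```

The server fails closed: a session is marked trusted only after the signature, the expected app, the integrity claims and the expiry have all passed.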
Get Started with Attestation API
Learn more about the Attestation API call flow and get started integrating it today by checking out the documentation for Unity, Unreal, and Native.
We’re excited to offer you more tools to bolster the security of your apps and reinforce the integrity of the Meta Quest Platform. Be sure to stay up to date on more news and tips for developers by following us on Twitter and Facebook.