Sorry if I was confusing.
Well, Hardware evaluationTypes are used if available by default even if just calling Device_Integrity. That's why @kdragon uses both a fake keystore (causes an exception which triggers fallback to basic attestation) and an altered Model prop (the mismatch this causes allows enforcement of a Hardware based verdict to be bypassed, ie. the forced basic attestation becomes acceptable)...
The statement "JSON ... details was the CTS Profile checked on TEE or not (= STRONG integrity for the be PI API)" is misleading; actually, CTS Profile checked in TEE (ie. we see HARDWARE) is used here to attest to DEVICE_INTEGRITY if it's available by default (ie. on A8+ devices); a CTS Profile match=true result using BASIC evaluation is still enough for this (or pre-A8 devices couldn't give MEETS_DEVICE_INTEGRITY), but it would not be accepted if a STRONG_INTEGRITY verdict were called.
Don't confuse evaluationType with the choice of verdict type; Devs can choose any of three levels for verdict but cannot choose the evaluationType used; Hardware will be used if it's available for that type unless userspace tricks are used to spoof the device and cause fallbacks...
It's an API (Application Programming Interface) requiring server-end support by Google; I gave you the dates / link a couple of times now for 'Migration deadline' & 'Full turndown' of S/N API, at which point there will be no choice but to use PI API...
Sorry, are you referring to Play Integrity response labels?... These are all part of Play Integrity, of course!?
Main signals (responses) are defined as:
- Application integrity
- Account details
- Device integrity
For Device integrity, device_recognition_verdict is called.
By default, this can have one of the following labels:
- No labels (a blank value)
If you opt in to receive additional labels in the integrity verdict, device_recognition_verdict can have the following additional labels:
and for emulators only
These 'fields' are all called via the Device Integrity API.
PS. Just did this on a 140 min flight from Broken Hill to Sydney... Just landed...
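Added example, not part of the thread or of any project mentioned in it: a server-side sketch of the distinction drawn above, where the relying party chooses which verdict level it requires but only gets to read, not choose, how the result was evaluated. Field names follow the SafetyNet (`ctsProfileMatch`, `evaluationType`) and Play Integrity (`deviceIntegrity.deviceRecognitionVerdict`) response formats; the function names are hypothetical and the payloads are constructed samples assumed to be already signature-verified and decoded.

```python
"""Server-side reading of decoded attestation payloads (constructed samples)."""

PI_LABELS = ("MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY",
             "MEETS_STRONG_INTEGRITY", "MEETS_VIRTUAL_INTEGRITY")

def pi_device_labels(payload):
    """Labels in a decoded Play Integrity payload; an empty set is the blank verdict."""
    raw = payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    return {label for label in raw if label in PI_LABELS}

def pi_accept(payload, required):
    """The developer picks `required`; the evaluation method is not theirs to pick."""
    if required not in PI_LABELS:
        raise ValueError(f"unknown label: {required}")
    return required in pi_device_labels(payload)

def sn_evaluation(payload):
    """Split SafetyNet's comma-separated evaluationType into a set."""
    return {t.strip() for t in payload.get("evaluationType", "").split(",") if t.strip()}

def sn_accept(payload, require_hardware=False):
    """Accept on ctsProfileMatch; optionally refuse results that fell back to BASIC."""
    if payload.get("ctsProfileMatch") is not True:
        return False
    return not require_hardware or "HARDWARE_BACKED" in sn_evaluation(payload)

# Constructed payloads, not captured responses.
SN_HARDWARE = {"ctsProfileMatch": True, "basicIntegrity": True,
               "evaluationType": "BASIC,HARDWARE_BACKED"}
SN_FALLBACK = {"ctsProfileMatch": True, "basicIntegrity": True,
               "evaluationType": "BASIC"}
PI_DEVICE = {"deviceIntegrity": {"deviceRecognitionVerdict":
             ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"]}}
PI_BLANK = {"deviceIntegrity": {}}

if __name__ == "__main__":
    for name, p in (("hardware", SN_HARDWARE), ("fallback", SN_FALLBACK)):
        print(name, sn_accept(p), sn_accept(p, require_hardware=True))
    for name, p in (("device", PI_DEVICE), ("blank", PI_BLANK)):
        print(name, pi_accept(p, "MEETS_DEVICE_INTEGRITY"),
              pi_accept(p, "MEETS_STRONG_INTEGRITY"))
```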
I'm still not quite clear on this...
What's the difference between evaluation type and verdict type?
You said developers can't choose the former but they can choose the latter; is this referring to the MEETS_x_INTEGRITY responses?
Are applications able to see these responses themselves, or does the API present some sort of "layer" between the application and the verdicts?