SafetyNet provides services for determining whether a URL has been marked as a known threat by Google.
The service provides an API your app can use to determine whether a particular URL has been classified by Google as a known threat. Internally, SafetyNet implements a client for the Safe Browsing Network Protocol v4 developed by Google. Both the client code and the v4 network protocol were designed to preserve users' privacy, as well as keep battery and bandwidth consumption to a minimum. This API allows you to take full advantage of Google's Safe Browsing service on Android in the most resource-optimized way, and without having to implement its network protocol.
This document shows you how to use SafetyNet for checking a URL for threat types of interest.
By using the Safe Browsing API, you consent to be bound by the Terms of Service. Please read and understand all applicable terms and policies before accessing the Safe Browsing API.
To create an API key, complete the following steps:
Your new API key appears; copy and paste this key for future use.
Note: Your API key allows you to perform a URL check 10,000 times each day. The key, in this instance, should just be a hexadecimal string, not part of a URL.
If you need more help, check out the Google Developers Console Help Center.
Once your key has been whitelisted, you need to add the key to the
AndroidManifest.xml file for your app:
<application>
...
<!-- SafetyNet API metadata -->
<meta-data android:name="com.google.android.safetynet.API_KEY"
android:value="your-API-key" />
...
</application>
The SafetyNet API is part of Google Play services. To connect to the API, you need to create an instance of the Google Play services API client. For details about using the client in your app, see Accessing Google APIs. Once you have established a connection to Google Play services, you can use the Google API client classes to connect to the SafetyNet API.
To connect to the API, in your activity's onCreate()
method, create an instance of Google API Client using
GoogleApiClient.Builder. Use the builder to add the SafetyNet API,
as shown in the following code example:
protected synchronized void buildGoogleApiClient() {
mGoogleApiClient = new GoogleApiClient.Builder(this)
.addApi(SafetyNet.API)
.addConnectionCallbacks(myMainActivity.this)
.build();
}
Note: You can only call these methods after your app has
established a connection to Google Play services by receiving the
onConnected() callback. For details about listening for a completed
client connection, see Accessing
Google APIs.
A URL check allows your app to determine if a URL has been marked as a threat of interest. Some threat types may not be of interest to your particular app, and the API allows you to choose which threat types are important for your needs. You can specify multiple threat types of interest.
The constants in the {@code SafeBrowsingThreat} class contain the currently-supported threat types:
package com.google.android.gms.safetynet;
public class SafeBrowsingThreat {
/**
* This threat type identifies URLs of pages that are flagged as containing potentially
* harmful applications.
*/
public static final int TYPE_POTENTIALLY_HARMFUL_APPLICATION = 4;
/**
* This threat type identifies URLs of pages that are flagged as containing social
* engineering threats.
*/
public static final int TYPE_SOCIAL_ENGINEERING = 5;
}
When using the API, you must use constants that are not marked as deprecated. You add threat type constants as arguments to the API. You may add as many threat type constants as is required for your app.
The API is agnostic to the scheme used, so you can pass the URL with or without a scheme. For example, either
String url = "https://www.google.com";
or
String url = "www.google.com";
is valid.
SafetyNet.SafetyNetApi.lookupUri(mGoogleApiClient, url,
SafeBrowsingThreat.TYPE_POTENTIALLY_HARMFUL_APPLICATION,
SafeBrowsingThreat.TYPE_SOCIAL_ENGINEERING)
.setResultCallback(
new ResultCallback<SafetyNetApi.SafeBrowsingResult>() {
@Override
public void onResult(SafetyNetApi.SafeBrowsingResult result) {
Status status = result.getStatus();
if ((status != null) && status.isSuccess()) {
// Indicates communication with the service was successful.
// Identify any detected threats.
if (result.getDetectedThreats().isEmpty()) {
}
} else {
// An error occurred. Let the user proceed without warning.
}
}
});
The result is provided as a list of {@code SafeBrowsingThreat} objects by calling the {@code SafetyNetApi.SafeBrowsingResult.getDetectedThreats()} method of the returned {@code SafetyNetApi.SafeBrowsingResult} object. If the list is empty, no threats were detected; otherwise, calling {@code SafeBrowsingThreat.getThreatType()} on each element in the list enumerates the threats that were detected.
Please see the Safe Browsing API Developer's Guide for suggested warning language.