Android Key attestation as a backend based root check
https://developer.android.com/privacy-and-security/security-key-attestation#key_attestation_ext_schema
Is it safe to assume that the device is not rooted when `deviceLocked=True` and `verifiedBootState=Verified`, and `SecurityLevel>0` is present in the attestation data and the certificate chain is verified as well? Or maybe this can be bypassed on a rooted device somehow even though the checks would occur on a separate server/backend? I’m aware that some devices may have unlocked bootloaders but the device itself is not rooted.
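A backend-side check of the fields named in this question, as an added example that is not the asker's code: it walks the KeyDescription DER (the value of extension OID 1.3.6.1.4.1.11129.2.1.17 on the leaf certificate) and reads deviceLocked and verifiedBootState from the teeEnforced list only. It assumes the certificate chain has already been verified up to Google's hardware attestation root; the sample bytes are constructed, not captured from a device.

```python
# Added example (not the asker's code): DER walker for the Android KeyDescription extension.
SECURITY_LEVEL = {0: "Software", 1: "TrustedEnvironment", 2: "StrongBox"}
BOOT_STATE = {0: "Verified", 1: "SelfSigned", 2: "Unverified", 3: "Failed"}
def der_tlv(buf: bytes, pos: int):
    """One TLV at pos -> (class bits, tag number, value, next pos); handles high-tag form."""
    first = buf[pos]; pos += 1
    tag = first & 0x1F
    if tag == 0x1F:                                   # base-128 tag number follows ([704])
        tag = 0
        while True:
            b = buf[pos]; pos += 1
            tag = (tag << 7) | (b & 0x7F)
            if not b & 0x80: break
    length = buf[pos]; pos += 1
    if length & 0x80:                                 # long length form
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    return first & 0xC0, tag, buf[pos:pos + length], pos + length
def der_children(value: bytes):
    out, pos = [], 0                                  # every TLV inside a constructed value
    while pos < len(value):
        cls, tag, v, pos = der_tlv(value, pos)
        out.append((cls, tag, v))
    return out
def parse_key_description(key_desc: bytes) -> dict:
    """Fields a backend root check relies on. rootOfTrust is taken only from teeEnforced:
    softwareEnforced is filled in by Android userspace, which a rooted device controls."""
    f = der_children(der_tlv(key_desc, 0)[2])         # KeyDescription SEQUENCE members
    info = {"attestationSecurityLevel": SECURITY_LEVEL[f[1][2][0]], "rootOfTrust": None}
    for cls, tag, v in der_children(f[7][2]):        # f[7] = teeEnforced AuthorizationList
        if cls == 0x80 and tag == 704:                # [704] EXPLICIT RootOfTrust
            rot = der_children(der_tlv(v, 0)[2])
            info["rootOfTrust"] = {"deviceLocked": rot[1][2] != b"\x00",
                                   "verifiedBootState": BOOT_STATE[rot[2][2][0]]}
    return info
def passes_root_check(info: dict) -> bool:
    """The three conditions from the question: locked, Verified boot, hardware-backed level."""
    rot = info["rootOfTrust"]
    return (rot is not None and info["attestationSecurityLevel"] != "Software"
            and rot["deviceLocked"] and rot["verifiedBootState"] == "Verified")
def _tlv(tag: bytes, body: bytes) -> bytes:
    return tag + bytes([len(body)]) + body            # short length form suffices here
def sample_key_description(locked: bool, boot_state: int, level: int = 1) -> bytes:
    """Constructed KeyDescription (no real device data) for exercising the checks."""
    rot = _tlv(b"\x30", _tlv(b"\x04", b"\x11" * 32) + _tlv(b"\x01", b"\xff" if locked else b"\x00")
                + _tlv(b"\x0a", bytes([boot_state])) + _tlv(b"\x04", b"\x22" * 32))
    tee = _tlv(b"\x30", _tlv(b"\xbf\x85\x40", rot))   # [704] EXPLICIT = 0xBF 0x85 0x40
    return _tlv(b"\x30", _tlv(b"\x02", b"\x04") + _tlv(b"\x0a", bytes([level])) + _tlv(b"\x02", b"\x29")
                + _tlv(b"\x0a", bytes([level])) + _tlv(b"\x04", b"nonce") + _tlv(b"\x04", b"")
                + _tlv(b"\x30", b"") + tee)
```

Passing these checks says the key lives in hardware on a locked device that booted a verified image; it does not by itself rule out an unlocked-then-relocked device with a custom verified-boot key, which is why verifiedBootKey should also be compared against known-good values.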
AndroidKeyStore – SecureKeyImport: How to use the imported key? (Receiving errors on calling `keyStore.getEntry`)
I tried using the secure key import feature of AndroidKeyStore, following the example at: