When a banking app rejects your device or a game flags your root status, the root cause is almost always hardware key attestation. KeyAttestation, developed by vvb2060 and licensed under Apache 2.0, is the definitive offline diagnostic tool for Android's attestation system. Generate a fresh attestation certificate, parse its full chain, inspect every extension field, and verify the revocation status of your device's signing keys — all without a single byte of network traffic.
Core Attestation Features
A complete diagnostic toolkit for Android's hardware-backed key and ID attestation system — no root, no network, no compromise.
Generate & Parse Attestation
Generates a fresh attestation key pair via the Android Keystore API and parses the returned X.509 certificate chain in full detail — displaying every extension field, security level, authorization list, and root of trust in a human-readable format.
Certificate Chain Verification
Verifies the full certificate chain signature — from the leaf certificate up to the Google Hardware Attestation Root CA — using the embedded revocation list bundled in the APK. No internet connection needed; the revocation data is baked in at build time.
Save, Load & Export
Export attestation data to a file for offline analysis or cross-device verification. Supports loading certificate chains generated by any external software, and exports in p7b format for Windows-compatible certificate tools. Safe to transfer and inspect on a clean device.
Keybox Import as Attest Key
Supports importing a custom keybox as the attestation key — allowing you to test whether a provisioned or injected keybox produces a valid, unrevoked attestation chain. Essential for verifying keybox-based bypass solutions like TEESimulator-RS.
Fully Offline — No Network Permission
The APK declares zero network permissions. No attestation data, no certificate chain, and no device information is ever transmitted externally. The embedded revocation list is bundled at compile time and updated with each new release.
Shizuku & Samsung Knox Support
Optional Shizuku integration unlocks advanced features: device unique identifier (IMEI/Serial) attestation, remote key provisioning (RKP) testing, and custom RKP server configuration. Samsung devices also gain Knox attestation support.
How Does Key Attestation Work?
Android's Key Attestation is a mechanism by which an app can cryptographically prove to a remote server that a specific cryptographic key was generated and is stored inside genuine, verified hardware — specifically a Trusted Execution Environment (TEE) or a dedicated StrongBox security chip. When an app requests an attestation certificate, the Android Keystore asks the TEE to sign a certificate containing detailed claims about the device's software state, boot status, and security level.
This signed certificate chains up to a Google Hardware Attestation Root CA — a certificate authority whose root key is embedded in the device's secure hardware at manufacturing time. Because the signing key never leaves the hardware, the entire chain is cryptographically verifiable by anyone who trusts Google's root. If the bootloader is unlocked or the system partition is modified, the attestation will honestly report this — causing apps that check for MEETS_STRONG_INTEGRITY to reject the device.
KeyAttestation surfaces all of this data in a readable UI. It generates a test key via the Keystore API, retrieves the attestation certificate chain, parses every ASN.1 extension (including the KeyDescription extension defined in the Android Key Attestation spec), checks each certificate's signature validity, and cross-references the device's signing certificate against the embedded revocation list — showing you exactly why your device passes or fails hardware-backed integrity checks.
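The extension parsing and pass/fail decision described above, as an added example (not KeyAttestation's own code): a minimal DER reader that decodes a KeyDescription extension value and accepts a RootOfTrust only from the hardware-enforced authorization list. It assumes the extension bytes were already extracted from the leaf certificate and that chain signatures and revocation were checked separately; all function names and the sample input are constructed for illustration.

```python
SECURITY_LEVEL = {0: "Software", 1: "TrustedEnvironment", 2: "StrongBox"}

def read_tlv(buf, pos=0):  # one DER element -> (class, tag_number, value, next_pos)
    cls, num, pos = buf[pos] >> 6, buf[pos] & 0x1F, pos + 1
    if num == 0x1F:  # high-tag-number form (base-128 digits), needed for tag 704
        num, more = 0, True
        while more:
            num, more, pos = (num << 7) | (buf[pos] & 0x7F), buf[pos] & 0x80, pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return cls, num, buf[pos:pos + length], pos + length

def children(value, pos=0):  # yield (class, tag, value) for each element in a constructed value
    while pos < len(value):
        cls, num, val, pos = read_tlv(value, pos)
        yield cls, num, val

def check_key_description(der, expected_challenge):
    """Return the reasons a verifier would reject this KeyDescription (empty list = accept)."""
    f, fails = list(children(read_tlv(der)[2])), []  # f = the eight fixed fields
    if f[4][2] != expected_challenge:
        fails.append("challenge mismatch")
    if SECURITY_LEVEL[f[1][2][0]] == "Software":
        fails.append("software-only attestation")
    # RootOfTrust is tag [704]; trust it only in the hardware-enforced list f[7], never in f[6]
    rot = [v for c, n, v in children(f[7][2]) if c == 2 and n == 704]
    if not rot:
        fails.append("no hardware-enforced RootOfTrust")
    else:
        _key, locked, state, *_ = children(read_tlv(rot[0])[2])
        if locked[2] == b"\x00" or state[2] != b"\x00":  # not locked, or boot state not Verified (0)
            fails.append("unlocked bootloader or unverified boot")
    return fails

def _tlv(tag, body):  # short-form DER encoder, used only to build the constructed sample
    return tag + bytes([len(body)]) + body

def sample(locked, boot_state, hw_enforced=True):  # constructed input, not real device output
    rot = _tlv(b"\xbf\x85\x40", _tlv(b"\x30", _tlv(b"\x04", b"\xaa" * 4)
               + _tlv(b"\x01", bytes([255 * locked])) + _tlv(b"\x0a", bytes([boot_state]))
               + _tlv(b"\x04", b"\xbb" * 4)))
    sw, tee = (b"", rot) if hw_enforced else (rot, b"")
    head = bytes.fromhex("020164 0a0101 020164 0a0101")  # versions 100, both levels TEE
    return _tlv(b"\x30", head + _tlv(b"\x04", b"nonce-1234") + _tlv(b"\x04", b"")
                + _tlv(b"\x30", sw) + _tlv(b"\x30", tee))
```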
Understanding the Security Levels
KeyAttestation reports three key security levels for the attestation certificate and three Play Integrity verdicts that depend on the attestation result. Here is what each means:
Key Security Level
StrongBox: Keys are stored in a dedicated hardware security chip — physically isolated from the main processor. Highest level of protection. Common in Pixel 3+ and flagship Samsung devices.
TEE (Trusted Execution Environment): Keys are stored in the Trusted Execution Environment — a secure, isolated partition of the main CPU. Hardware-backed but not a separate chip. Common on most modern Android devices.
Software: Keys are protected only in software, with no hardware backing. This typically means the TEE is unavailable, broken, or the device uses a software-only keystore implementation.
Play Integrity Verdict
| Verdict | Meaning | Typical Cause of Failure |
|---|---|---|
| MEETS_STRONG_INTEGRITY | Hardware-backed attestation passes. Locked bootloader, unmodified system. | Unlocked bootloader, modified system partition, revoked keybox |
| MEETS_DEVICE_INTEGRITY | Valid Android certificate, TEE intact. Device may be rooted or run custom ROM. | Root detected, custom ROM with no valid attestation cert |
| MEETS_BASIC_INTEGRITY | Passes basic Android software checks only. No hardware integrity verification. | Emulator, outdated security patch, no valid TEE chain |
| FAILS ALL | Does not pass any integrity check. Device is considered fully compromised. | Tampered system, no valid Android certificate chain |