Appbase is a mechanism that allows developers to trust a native app without the need to integrate with Android or iOS attestation APIs directly.

It solves the following problems:

• Trust the previously untrusted origin of a deep link, universal link or app link.
• Trust the previously untrusted orgin of HTTP API call created by a native app.

This can be done through binding a private key, that is managed in the secure, non-exportable, tamper-proof key storage of the mobile platform, to an app attestation after a trusted witness verified the native app through Android Safetynet/Play Integrity and iOS DeviceCheck/App Attest Services.

For example, today it is not possible for a native app wallet such as MetaMask to verify the native app origin of a WalletConnect request.

• App obtains a nonce from a trusted Rebase witness.
• App generates an app attestation using Android or iOS services which incorporates the nonce.
• App sends a certificate request to the Rebase witness along with the app attestation and the public key.
• Witness verifies the app attestation and generates a certificate that is bound to the public key and bundle ID of the app.
• Witness provides the certificate to the app.
• App stores the certificate.

sequenceDiagram
  participant app as App
  participant witness as Rebase Witness

  app->>app: Generate key pair : (pub, priv)
  app->>witness: GET /nonce
  witness-->>app: nonce
  app->>app: Generate app attestation (nonce)
  app->>witness: POST /get_app_certificate (app_attestation, pub)
  witness->>witness: Verify app_attestation
  witness->>witness: Generate app certificate (pub, bundle_id)
  witness-->>app: app_certificate
  app->>app: Store app certificate (app_certificate)

• Native app creates a JWT that includes the app certificate, a short expiration date, hash of the actualy request and a nonce, signed by the certified keypair.
• Native app appends the JWT to a deep link, app link or universal link as an additional parameter.
• Native app presents the deep link, universal link or app link, e.g., some://request?appbase=<JWT>
• User clicks on the link which opens the target native app.
• Target native app verifies the JWT by verifying the signature, the expiration date, the hash against the public key in the app certificate.
• Target native app reads the bundle ID and can trust that the origin is what they say they are.

sequenceDiagram
  participant user as User
  participant app as App (Origin)
  participant target as Target App

  user->>app: Open App
  app->>app: Generate and sign JWT <br/> (priv, exp, hash, app_certificate) : JWT
  app->>app: Generate app link (JWT) <br/> : "some://appbase=<JWT>"
  app-->>user: Show link
  user->>app: Click on link
  app->>target: open some://appbase=<JWT>
  target--xapp: nop
  target->>target: Verify appbase JWT
  target->>target: Get bundle_id from JWT
  Note over target: Target App can now trust App (Origin)  
  target-->>user: ...