scottyab / safetynethelper

SafetyNet Helper wraps the Google Play Services SafetyNet.API and verifies Safety Net API response with the Android Device Verification API.


Add Missing Checks for Server Implementation to README

robsmall opened this issue

The bullet points from the quoted snippet below are missing from the README about verifying the compatibility check response server side:

Verify the compatibility check response
You should take steps to make sure the response received by your app actually came from the SafetyNet service and matches the request data you provided. Follow these steps to verify the origin of the JWS message:

  • Extract the SSL certificate chain from the JWS message.
  • Validate the SSL certificate chain and use SSL hostname matching to verify that the leaf certificate was issued to the hostname attest.android.com.
  • Use the certificate to verify the signature of the JWS message.

After completing this validation, you should also check the data of the JWS message to make sure it matches your original request, including the nonce, timestamp, package name, and the SHA-256 hashes. You can perform these validation steps within your app, or as a more secure option, send the entire JWS response to your own server for verification, via a secure connection.

(From https://developer.android.com/training/safetynet/index.html)

One note -- you can use Google's Android Device Verification API instead of doing the 3 bullet points above. Keep in mind that calls are rate limited to the Device Verification API and that it does NOT validate the safetynet payload itself.