The Android platform has a rich selection of apps and games that give users excellent experiences. Most users follow the path the app or game was designed around and enjoy it as intended. Some users, however, abuse apps and games through cheating, malicious tampering, fraud, theft, piracy, or unauthorized access, and developers have to rack their brains to deal with it. Abuse usually arrives through untrusted interactions from unknown accounts or unknown devices. Its forms keep getting more complex, and the challenges posed to developers keep escalating. In this article, you'll learn how to use the latest Play Integrity API to protect the security and integrity of your apps while keeping them convenient to use.
If you prefer to watch this as a video, check it out here:
https://www.bilibili.com/video/BV1PS4y117wR/?aid=723764898&cid=503811410&page=1
△ Use Play Integrity API to protect your apps and games
Play Integrity API
We have previously launched separate APIs to deal with specific issues of this kind, such as the SafetyNet Attestation API and Google Play Licensing, which help thousands of apps every day with trust issues for devices and user accounts. However, as the challenges escalate, the situations developers face become more and more complex. Developers often have to integrate multiple APIs to deal with abuse successfully, and the resulting complexity makes omissions easy. A single omission may lead to serious misuse of the app.
To solve such problems, we have integrated the most advanced integrity technology into a new Play Integrity API, which enables developers to protect the entire app by calling a single API. The API detects risks and untrusted interactions in the app and sends a signal to the app's backend server, which then determines whether the interaction with the app can be trusted.
The Play Integrity API helps protect your apps and games from potentially risky, fraudulent interactions such as spoofing and unauthorized access, enabling you to take appropriate steps to prevent attacks and reduce abuse.
When your app is used on a device running Android 4.4 (API level 19) or higher, the Play Integrity API provides a signed and encrypted response that contains the following information:
- Genuine App Binary: Determines whether the binary you are interacting with is approved by Google Play and has not been tampered with.
- Legitimate Play Installs: Determines whether the current user account has acquired the app or game in a legitimate way (e.g., through Google Play install or pay-per-purchase).
- Genuine Android Device: Determines whether your app is running on a known, untampered Android device powered by Google Play Services.
Once you find a problem, you can decide whether you need to raise the user threshold to make it more difficult for the app to be abused, thereby reducing the risk that the app may face. We've worked closely with some developers to test this API, and it's in production use to protect apps and games from misuse.
△ Advantages of Play Integrity API
The Play Integrity API has the following key benefits:
- It is powered by Google Play and provides up-to-date documentation, code samples and best practices, configurable by developers from Play Console, and supported by developers;
- The data packets returned by the Integrity API are small and encrypted, and a single returned data packet encapsulates multiple integrity detection signals, eliminating the need for multiple API calls;
- This is a future-proof API that will support integrity checks for newer device types and specifications.
The Play Integrity API allows your app server to communicate with the Play server in a hard-to-hack way and further handles crediting. The specific steps are shown in the following figure:
△ Play Integrity API credit steps
- The user starts an action, such as logging into an app or joining a multiplayer game;
- The application backend server generates a unique ID and triggers the application to start the integrity check;
- The application calls the Play Integrity API;
- The Play server evaluates a number of signals, including whether the device has been compromised and whether it has passed the certificate authentication test, and verifies the app's authorization. The Play Integrity API then returns the signed and encrypted result to the app, indicating whether the device and binaries can be trusted;
- The application then forwards the result returned by the Play Integrity API back to the application server;
- The application server will check whether the returned ID is the same as the sent ID, analyze and judge the result, and return it to the application;
- After the application gets the result, if it determines that everything is normal, the user can continue to use it.
All of the above operations will be completed in an instant, and the user will not feel any delay. If you are using the SafetyNet Attestation API, its implementation is similar to the above steps.
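The server side of the steps above (issuing the unique ID, then comparing it and judging the result), as an added example that is not code from the original article or from Google. It assumes the token has already been decrypted and signature-checked into a dict. The field names follow Google's public verdict format and do not appear on this page, and `NonceStore`, `evaluate`, `sample_verdict`, the package name and the 120-second window are hypothetical.

```python
import secrets
import time

NONCE_TTL_S = 120                       # assumed freshness window, not from the article
EXPECTED_PACKAGE = "com.example.game"   # hypothetical package name

class NonceStore:
    """Step 2: the backend issues a unique ID bound to one user action."""
    def __init__(self):
        self._pending = {}              # nonce -> (session_id, issued_at)

    def issue(self, session_id, now=None):
        nonce = secrets.token_urlsafe(24)
        self._pending[nonce] = (session_id, time.time() if now is None else now)
        return nonce

    def consume(self, nonce, session_id, now=None):
        """Single use: the entry is removed whether or not the check passes."""
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return False                # never issued, or already used (replay)
        owner, issued_at = entry
        now = time.time() if now is None else now
        return owner == session_id and (now - issued_at) <= NONCE_TTL_S

def evaluate(verdict, session_id, store, now=None):
    """Step 6: compare the returned ID with the issued one, then judge the signals.
    `verdict` is the already decrypted and verified payload (assumption)."""
    req = verdict.get("requestDetails", {})
    nonce = req.get("nonce")
    if not isinstance(nonce, str) or not store.consume(nonce, session_id, now):
        return "deny"                   # unknown, replayed, expired or cross-session ID
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        return "deny"
    app_ok = verdict.get("appIntegrity", {}).get("appRecognitionVerdict") == "PLAY_RECOGNIZED"
    devices = verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    licensed = verdict.get("accountDetails", {}).get("appLicensingVerdict") == "LICENSED"
    if app_ok and "MEETS_DEVICE_INTEGRITY" in devices and licensed:
        return "allow"
    return "step_up"                    # extra verification instead of a hard block

def sample_verdict(nonce, device=("MEETS_DEVICE_INTEGRITY",)):
    """Constructed sample payload for the example; not real API output."""
    return {
        "requestDetails": {"requestPackageName": EXPECTED_PACKAGE, "nonce": nonce},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
        "deviceIntegrity": {"deviceRecognitionVerdict": list(device)},
        "accountDetails": {"appLicensingVerdict": "LICENSED"},
    }
```

Because `consume` deletes the ID on first use, a captured token that is sent again is rejected even if its verdict fields are all clean.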
Notes
When using the Play Integrity API, note the following:
- Confirm what the main problem you face is, such as piracy, traffic fraud, cheating, or other problems. Analyze the severity of the problem and the extent of the damage it causes to determine how much effort is needed to reduce the damage;
- As far as integrity is concerned, there is no one-size-fits-all solution, and the new Play Integrity API cannot solve all problems, it can only be used as one part of an overall security and anti-abuse strategy;
- It is important to consider the risk of false positives and other usage costs that may be brought to ordinary users. Rather than blocking any risky operation, it is usually better to increase the threshold for user abuse through additional steps;
- Continuously analyze, listen to user feedback, and continuously update Android and Play supported features, actively adopting industry best practices for anti-abuse.
For more information on the Play Integrity API, go to the Play Integrity API page.
We'll be publishing integration guides for apps released on Google Play and other platforms, and we'll share more information on migrating from Safety Device Attestation and Play Licensing to the new API, so stay tuned. We look forward to your feedback.
You are welcome to submit feedback to us here, or to share content you like and problems you have found. Your feedback is very important to us. Thank you for your support!