Google has launched a set of Play Integrity API tools that will help a developer determine whether their Android application was downloaded from the official Play Store or from a third-party source.


The owner of an Android device may, for various reasons, install applications from third-party sources rather than from Google Play, and developers may have just as many reasons to block such installations. For example, an application not downloaded from Google Play may be missing some resources, code or functions, and the Play Integrity API helps track this. This set of tools allows the developer to “verify that interactions and requests to the server originate from a genuine application binary running on a genuine Android device.” It tries to detect signs that the application has been tampered with, that it is running in an “untrusted” software environment, and whether Google Play Protect is enabled on the device. The SafetyNet Attestation mechanism works in a similar way, but the Play Integrity API has a wider range of capabilities.

A developer can call the Play Integrity API at any point during the application’s execution and receive a set of data called an “integrity verdict.” What happens next is up to the developer: the application can be blocked entirely, or the API can be called only before sensitive actions, to warn the user that continuing may be risky.


At the Google I/O developer conference in May, the company also showed off “remediation” dialogs that offer solutions to integrity issues. If the “appLicensingVerdict” field returns “UNLICENSED,” the user does not have a license for the application: they did not purchase or install it on Google Play. In this case, the developer can ask the Play Integrity API to display a “GET_LICENSED” dialog that helps the user get the app from the official app store. The existing app will be deleted with all its data, the system will install an “official” instance, the app will be added to the user’s store library, and all further “appLicensingVerdict” requests will return “LICENSED”.
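As an added illustration (not code from Google or from the article), here is how a backend might turn an already decrypted integrity verdict into an action, including the “GET_LICENSED” remediation for an “UNLICENSED” result. It assumes a classic request bound to a server-issued nonce; the package name, age limit, action names and sample payload are constructed for the example, and field names other than “appLicensingVerdict” follow the Play Integrity documentation.

```python
import time

# Assumed policy values for this sketch (hypothetical app, not from the article).
EXPECTED_PACKAGE = "com.example.app"
MAX_AGE_MS = 2 * 60 * 1000

def decide(verdict, expected_nonce, sensitive, now_ms=None):
    """Return (action, reason): allow, warn, remediate:GET_LICENSED or block."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    req = verdict.get("requestDetails", {})
    # Bind the verdict to this request; a mismatch means it was replayed or forged.
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        return "block", "package mismatch"
    if req.get("nonce") != expected_nonce:
        return "block", "nonce mismatch"
    age = now_ms - int(req.get("timestampMillis", 0))
    if not 0 <= age <= MAX_AGE_MS:
        return "block", "stale verdict"
    app = verdict.get("appIntegrity", {}).get("appRecognitionVerdict")
    if app != "PLAY_RECOGNIZED":
        return ("block" if sensitive else "warn"), f"app binary {app}"
    devices = verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if "MEETS_DEVICE_INTEGRITY" not in devices:
        return ("block" if sensitive else "warn"), "untrusted environment"
    lic = verdict.get("accountDetails", {}).get("appLicensingVerdict")
    if lic == "UNLICENSED":
        # Tell the client to show the GET_LICENSED dialog rather than failing hard.
        return "remediate:GET_LICENSED", "not purchased or installed on Google Play"
    if lic != "LICENSED":
        return ("block" if sensitive else "warn"), f"licensing {lic}"
    protect = verdict.get("environmentDetails", {}).get("playProtectVerdict")
    if protect in ("MEDIUM_RISK", "HIGH_RISK"):
        return ("block" if sensitive else "warn"), f"Play Protect {protect}"
    return "allow", "ok"

# Constructed sample verdict payload (not captured from a real device).
SAMPLE = {
    "requestDetails": {"requestPackageName": "com.example.app",
                       "nonce": "bm9uY2U", "timestampMillis": "1700000000000"},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
    "environmentDetails": {"playProtectVerdict": "NO_ISSUES"},
}
```

The decision is made on the server, so a modified client cannot simply skip it; the client only carries out the returned action.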

Google intends to strengthen the Play Integrity API and add new features. The interface is already used in the Tesco and BeyBlade X applications, something similar was seen in the game Diablo Immortal, and there are also calls to it in the Stripe, Uber and TikTok applications. Its presence is expected to expand in the future.
