Prevent unauthorized modification and redistribution with automatic protection

Note: The features described on this page are currently only available to select Play partners.

Google Play’s automatic protection is a service that helps you protect your apps and games against integrity abuse in the form of unauthorized modification and redistribution. Automatic protection works in your app without a data connection. It can be turned on with one click in the Play Console, and requires no developer work before testing and no backend server integration.

How it works

Automatic protection adds runtime checks to your app’s code to restrict modification and redistribution, and then makes those checks hard to remove with advanced obfuscation and anti-reverse engineering techniques. If the installer check fails, users will be prompted to get your app on Google Play. If the modification check fails, the app will not run. This helps to keep users safe from harmful content that may appear in modified versions of your app.

Automatic protection is designed with the aim of the following:

  • Prevent unauthorized modification: Automatic protection helps guard your app against modification, making it harder to distribute unofficial copies with altered behavior (such as removing billing, adding ads, changing the ad owner ID, or adding malware).
  • Prevent piracy of paid apps: Automatic protection prevents piracy by prompting users who obtain the unmodified Play version of your app through an unofficial source to purchase it on Google Play. This prompt is optional and can be turned off by unchecking "Require installation from Play" on the automatic integrity protection configuration page.
  • Increase users receiving official updates: Automatic protection can prompt users who sideload the unmodified Play version of your app to add it to their Play library to ensure they can receive the ongoing app updates. This prompt is optional and can be turned off by unchecking "Require installation from Play" on the automatic integrity protection configuration page.
Important: Automatic protection does not guarantee prevention of all cracking, piracy, repackaging, and redistribution. Automatic protection makes these actions more complex and costly, and so reduces the likelihood of them being successful. Google Play will continually strengthen automatic protection so new releases of your app will automatically get the latest and strongest version of protection.

Set up automatic protection

The steps below describe what you need to do to start using automatic protections. Click on a section to expand it.

Prerequisites

If you turn on automatic protection for a particular app, Google Play will automatically add protection when you create each release ready for distribution to devices. Protection requires Google Play to create modified APKs and sign them on your behalf, so you must:

Please be aware of the following constraints:

  • Automatic protection is only supported on Android 6.0 Marshmallow (API level 23) and higher. Android M was released in 2015 and, as of 2023, targeting a midSDKVersion of 23+ will reach over 97% of active Android devices.
  • Automatic protection supports the following ABIs: x86, x86_64, armeabi-v7a, and arm64-v8a. To update your app's targeted ABIs, update the Gradle settings. Other ABIs that are not used by active Android devices can be removed from your targeting without impacting your app's availability.
  • Automatic protection works offline. However, the "Require installation from Play" periodically requires a data connection if the Play Store app on the device has been offline for a prolonged period.
  • If your app is already using Play Licensing, you should turn off "Require installation from Google Play."
  • When uploading your app to internal app sharing, protection is not applied. Take extra care to only share internal app sharing links with trusted team members and do not share unprotected versions externally.
  • Automatic protection is incompatible with code transparency for app bundles because integrity protection involves modifying the code. App bundles uploaded with code transparency when automatic protection is enabled will be rejected.
  • Instant experiences are not protected. The app bundle in your release tracks must not be instant-enabled to get protection. You can simultaneously upload an app bundle to your release track that gets protection and an instant-enabled app bundle to your instant-only track that doesn't get protection.
Step 1: Turn on protection

Create a release as described in Step 1 of Prepare and roll out a release.

You can either turn on protection when creating a release (as described in Step 2 of Prepare and roll out a release) or you can turn on protection the App integrity page (Test and release > App integrity), which contains integrity and signing services that help you ensure that users experience your apps and games in the way you intend.

When preparing your release, you will see a button that either says Get integrity protection or Manage integrity protection. You can then turn integrity protection on by clicking Yes, turn on under "Automatic protection." Google Play will then sign your releases and add integrity protection to restrict tampering and distribution abuse. This means that automatic protection is turned on.

Finish preparing your release and save your changes.

Step 2: Test your protected app

Use each of the test tracks to test the protected app version to ensure there’s no unexpected impact on the user experience or performance.

We recommend including the following actions in your review:

  • Test your game's launch, looking for crash-on-launch and any slow down in startup time.
  • Test moments where your native code (C/C++) calls back out into Java (in your own code or third-party libraries), such as ads, logging, and social integration, authentication, or Android-specific features such as permission handling.

If you find issues during the testing process, you have the option to revert to a previous version of automatic protection that you may have already used in a previous release or you can turn off automatic protection. We recommend that you do not promote unprotected versions to open tracks or production.

To turn off integrity protection for an individual release:

  1. When preparing your release, click Manage integrity protection.
  2. Under "Automatic protection," select Previous protection or Turn off protection for this release.
  3. Save your changes. The changes will be applied to this release. The next time you upload a release, the release will receive the latest, strongest version of protection again.
Step 3: Promote your app to the production track

When ready, you can roll your release out to a production track in the Play Console, making your protected app available to all Google Play users in your chosen countries.

Customize your store listing when users visit from integrity protection dialogs

Automatic protection can prompt users who obtain your app unofficially to get it on Google Play. When users tap on the dialog, they will be redirected to your store listing, where they can tap on the install (or buy or update) button to get your app from Play so that the app is added to the user’s Play library.

You can customize your store listing assets for any visitors who tap on integrity protection dialogs, including your app’s name, icon, descriptions, and graphic assets. To customize your store listing when users visit from an integrity protection dialog:

  1. Open Play Console and go to the App integrity page (Test and release > App integrity).
  2. Scroll to the "Play Integrity API" section.
  3. Click Settings.
  4. Scroll to the "Customize store listing" section.
  5. Click Create listing.
  6. Follow the instructions on the Create custom store listing page and click Save.

Alternatively, you can create the custom store listings for integrity protection dialogs directly from Custom store listings page:

  1. Open Play Console and go to the Custom store listings page (Grow users > Custom Store Listings).
  2. Click Create listing, choose whether to create a new listing or duplicate an existing one, and click Next.
  3. In the "Listing details" section, scroll to Target audience.
  4. Select By URL and enter ‘playintegrity’ in the text box.
  5. Fill in all other details and click Save.

Tip: The URL parameter ‘playintegrity’ is a special keyword that’s reserved for integrity deeplinks, so it must be entered exactly and unaltered when setting up the custom store listing.

Recommended practices

Do not release unprotected app versions

If you publish unprotected versions to open tracks, or through other channels outside Google Play, your app protection will no longer work. To maintain your app’s integrity protection, you should only publish protected versions of your app to open tracks and production.

Take care when mixing anti-tamper protection solutions

Automatic protection may not be compatible with other runtime anti-tamper solutions, and trying to use them together may result in user issues. If you're already implementing Play Licensing in your app, then you should disable "Require installation from Google Play." If your app performs other runtime checks, be sure to test your protected app thoroughly for issues before releasing it to open tracks.

Test your protected app

Google Play will automatically deliver protected builds across all tracks: internal testing, closed, open, and production. You should test these versions thoroughly as usual.

If you upload your app’s build to internal app sharing directly, Google Play will not add protections. This is to allow you to use internal app sharing to upload debug builds and other similar builds.

When you access an internal app sharing link for a protected app version on app bundle explorer, then the build is shared exactly as it has been processed by Google Play. If that app version was uploaded to a test track and protected, then the internal app sharing link from app bundle explorer will deliver a protected version. You can see the protection status on the Details tab of app bundle explorer.

Monitor crashes

You may notice an increase in crashes that are a function of your app being protected; this is likely to indicate that automatic protection is working as intended. If an attacker unsuccessfully modifies your app, the runtime check will stop your app from running, predominantly by crashing the app.

Crashes that are not attributed to Google Play do not affect your Android vitals stability metrics. If you’re using other tools to analyze your crashes, such as Crashlytics, and you need a package name to filter by install source, the package name for the Google Play Store is "com.android.vending."

If you're worried about an adverse increase in crashes, you can report them to us with as much detail as possible and the team will investigate. We will respond to your report if we determine that the crashes relate to protection.

Report cracked versions of your app

A cracked version is a version of your app that still works when it’s been modified or when it’s been installed outside Google Play if you require Google Play installation.

If you’ve identified a cracked version of your app, you can report it to us.

Improving anti-tamper protection

Sharing app telemetry, such as anonymized environment and performance data, with Google Play helps us improve the resilience and performance of anti-tamper protection. You can opt out of sharing app telemetry by turning off "Share app telemetry with Google" on the Automatic protection settings page (Test and release > App integrity and scroll down to Automatic protection). Learn more about how data is used to develop Google services.

Related content

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
17622968322791420575
true
Search Help Center
true
true
true
true
true
92637
false
false