You can use the Play Integrity API to protect your apps and games from risky interactions. By identifying these interactions, your app can respond appropriately to reduce the risk of attacks and abuse.
How it works
The Integrity API unifies Google Play anti-abuse features with a collection of integrity signals to help Android app and game developers detect potentially risky and fraudulent traffic. This traffic could come from modified versions of your app or game, untrustworthy devices, or other untrustworthy environments. By detecting this traffic, you can respond with appropriate action to reduce attacks and abuse such as fraud, cheating, and unauthorized access.
When a user performs an app or game-defined action, your server instructs the client-side code to invoke the Integrity API. The Google Play server returns an encrypted response with an integrity verdict about whether or not you can trust this device and its binary. Your app then forwards that response to your server for verification. Your server can decide what your app or game should do next.
The API provides an integrity verdict in a response that includes the following information:
- Genuine app binary: Determine whether you're interacting with your unmodified binary that Google Play recognizes.
- Genuine Play install: Determine whether the current user account is licensed, which means that the user installed or paid for your app or game on Google Play.
- Genuine Android device: Determine whether your app is running on a genuine Android device powered by Google Play services (or a genuine instance of Google Play Games for PC).
You can also choose to receive additional information about the environment in the integrity verdict:
- Risk from app access: Determine whether other apps are running that could capture the screen, display overlays over your app, or control the device.
- Risk from known malware: Determine whether Google Play Protect is turned on and whether it has found known malware on the device.
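The server-side decision step described above, as an added example (not code from Google or from this page): a Python policy function that takes an already decrypted and verified classic-request verdict payload and returns the reasons to distrust it. The package name, freshness window, reason strings and sample payload are constructed assumptions; the field and verdict names follow the published Play Integrity verdict format.

```python
import time

EXPECTED_PACKAGE = "com.example.game"  # hypothetical package name (assumption)
MAX_AGE_MS = 120_000                    # assumed freshness window for a verdict

# Constructed sample payload, not captured from a real device.
SAMPLE = {
    "requestDetails": {"requestPackageName": "com.example.game",
                       "nonce": "c2FtcGxlLW5vbmNl",
                       "timestampMillis": "1700000000000"},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
}

def evaluate_verdict(payload, expected_nonce, now_ms=None, require_play_protect=False):
    """Return reasons to distrust the request; an empty list means every check passed."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons = []
    # Bind the verdict to this app and to the request the server itself started.
    req = payload.get("requestDetails") or {}
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        reasons.append("package_mismatch")
    if req.get("nonce") != expected_nonce:
        reasons.append("nonce_mismatch")
    try:
        age = now_ms - int(req.get("timestampMillis"))
    except (TypeError, ValueError):
        age = None
    if age is None or abs(age) > MAX_AGE_MS:
        reasons.append("stale_or_missing_timestamp")
    # Genuine app binary.
    if (payload.get("appIntegrity") or {}).get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app_not_recognized")
    # Genuine Play install.
    if (payload.get("accountDetails") or {}).get("appLicensingVerdict") != "LICENSED":
        reasons.append("not_licensed")
    # Genuine Android device.
    labels = (payload.get("deviceIntegrity") or {}).get("deviceRecognitionVerdict") or []
    if "MEETS_DEVICE_INTEGRITY" not in labels:
        reasons.append("device_not_trusted")
    # Optional signal: absent unless the response is enabled in Play Console.
    env = payload.get("environmentDetails")
    if env is None:
        if require_play_protect:
            reasons.append("play_protect_missing")
    elif env.get("playProtectVerdict") in ("MEDIUM_RISK", "HIGH_RISK"):
        reasons.append("known_malware_risk")
    return reasons
```

Missing sections are treated as failures rather than exceptions, so the function keeps working when optional responses are switched on or off in Play Console.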
Tips:
- You can monitor the status of the Play Integrity API and other Play services using the Google Play status dashboard.
- The Integrity API provides the most value for your app when you follow each of the recommended practices in the documentation on the Android Developers site.
Set up and manage the Play Integrity API
Enable the Integrity API for your app
To enable Integrity API responses for your app, you need to link a Google Cloud project in Play Console. To link your project:
- Open Play Console and go to the App integrity page (Release > App integrity).
- Scroll to the "Play Integrity API" section.
- Choose "Link existing project" and the project you want to link to.
- Click Link cloud project.
To start integrating the Integrity API into your app, you need to do the following:
- For Java/Kotlin apps, install the latest available Android library for the Play Integrity API from Google’s Maven Repository.
- For Unity games, install the latest release of Google Play Plugins for Unity. All versions of 2019.x, 2020.x and newer are supported. If you use Unity 2018.x, install 2018.4 or newer. If you use Unity 2017.x, install 2017.4.40 or newer. Unity 5.x and older are not supported.
- For Native apps and games, install the latest Play Core Native SDK.
Now you can follow these steps on the Android Developers site to start using the Play Integrity API in your app or game.
(Optional) Customize Integrity API responses
To learn how to configure API integrity responses, visit the Android Developers site.
To edit your API responses:
- Open Play Console and go to the App integrity page (Release > App integrity).
- Scroll to the "Play Integrity API" section.
- Click Settings.
- Scroll to the "Responses" section.
- Click Edit.
- Select or deselect the checkboxes next to the API responses you want to change.
- Click Save changes.
Important: The changes to API responses take effect immediately after you save them, including when your app is in production. Before you change the set of API responses in your Play Console, make sure your server is prepared to accept those responses.
(Optional) Configure classic request settings
By default, Google manages your response encryption for classic requests. However, you can choose to self-manage your response encryption if you prefer.
Important: Switching your response encryption between managed by Google and self-managed requires code changes on your backend server.
To self-manage your response encryption:
- Open Play Console and go to the App integrity page (Release > App integrity).
- Scroll to the "Play Integrity API" section.
- Click Settings.
- Scroll to the "Classic requests" section. Next to "Response encryption," the status will be "Managed by Google" by default. Click Change.
- Choose "Manage and download my response encryption keys" and click Save changes. Google will generate response encryption keys for you to download and manage. You must update your backend server logic to use the keys to decrypt responses.
- Follow the on-screen instructions to generate a .pem file and upload the .pem file to download your API keys.
- An on-screen message will confirm that your response encryption management has been updated.
- Download your new response encryption keys and update your backend server to decrypt responses with them in production. Return to the Integrity API tab on the App Integrity page to enable Google Play to start using the new response encryption keys instead of the legacy keys. This change is immediate.
If you want to revert from self-managed to Google-managed:
- Open Play Console and go to the App integrity page (Release > App integrity).
- Scroll to the "Play Integrity API" section.
- Click Settings.
- Scroll to the "Classic requests" section. Next to "Response encryption," the status will be "Self-managed" because you have changed it in the past. Click Change.
- Choose "Let Google manage my response encryption (recommended)" and click Save changes. Google will generate and manage your response encryption keys. Your backend server will call Google Play’s server to decrypt responses.
Test your Play Integrity API integration
To test your Integrity API integration, you can set up a list of Gmail accounts and. First, make sure that your testers have access to your release. Publish your app to the internal test track or the track that you intend to test on. Then, follow the instructions for managing testers by email address or using Google Groups so that your testers can access your release.
To set up a test:
- Open Play Console and go to the App integrity page (Release > App integrity).
- Scroll to the “Play Integrity API” section.
- Click Settings.
- Scroll to the "Testing" section.
- Click Create new test.
- Select an email list or create a new one.
- Click Create test.
Customize your store listing when users visit from Integrity API dialogs
You can use an Integrity API remediation dialog to prompt users who have obtained your app unofficially to get your app from Google Play. When users tap on the dialog, they will be redirected to your store listing where they can tap on the install (or buy or update) button so that the app is added to the user’s Play library.
You can customize your store listing assets for any visitors who tap on Integrity API remediation dialogs, including your app’s name, icon, descriptions, and graphic assets. To customize your store listing when users visit from an Integrity API dialog:
- Open Play Console and go to the App integrity page (Release > App integrity).
- Scroll to the "Play Integrity API" section.
- Click Settings.
- Scroll to the "Customize store listing" section.
- Click Create listing.
- Follow the instructions on the Create custom store listing page and click Save.
Alternatively, you can create custom store listings for Integrity API dialogs directly from the ‘Custom store listings’ page:
- Open Play Console and go to the Custom store listings page (Grow > Custom store listings).
- Click Create listing, choose whether to create a new listing or duplicate an existing one, and click Next.
- Under "Listing details," find the "Target audience" section.
- Select By URL, and type ‘playintegrity’ in the textbox.
- Enter all other details and click Save.
Tip: The URL parameter ‘playintegrity’ is a special keyword that’s reserved for integrity deeplinks so it must be entered exactly when setting up the custom store listing.
Increase your Play Integrity API daily maximum requests
Apps can make up to 10,000 requests per day to the Integrity API by default.
To view the volume of requests your app makes daily:
- Open Play Console and go to the App integrity page (Release > App integrity).
- Scroll to the “Play Integrity API” section.
- View your daily number of requests. To view more data, change the time period, and apply filters, click View Integrity API report.
To view your app’s daily maximum requests:
- Open Play Console and go to the App integrity page (Release > App integrity).
- Scroll to the “Play Integrity API” section.
- Click Settings.
- View your usage tier.
You can request to make more than 10,000 requests per day. To be eligible you must:
- Confirm correct implementation of API logic including retries.
- Publish your app on Google Play in addition to any other distribution channels.
To increase your daily maximum requests, complete this form.