Google Play Integrity API
What is Google Play Integrity API?
Google Play Integrity APIGoogle's server-side device-and-app attestation API for Android, the successor to SafetyNet Attestation, used by apps to verify they are running on a genuine, unmodified device with the official, Play-distributed binary.
The Play Integrity API is Google's current device and app attestation service for Android, replacing the deprecated SafetyNet Attestation API. An Android app calls the API at sensitive moments (login, payment, anti-cheat checks) and receives a signed token that the app's backend can verify with Google. The token carries three verdicts: 'device integrity' (was this command issued from an Android device with an intact platform — `MEETS_DEVICE_INTEGRITY`, `MEETS_STRONG_INTEGRITY` for stronger hardware-backed evidence, `MEETS_BASIC_INTEGRITY`), 'app integrity' (was the binary that called the API the one Google Play distributed for the published app), and 'account details' (does this user own the app via Play). Roll-out evolved through 2022–2024 with tiers: 'Classic' free quota, paid 'Standard' for higher volume, and hardware-attested variants that increasingly tie the verdict to KeyMint key attestation. Attacks include Magisk-based root hiders, custom ROMs spoofing device fingerprints, Frida-bypass research, and a constant cat-and-mouse with hardware-attested checks. Use cases include banking, fintech, mobile games, mobile DRM, and any app where backend trust depends on the client environment.
● Examples
- 01
A banking app calls the Play Integrity API at login, and its backend refuses the session if the verdict lacks `MEETS_STRONG_INTEGRITY`.
- 02
A 2024 advisory documents a Magisk module that defeats Play Integrity device-integrity but cannot satisfy the hardware-backed STRONG variant.
● Frequently asked questions
What is Google Play Integrity API?
Google's server-side device-and-app attestation API for Android, the successor to SafetyNet Attestation, used by apps to verify they are running on a genuine, unmodified device with the official, Play-distributed binary. It belongs to the Mobile Security category of cybersecurity.
What does Google Play Integrity API mean?
Google's server-side device-and-app attestation API for Android, the successor to SafetyNet Attestation, used by apps to verify they are running on a genuine, unmodified device with the official, Play-distributed binary.
How does Google Play Integrity API work?
The Play Integrity API is Google's current device and app attestation service for Android, replacing the deprecated SafetyNet Attestation API. An Android app calls the API at sensitive moments (login, payment, anti-cheat checks) and receives a signed token that the app's backend can verify with Google. The token carries three verdicts: 'device integrity' (was this command issued from an Android device with an intact platform — `MEETS_DEVICE_INTEGRITY`, `MEETS_STRONG_INTEGRITY` for stronger hardware-backed evidence, `MEETS_BASIC_INTEGRITY`), 'app integrity' (was the binary that called the API the one Google Play distributed for the published app), and 'account details' (does this user own the app via Play). Roll-out evolved through 2022–2024 with tiers: 'Classic' free quota, paid 'Standard' for higher volume, and hardware-attested variants that increasingly tie the verdict to KeyMint key attestation. Attacks include Magisk-based root hiders, custom ROMs spoofing device fingerprints, Frida-bypass research, and a constant cat-and-mouse with hardware-attested checks. Use cases include banking, fintech, mobile games, mobile DRM, and any app where backend trust depends on the client environment.
How do you defend against Google Play Integrity API?
Defences for Google Play Integrity API typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Google Play Integrity API?
Common alternative names include: Play Integrity, SafetyNet successor.
● Related terms
- mobile-security№ 062
Apple App Attest
Apple's iOS / iPadOS / tvOS / watchOS attestation service that lets an app prove to its backend that it is the genuine, App-Store-signed binary running on a real Apple device with Secure Enclave protection.
- mobile-security№ 772
Mobile App Security
The practice of designing, building, and testing iOS and Android applications to protect user data, prevent reverse engineering, and resist runtime tampering.
- mobile-security№ 780
Mobile Root Detection (Android)
Defensive checks an Android app runs to determine whether it is executing on a rooted device — typically by probing for su binaries, Magisk files, busybox, dangerous build properties, or hardware-attested integrity verdicts.
- mobile-security№ 777
Mobile Jailbreak Detection (iOS)
Runtime checks an iOS app performs to determine whether the device has been jailbroken — looking for Cydia/Sileo/Zebra files, suspicious URL schemes, write access outside the sandbox, or App Attest disagreement.
- mobile-security№ 052
Android Keystore System
Android's hardware-backed key container that confines cryptographic key material to a Trusted Execution Environment or StrongBox, exposing keys only by reference and enforcing per-key access policies such as biometric or device-credential gating.
- mobile-security№ 1056
Rooting (Android)
Gaining unrestricted superuser (root) privileges on an Android device, bypassing the protections enforced by the Linux kernel, SELinux, and the Android verified boot chain.
● See also
- № 059APK Repackaging