Google Play Integrity API
Qu'est-ce que Google Play Integrity API ?
Google Play Integrity APIGoogle's server-side device-and-app attestation API for Android, the successor to SafetyNet Attestation, used by apps to verify they are running on a genuine, unmodified device with the official, Play-distributed binary.
The Play Integrity API is Google's current device and app attestation service for Android, replacing the deprecated SafetyNet Attestation API. An Android app calls the API at sensitive moments (login, payment, anti-cheat checks) and receives a signed token that the app's backend can verify with Google. The token carries three verdicts: 'device integrity' (was this command issued from an Android device with an intact platform — `MEETS_DEVICE_INTEGRITY`, `MEETS_STRONG_INTEGRITY` for stronger hardware-backed evidence, `MEETS_BASIC_INTEGRITY`), 'app integrity' (was the binary that called the API the one Google Play distributed for the published app), and 'account details' (does this user own the app via Play). Roll-out evolved through 2022–2024 with tiers: 'Classic' free quota, paid 'Standard' for higher volume, and hardware-attested variants that increasingly tie the verdict to KeyMint key attestation. Attacks include Magisk-based root hiders, custom ROMs spoofing device fingerprints, Frida-bypass research, and a constant cat-and-mouse with hardware-attested checks. Use cases include banking, fintech, mobile games, mobile DRM, and any app where backend trust depends on the client environment.
● Exemples
- 01
A banking app calls the Play Integrity API at login, and its backend refuses the session if the verdict lacks `MEETS_STRONG_INTEGRITY`.
- 02
A 2024 advisory documents a Magisk module that defeats Play Integrity device-integrity but cannot satisfy the hardware-backed STRONG variant.
● Questions fréquentes
Qu'est-ce que Google Play Integrity API ?
Google's server-side device-and-app attestation API for Android, the successor to SafetyNet Attestation, used by apps to verify they are running on a genuine, unmodified device with the official, Play-distributed binary. Cette notion relève de la catégorie Sécurité mobile en cybersécurité.
Que signifie Google Play Integrity API ?
Google's server-side device-and-app attestation API for Android, the successor to SafetyNet Attestation, used by apps to verify they are running on a genuine, unmodified device with the official, Play-distributed binary.
Comment fonctionne Google Play Integrity API ?
The Play Integrity API is Google's current device and app attestation service for Android, replacing the deprecated SafetyNet Attestation API. An Android app calls the API at sensitive moments (login, payment, anti-cheat checks) and receives a signed token that the app's backend can verify with Google. The token carries three verdicts: 'device integrity' (was this command issued from an Android device with an intact platform — `MEETS_DEVICE_INTEGRITY`, `MEETS_STRONG_INTEGRITY` for stronger hardware-backed evidence, `MEETS_BASIC_INTEGRITY`), 'app integrity' (was the binary that called the API the one Google Play distributed for the published app), and 'account details' (does this user own the app via Play). Roll-out evolved through 2022–2024 with tiers: 'Classic' free quota, paid 'Standard' for higher volume, and hardware-attested variants that increasingly tie the verdict to KeyMint key attestation. Attacks include Magisk-based root hiders, custom ROMs spoofing device fingerprints, Frida-bypass research, and a constant cat-and-mouse with hardware-attested checks. Use cases include banking, fintech, mobile games, mobile DRM, and any app where backend trust depends on the client environment.
Comment se défendre contre Google Play Integrity API ?
Les défenses contre Google Play Integrity API combinent habituellement des contrôles techniques et des pratiques opérationnelles, comme détaillé dans la définition ci-dessus.
Quels sont les autres noms de Google Play Integrity API ?
Noms alternatifs courants : Play Integrity, SafetyNet successor.
● Termes liés
- mobile-security№ 062
Apple App Attest
Apple's iOS / iPadOS / tvOS / watchOS attestation service that lets an app prove to its backend that it is the genuine, App-Store-signed binary running on a real Apple device with Secure Enclave protection.
- mobile-security№ 772
Sécurité des applications mobiles
Pratique consistant a concevoir, developper et tester des applications iOS et Android afin de proteger les donnees utilisateur, empecher la retro-ingenierie et resister a la manipulation en execution.
- mobile-security№ 780
Mobile Root Detection (Android)
Defensive checks an Android app runs to determine whether it is executing on a rooted device — typically by probing for su binaries, Magisk files, busybox, dangerous build properties, or hardware-attested integrity verdicts.
- mobile-security№ 777
Mobile Jailbreak Detection (iOS)
Runtime checks an iOS app performs to determine whether the device has been jailbroken — looking for Cydia/Sileo/Zebra files, suspicious URL schemes, write access outside the sandbox, or App Attest disagreement.
- mobile-security№ 052
Android Keystore System
Android's hardware-backed key container that confines cryptographic key material to a Trusted Execution Environment or StrongBox, exposing keys only by reference and enforcing per-key access policies such as biometric or device-credential gating.
- mobile-security№ 1056
Rooting (Android)
Obtention de privileges superutilisateur (root) sans restriction sur un appareil Android, en contournant les protections du noyau Linux, de SELinux et de la chaine de demarrage verifie.
● Voir aussi
- № 059APK Repackaging