Why do we need a migration to the Play Integrity API?
Let's briefly understand the basic purpose behind a migration to the Play Integrity API. We shall be using a very simple and crude language so that explanation is made clearer for a beginner. Finer details could be missing - so reading the documentation would still be necessary. I would be able to lead you till a "working" type of setup which might not pass the strict security guidelines and requirements as suggested by Google. So you will have to fine tune the whole thing as per your needs. As far as my own apps were concerned, my needs weren't very strict - so I'll share whatever I did for my own apps.
I found three broad use cases where Play Security API could be helpful. Play Security API help you determine -
- Whether the app has been installed from your Google Play Store listing or not? This helps you ensure that your users are not running tampered versions of your app.
- Whether the app is licensed, and was purchased by the user from the Play Store - after making payment, or is it a pirated version?
- Whether the device itself is a trusted device or is it a rooted, tampered, or otherwise a device that is not considered safe.
Video Explanation (see it happen!)
Please watch the following youtube video:
Link your App to a Google Cloud Project
Open the app listing on your Google Play Store account.
Then look at the menu on the left side and locate a menu item called "App Integrity" under "Setup" and click it.
You will see two tabs - Integrity API and App Signing. Click on the Integrity API! We shall not be concerned with the App Signing tab.
On this integrity api tab we have a link that asks us to link a google cloud project. At first sight this seems a big task, but its easier.
Click on Link Project to open a page that offers you a list of the projects that you already on the Google Cloud Console. You can link any project. I am not sure why it is required, but you can link any of your projects just for the purposes of fulfilling this requirement.
If you do not have a project already, then you can choose to create one - and follow the required steps. Please do not rush without knowing where you are clicking - some parts of the cloud console are billable - although as of the date of publish of this article, not even a single cent is charged for this. But things could change in the future - which is why some sort of linking is perhaps required.
For my case I created a project, and immediately disabled it. The things still work for me - would like to keep it disabled - for it's better not to enable too many settings on your cloud projects!
Save and return back to the App Integrity page. This has now become a lengthy page and let's see the various items greater detail.
- Usage Tier
- A Standard usage tier allows you upto 10000 integrity verifications per day. It is free as on the date of publishing of this article. This limit can be raised by writing to the support team.
- Google Cloud Project
- This is the cloud project that we have linked just now.
- Response Encryption
- This is the item where we have to generate our encryption and decryption keys. We shall come to this later.
- This tab shows the various types of responses that your app intends to receive from the Integrity API. Device integrity information contains information on the degree of trust of the android device. The default setting lets us know if the device is trusted or not. But we can tweak the setting to include additional information such as whether the device is a google certified device. The account details tag shows information about whether the app is duly licensed and obtained after making payment through the play store. The application integrity is about the app itself - whether it has been installed from the app store, or from a different source. You can read more about these from the documentation.
In the next tutorial we generate the encryption and drcryption keys that will be required at the time of programming. Thanks!
This Blog Post/Article "(Migrating to Play Integrity API) Step 1 - Prepare your App Listing for Play Integrity API" by Parveen is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.