(Migrating to Play Integrity API) Step 2 - Generate the Encryption and Decryption Keys

When your app places a query for integrity check, the playstore servers respond with an encrypted json string of base64 characters. A securely encrypted message cannot be intercepted by, for example, an android clone that intends to present itself as a good device. In this tutorial we shall learn how to generate the encryption and decryption keys so that the response is securely decrypted inside your app!
(Rev. 03-Aug-2022)

Categories | About |     |  


Google Managed Encryption vs Manual Generation of Keys

Let's open the app integrity page as we were discussing in the previous tutorial. Scroll to the Response Encryption section. The default setting is Managed by Google as you are seeing here. Let's understand the difference between managing the keys through google, and through your own steps.

The recommended method for the keys is to allow google to manage your keys. When I was implemeneting the code in my own apps, I tried follow the steps they have suggested, but things got stuck at some practical difficulties specific to my projects. So I abandoned this approach and decided to follow the second option, i.e., the manual option for generating the keys.

This is the reason why I am explaining the steps for generation of keys.

Click on Change. A new page opens! Select the option Manage and download my response encryption keys. There's a form that asks you to upload a pem file. Let's generate the PEM file now!

Video Explanation (see it happen!)

Please watch the following youtube video:

Tools for Generating a PEM file

A PEM file has to be generated by using an open source tool called openssl. The website is https://www.openssl.org/. You will have to obtain the binaries by searching resources on internet. Make sure that you get them from a trusted website.

Copy all the binaries in a suitable folder with read-write permissions. The two screenshots that you see (refer the linked video for screenshots) are for the binaries I obtained from two different sources, and I have collected them on my D drive which has read write permissions.

Generate and Upload the public.pem file

Our next step is to generate a pem file, called, let's say public.pem.

The easiest way is to create a .bat file of any name, say, mybat.bat and containing these two lines -

// for WINDOWS (tested on windows 10) -> 

openssl genrsa -aes128 -out private.pem 2048
openssl rsa -in private.pem -pubout -out public.pem

// for LINUX/UNIX (this could work) -> 

openssl genrsa -aes128 -out private.pem 2048
openssl rsa -in private.pem -pubout > public.pem

Save this file and execute it. During execution you will be asked to enter the same password or pass phrase many times. This password should be known ONLY to you - keep it any string - but do not keep it too obvious.

If things go fine, then you should be able to see two files - private.pem and public.pem - in the same folder.

Download the Encryption Keys

Now come back to the play console page and upload the public.pem file. Save the upload, and as soon as you save it, a file of extension .enc gets downloaded. Copy this file to the same directory as the openssl.exe.

Create another batch file called, say, mybat2.bat and type this script there. The variable enc_file contains the name of the file that you just downloaded from the playstore.

// tested on windows 10 

// replace by your own file name 

set enc_file=in.hoven.andzoom.enc

openssl rsautl -decrypt -oaep -inkey private.pem -in %enc_file% -out api_keys.txt

During execution you will be asked to enter the same password that you used during the first step. If everything goes fine you will see a file called api_keys.txt. This file looks like this DECRYPTION_KEY=, VERIFICATION_KEY=

VERIFICATION_KEY=MFkwEwYHKoZI....long string...==

Take note of these keys, they will be needed at the time of writing our program in the next step. Thanks!

This Blog Post/Article "(Migrating to Play Integrity API) Step 2 - Generate the Encryption and Decryption Keys" by Parveen is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.