The Limitations of Google Play Integrity API (ex SafetyNet)
Approov Mobile Security
Zero-Trust for Mobile Apps and APIs - iOS, Android and HarmonyOS
This overview outlines the history and use of Google Play Integrity API and highlights some limitations. We also compare and contrast Google Play Integrity API with the comprehensive mobile security offered by Approov. The imminent deprecation of Google SafetyNet Attestation API means this is a good time for a comprehensive evaluation of solutions in this space.
Why App Attestation and Device Integrity Checks are Important
There are two fundamental problems with mobile apps: The first is that they can be reverse engineered, even if attempts have been made to obfuscate code. The second is that they run in a client environment which is neither owned nor controlled by the app owner.
This means that unless steps are taken, apps themselves can be analyzed, understood, cloned or copied, and the environments they run in can be hacked, rooted, instrumented and manipulated to interfere with the operation of an app.
Using these attack surfaces, hackers can directly intercept or tamper with data transferred between the app and its servers, intercept or manipulate financial transactions, or simply interfere with or stop the operation of the service.
Manipulated apps can be repackaged and redistributed with malware. Repackaged apps can be turned into automated tools (i.e. bots) to be used to attack APIs and backend servers. Secrets can also be lifted from apps then used in scripts to create bots. Bad actors use these techniques to carry out brute-force attacks, exploiting API vulnerabilities to steal data, or mount DDoS attacks.
So it's no surprise that trying to prevent apps and devices from being tampered with must be at the heart of any security strategy designed to protect mobile apps. However, this is only a fraction of the whole story, as we will soon discover. App and device attestation are an essential piece of the puzzle but not sufficient in themselves.
Different services are available to provide app attestation. Google provides app attestation and client integrity checks via Play Integrity API. Approov provides an end-to-end mobile app security solution which includes app and device integrity checking. The rest of this paper compares the two solutions.
The History of Google Play Integrity API
SafetyNet Attestation API was launched in 2017 as part of Google Play services, in order to provide an API for developers to remotely evaluate whether they were talking to a genuine Android device. Developers, however, found it hard to implement and there were a number of studies that showed how incomplete implementations could be abused. In 2021 Google announced Play Integrity API, consolidating multiple integrity offerings (including the SafetyNet Attestation device verdict) under a single API. At the same time they announced the deprecation of SafetyNet Attestation API (one of the four APIs under the SafetyNet umbrella).
Google expects developers to fully replace Attestation API with the Play Integrity API by the end of January 2024 unless an extension is requested and accepted. SafetyNet Attestation API will be turned off completely in January 2025. This is forcing Android developers using SafetyNet to perform code updates across the board to all apps and to upgrade to the new attestation service.
What Problem Does Google Play Integrity API Aim to Address
You can call Play Integrity API to check that you’re really interfacing with your genuine app binary, installed by Google Play, running on a genuine Android device. If something is off (for example it’s a tampered or sideloaded app, or it’s an unofficial emulator, or it’s a rooted or compromised device), you can decide what defensive actions to take. The Integrity API unifies Google Play anti-abuse features with a collection of integrity signals to help Android app and game developers detect potentially risky and fraudulent traffic. This traffic could come from modified versions of your app or game, untrustworthy devices, or other untrustworthy environments. By detecting this traffic, you can respond with appropriate action to reduce attacks and abuse such as fraud, cheating, and unauthorized access. You can use the Play Integrity API to protect your apps and games from risky interactions. By identifying these interactions, your app can respond appropriately to reduce the risk of attacks and abuse.
How Does Play Integrity API Work?
The Integrity API unifies Google Play integrity signals to help app and game developers detect potentially risky and fraudulent traffic. When a user performs an app or game-defined action, your server instructs the client-side code to invoke the Integrity API. The Google Play server returns an encrypted response with an integrity verdict about whether or not you can trust this device and its binary. Your app then forwards that response to your server for verification. Your server can decide what your app or game should do.
The API provides what is called an “integrity verdict” in a response that includes the following information:
There are two types of requests supported by Google: “Classic” requests initiate a full assessment and require interpretation work on behalf of the user; these are recommended for the most sensitive requests, and can be slow. The new “standard” requests are faster but delegate some of the decision making to Google Play.
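The server-side decision step described above can be sketched as follows. This is an added example, not code from Approov or Google: it assumes the encrypted token has already been decrypted and decoded into JSON, uses the field names of a classic-request verdict payload, and the package name, nonce and age limit are hypothetical policy values.

```python
import time

# Assumed policy values for this example (hypothetical app and limits).
EXPECTED_PACKAGE = "com.example.app"
MAX_AGE_MS = 2 * 60 * 1000  # reject verdicts older than two minutes


def evaluate_verdict(payload, expected_nonce, now_ms=None):
    """Return a list of reasons to distrust the request; empty means accept."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons = []
    req = payload.get("requestDetails", {})
    app = payload.get("appIntegrity", {})
    dev = payload.get("deviceIntegrity", {})

    # Bind the verdict to the challenge this server issued and to our app.
    if req.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch (possible replay)")
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        reasons.append("verdict issued for a different package")
    try:
        age = now_ms - int(req.get("timestampMillis", ""))
    except (TypeError, ValueError):
        age = None
    if age is None or age < 0 or age > MAX_AGE_MS:
        reasons.append("stale or invalid timestamp")

    # App binary recognised by Google Play (not tampered or sideloaded).
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app not recognised by Play")
    # The device verdict is a list of labels; an empty list carries no trust.
    if "MEETS_DEVICE_INTEGRITY" not in dev.get("deviceRecognitionVerdict", []):
        reasons.append("device integrity not met")
    return reasons


# Constructed sample payload, shaped like a decoded classic-request verdict.
SAMPLE = {
    "requestDetails": {"requestPackageName": "com.example.app",
                       "timestampMillis": "1700000000000",
                       "nonce": "c2VydmVyLWlzc3VlZC1ub25jZQ"},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                     "packageName": "com.example.app", "versionCode": "42"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"]},
}

if __name__ == "__main__":
    print(evaluate_verdict(SAMPLE, "c2VydmVyLWlzc3VlZC1ub25jZQ",
                           now_ms=1700000030000))
```

Skipping the nonce, package or freshness checks and looking only at the verdict labels leaves a valid token reusable across requests, which is the kind of incomplete implementation mentioned in the history section.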
What Problems Does Google Play Integrity API Not Address?
We will see in a later section that there are some limitations in the way that Google Play Integrity API provides app attestation. As Google also points out, to be effective this technique must be deployed as part of a broader security strategy. If we use, for example, the OWASP MASVS (Mobile Application Security Verification Standard) framework to assess end-to-end mobile app security, Google Play Integrity API ONLY partially addresses the guidelines in the MASVS-RESILIENCE category, which is only one of seven categories in the guidelines. MASVS-RESILIENCE aims to ensure that the app is running on a trusted platform, prevent tampering at runtime and ensure the integrity of the app’s intended functionality. In particular these are two other things you will need to take care of:
Now we understand the scope, let's look specifically at the app attestation and device integrity checks provided by Google and compare them with Approov.
What are the Limitations of Google Play Integrity API versus Approov?
Google Play Integrity API provides a way to perform app and device attestation checks at runtime for Android apps deployed using Google services. It has some limitations and only works with Android apps which use Google Services. As Google SafetyNet Attestation API is deprecated, this is a good time to evaluate alternatives. Approov Mobile App Protection ensures that all mobile API traffic does indeed come from a genuine and untampered mobile app, running in a safe environment. Doing this blocks all scripts, bots and modified or repackaged mobile apps from abusing an API. Approov supports any apps running on Android, iOS, watchOS and HarmonyOS, providing comprehensive and powerful security with easy and consistent management across all supported platforms.