June 10, 2025

    Drawbacks of the Google Play Integrity API for Mobile App Attestation

    A protected and secure mobile app is essential to delivering a trusted in-app experience. However, this is not limited to the client side of the application. Protecting your mobile app’s APIs is critical to stopping today’s attackers, who exploit weaknesses at the network level. That’s where app attestation becomes an essential part of your mobile app security strategy.

    Mobile app attestation is a secure approach to ensure that only your app can connect to your APIs. By adding server-side validation, app developers and security teams can ensure only legitimate apps interact with their APIs - blocking bots or non-genuine apps from interacting with your APIs.

    A popular app attestation option - especially for Android developers - is the Google Play Integrity API. While it provides baseline protections and is easily accessible, relying solely on Play Integrity comes with significant trade-offs. Below, we’ll explore the benefits and limitations of Google Play Integrity, and why a more comprehensive approach to app attestation is often necessary.

    What is Google Play Integrity API

    Prior to the launch of the Play Integrity API, Google originally developed a suite of Android API protections called SafetyNet. SafetyNet provided a range of capabilities, but its most popular use was as a device attestation solution. Developers leveraged its capabilities to assess and provide a verdict on the integrity of a device. However, SafetyNet came with limitations like imprecise signals, lackluster checks against evolving threats, and lack of app license information, all of which led to its eventual deprecation.

    Google replaced SafetyNet with the Play Integrity API, which aims to provide stronger protections and deeper insights. At its core, the Play Integrity API provides an integrity verdict for an Android device and the app that is running on that device. This is intended to protect against API abuse and mitigate security risks.

    The Play Integrity API protects APIs and prevents risks using three main mechanisms:

    • App binary verification: Confirms the app has not been tampered with and matches what is currently on the Google Play Store.
    • Genuine install check: Validates that the app was downloaded by a legitimate user (which means it was installed or paid for via the Play Store).
    • Device integrity check: Verifies that the app is running on a certified Android device with Google Play Services.

    The benefits of Google Play Integrity API

    The Play Integrity API has little to no barrier to entry for Android developers and is built to work with the Google Play ecosystem. It also offers a few security enhancements that developers would be remiss not to add to their mobile app security strategy. Below are the key benefits of using the Play Integrity API as your app attestation solution.

    Free & accessible attestation solution

    One reason for the popularity of the Play Integrity API is it’s a free solution that is part of the Google ecosystem. As such, it is easily accessible for any Android developer that wishes to place their app on the Play Store. It’s a quick-fix solution for developers that want to gain confidence that the app interacting with their services is genuine and running on a legitimate Android device.

    Improved server-side security & abuse protections

    Developers implementing the Play Integrity API will increase the effectiveness of their fraud prevention and risk mitigation strategies. However, this is not so much a feature of the Play Integrity API as it is a benefit of mobile app attestation itself. Nevertheless, the Play Integrity API delivers enhanced malware protection by identifying environments that are vulnerable to malware attacks.

    Security signals & insights

    One of the reasons SafetyNet was deprecated in favor of the Play Integrity API was because it lacked the insights developers required. Play Integrity delivers more nuanced signals for device integrity than SafetyNet did. It also verifies app licensing, something which was not available in SafetyNet. If developers wish, they can choose to opt-in to more enhanced insights. These may include known malware detections, abuse of app permissions, and identifying screen capturing or app overlays.

    Android developer-focused

    It’s a logical step for Android app developers to look to Google’s app attestation first, especially when it’s free. Google Play Integrity API is specifically built for Android and Google certified devices. It also is backwards compatible, which means developers that previously used SafetyNet will have an easy migration to the new Play Integrity API.

    Why you should think twice about relying solely on Google Play Integrity API

    Despite these benefits, Play Integrity is not a comprehensive app attestation solution. It has several limitations that can create security blind spots - especially for larger, more security-sensitive mobile apps.

    Quota and scalability limits

    For the small or hobby developer, the Play Integrity API is a fantastic solution. But for large-scale applications, scaling app attestation protections can become quite a challenge. The Play Integrity API enforces a quota of 10,000 online checks per day. Once your quota is reached, the service stops serving additional requests. If a developer wishes to increase their quota, they must make a formal request to Google. For large-scale apps in production with tens of thousands or even millions of users, such a low limit is not remotely sufficient.

    Lack of granular insights

    The insights available within the Play Integrity API are beneficial, but lack granularity. When a verdict is returned, one of three device-integrity responses is delivered: Virtual, Basic, or Strong. These responses alone give the developer little information. When false positives occur, as they often do, a user who did nothing wrong is locked out of the app, and the developer is left with very little to go on when diagnosing what caused the false positive.

    The client-side policies against which the Play Integrity API performs its checks are also not determined by the developer. They are set by Google, and the developer has no input into them. If a developer needs to dig deeper into a verdict, that information is not available from the Play Integrity API. There is also the risk that certain protections are out of date or unable to defend against the latest threats, and there is no way to improve an existing protection short of waiting for Google to ship an update.
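    The three checks listed earlier (app binary, genuine install, device integrity) and the granularity problem described in this section both come down to what the backend does with a verdict once it has one. The following is an added example, not code from the original post, from Google or from Guardsquare. It assumes the backend has already exchanged the client's integrity token for the decoded verdict JSON through Google's server-side decode endpoint, so only the decoded payload is handled; field and label names follow the documented verdict layout, and every concrete value (package name, certificate digest, nonce, timestamp) is a constructed placeholder. It deliberately returns a list of reasons rather than a single pass/fail so that a blocked user can be traced to a specific failed check.

```python
"""Server-side validation of a decoded Play Integrity verdict.

Added example; not code from the original post, from Google or from
Guardsquare. Assumes the backend has already exchanged the client's
integrity token for the decoded verdict JSON via Google's server-side decode
endpoint, so only the decoded payload is handled here. Field and label names
follow the documented verdict layout; every sample value below (package name,
certificate digest, nonce, timestamp) is constructed.
"""
import time

# Server-side expectations (constructed placeholder values).
EXPECTED_PACKAGE = "com.example.app"
EXPECTED_CERT_DIGESTS = {"PLACEHOLDER_SIGNING_CERT_SHA256"}
MIN_VERSION_CODE = 42
MAX_VERDICT_AGE_MS = 5 * 60 * 1000   # verdicts older than five minutes are rejected
CLOCK_SKEW_MS = 60 * 1000            # tolerated forward skew of the client timestamp


def _as_int(value, default=0):
    """timestampMillis and versionCode arrive as strings; parse defensively."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def check_verdict(verdict, expected_nonce, now_ms=None, require_strong=False):
    """Return the list of failure reasons; an empty list means the request passes.

    Returning reasons instead of a bare boolean lets an operator tell a
    tampered binary apart from an uncertified device or a stale token when a
    user is blocked.
    """
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons = []

    # 1. Request binding: the verdict must belong to this package and this request.
    req = verdict.get("requestDetails", {})
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        reasons.append("request package mismatch")
    if req.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch (possible replay)")
    ts = _as_int(req.get("timestampMillis"), default=-1)
    if ts < 0 or now_ms - ts > MAX_VERDICT_AGE_MS or ts > now_ms + CLOCK_SKEW_MS:
        reasons.append("verdict timestamp missing, stale or in the future")

    # 2. App binary verification: Play recognised the binary and it is signed with our key.
    app = verdict.get("appIntegrity", {})
    recognition = app.get("appRecognitionVerdict", "missing")
    if recognition != "PLAY_RECOGNIZED":
        reasons.append(f"app not recognised by Play: {recognition}")
    if app.get("packageName") != EXPECTED_PACKAGE:
        reasons.append("app package mismatch")
    if not set(app.get("certificateSha256Digest", [])) & EXPECTED_CERT_DIGESTS:
        reasons.append("signing certificate not in allow-list")
    if _as_int(app.get("versionCode")) < MIN_VERSION_CODE:
        reasons.append("app version below minimum")

    # 3. Device integrity: labels are cumulative, so require the chosen floor to be present.
    labels = set(verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    floor = "MEETS_STRONG_INTEGRITY" if require_strong else "MEETS_DEVICE_INTEGRITY"
    if floor not in labels:
        reasons.append(f"device integrity below {floor}: {sorted(labels) or 'none'}")

    # 4. Genuine install: the account is licensed for this app through Play.
    licensing = verdict.get("accountDetails", {}).get("appLicensingVerdict", "missing")
    if licensing != "LICENSED":
        reasons.append(f"app not licensed via Play: {licensing}")

    return reasons


# Constructed sample verdicts. NOW_MS is fixed so the example is deterministic.
NOW_MS = 1_700_000_000_000
SAMPLE_NONCE = "constructed-nonce-123"

GENUINE = {
    "requestDetails": {"requestPackageName": EXPECTED_PACKAGE, "nonce": SAMPLE_NONCE,
                       "timestampMillis": str(NOW_MS - 2_000)},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED", "packageName": EXPECTED_PACKAGE,
                     "certificateSha256Digest": ["PLACEHOLDER_SIGNING_CERT_SHA256"], "versionCode": "42"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
}

# The same app installed from outside the Play Store on a device that only meets basic integrity.
SIDELOADED = {
    "requestDetails": dict(GENUINE["requestDetails"]),
    "appIntegrity": {"appRecognitionVerdict": "UNRECOGNIZED_VERSION", "packageName": EXPECTED_PACKAGE,
                     "certificateSha256Digest": ["PLACEHOLDER_SIGNING_CERT_SHA256"], "versionCode": "42"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "UNLICENSED"},
}

if __name__ == "__main__":
    for name, v in (("genuine", GENUINE), ("sideloaded", SIDELOADED)):
        print(name, check_verdict(v, SAMPLE_NONCE, now_ms=NOW_MS) or "PASS")
```

    The nonce and timestamp checks are the part most often skipped: without them a valid verdict captured once can be replayed indefinitely, regardless of what the integrity labels say. The `require_strong` switch shows the only policy knob the verdict itself exposes, the device-integrity floor; every other threshold (minimum version, accepted signing keys, token age) lives on the server and can be tuned without touching the app.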

    Hostage to the Google Play ecosystem

    The Play Integrity API only works on Google-certified Android devices, that is, Android devices with Google Play Services installed and up to date. If a customer uses your application on an outdated device or installs your app outside of the Play Store, the Play Integrity API will automatically flag it. Thus, there is a chance legitimate users will be blocked from using your application. Since the verdicts delivered by the Play Integrity API carry little insight, it is difficult to determine whether users are being prevented from using your app because Play Integrity flagged them, or even which users are being blocked.

    Guarantee it’s your app interacting with your APIs

    Google Play Integrity API provides a good foundation for app attestation, but it is not foolproof. Gaps exist that can be targeted by attackers that are practicing the latest mobile attack methods. A noticeable lack of actionable insights compounds this problem. Fortunately, there are improved ways to implement and apply app attestation to your security strategy.

    Mobile app attestation from Guardsquare protects against API abuse by guaranteeing it’s your app interacting with your APIs. Its historical insights and granular security policy controls make it easier to review attestation results and build defenses against emerging threats for your Android and iOS apps.

    Single platform for Android & iOS

    Guardsquare mobile application security products have long supported both Apple and Google ecosystems. Our app attestation solution is no different, with support tailored to your Android and iOS applications. Instead of increasing your tool sprawl with tools of varying levels of insight, you have a single solution to service both your Android and iOS applications.

    Both Android and iOS applications receive enhanced security and actionable insights into attestation results, so there’s no worrying about varied levels of security or insight. When you want to compare results between apps, you can easily toggle between the dashboards for each app and then examine every individual result.

    Flexible server-side control & fine-grained security policies

    In contrast to the Play Integrity API, Guardsquare purposely designed app attestation to be flexible and dynamic. Policies can be switched on or off as needed, no coding required. The policies also have the ability to be updated in real-time with instant security policy modifications. When a new or emerging threat has been identified, policies can be modified and deployed without initiating a rebuild of your application. Thus, your application’s security remains steadfast while minimizing the risk and impact of sophisticated threats.

    Continuous updates against emerging threats

    App attestation determines a verdict based on your defined policies, which are triggered by the data collected from the user’s app and device. Guardsquare continually researches and updates the underlying detections independently of your app updates or policy changes, keeping your application up to date and protected against the latest emerging threats. Thus, you can close the gap between you and the iteration speed of attackers, which is becoming increasingly important.

    Unrivaled breadth of attestation policies & insight depth

    Guardsquare provides comprehensive attestation policies that range from threats to the integrity of your app to ones impacting device integrity. App attestation results within Guardsquare include historical views and granular insights to identify exactly why a given API request failed attestation. The visibility of real-time threats informs how you can adjust current and future policies to continually increase the posture of your mobile app's security.

    These insights provide a level of analysis and threat coverage not available within the Play Integrity API. By leveraging these insights, a developer has the context needed to minimize false positives and confidently assess if a user is operating a genuine app version on a secure device.

    Don’t settle for one-size-fits-all attestation

    As API abuse and mobile threats grow more sophisticated, relying solely on Play Integrity can leave critical gaps in your mobile app security. While the Play Integrity API provides a valuable starting point, it lacks the flexibility, insights, and multi-platform support needed to secure modern mobile applications at scale.

    App attestation from Guardsquare provides the fine-grained security controls and deep insights needed to tailor your app’s protection against sophisticated attacks. To learn more about how app attestation can protect your APIs against attacks and abuse, contact Guardsquare today.
