Debug School

rakesh kumar


Protecting Your Mobile APIs with Google Play Integrity and Laravel Middleware

What is Google Play Integrity
What is X-PLAY-INTEGRITY
How to Integrate Google Play Integrity
Implementation steps for integrating Google Play Integrity

What is Google Play Integrity

Google Play Integrity is a security service for Android apps and games that helps developers detect and prevent risky, fraudulent, or abusive behavior coming from unauthorized versions of their apps, untrustworthy devices, or tampered app environments.

What does the Play Integrity API do?
Detects if the request comes from the official, unmodified app binary

Checks if the app is installed through Google Play (genuine install/license)

Verifies the app is running on a real, Play Protect-certified Android device

When your app performs a sensitive action (like logging in or making a payment), it requests an integrity verdict from Google servers. This verdict is cryptographically signed, returned to your backend, and lets you know whether you can trust this action or session. If not, you can block access or limit functionality.

What threats does it help block?
Cloned, modified, or tampered versions of your app (piracy/cracks/mods)

Bots, automation, or tools trying to cheat or attack your systems

Usage from emulators, rooted, or untrustworthy devices

Fraudulent installs or illegitimate purchases

Attacks on sensitive or financial transactions

Why is it important?
Reduces fraud and abuse: Apps that use Play Integrity have seen up to 80% less unauthorized usage than those without it.

Protects user data and business revenue: By allowing access only from genuine environments, you shield both your backend and your users.

Meets security requirements: Financial apps, games, and any business handling personal or payment data increasingly require such measures.

How does Play Integrity verdict work?
Returns results like PLAY_RECOGNIZED (official app & device), or flags like UNEVALUATED, making it hard for attackers to bypass using custom ROMs or emulators.

Can be tailored to require even higher assurance levels—like recent security updates (strong integrity)—especially for high-security apps.

In essence, Google Play Integrity is the backbone of modern mobile app anti-abuse and anti-tamper strategy, ensuring only authentic, trusted users get full app functionality, and helping developers spot, block, or adapt to threats.

What is X-PLAY-INTEGRITY?

X-PLAY-INTEGRITY is a custom HTTP header commonly used in mobile app backend communication. It carries the Play Integrity token, a cryptographically signed string generated by the Google Play Integrity API. This token serves as proof that a request originated from an authentic app binary, installed via Google Play, running on a Play Protect-certified Android device.

Why Use X-PLAY-INTEGRITY?
API Security: Helps prevent fake, modified, or unauthorized apps from accessing your backend APIs.

Fraud & Abuse Prevention: Blocks requests from tampered apps, emulators, or rooted devices.

Trust Establishment: Allows your backend to verify the integrity of the app/device making API calls.

How to Integrate Google Play Integrity

Setup on Google Play Console and Cloud
Enable the Play Integrity API for your app in the Google Play Console.

Link your app to a Google Cloud project where the API usage will be tracked.

Download your service account credentials (play-integrity.json) for server-side verification.

Android App Integration

Add the Play Integrity API dependency to your Android project.

In the app, request an integrity token whenever the user performs a sensitive action (e.g., login, payment, data access).

Generate a secure random nonce.

Call the Play Integrity API to receive a token. The call is asynchronous and returns a Task; the token string is read from the response in the success listener:

integrityManager.requestIntegrityToken(IntegrityTokenRequest.builder().setNonce(nonce).build())
    .addOnSuccessListener { response -> val token = response.token() } // send this string in the X-PLAY-INTEGRITY header

Send the Token via X-PLAY-INTEGRITY Header
Each sensitive API request to your backend should add the Play Integrity token as the X-PLAY-INTEGRITY header.

Example:

POST /api/your-endpoint HTTP/1.1
Host: your-backend.com
Authorization: Bearer {jwt-or-api-token}
X-PLAY-INTEGRITY: {integrity_token_here}

Backend Verification
On the server, extract the X-PLAY-INTEGRITY header.

Use your backend's Google service account credentials to call Google's verification API (decodeIntegrityToken) and obtain the decoded verdict.

Validate:

The token is authentic and untampered.

The app recognition verdict is PLAY_RECOGNIZED.

The app and device match your expected values.

Implementation steps for integrating Google Play Integrity

Setup on Google Play Console and Cloud
Before setup, the App integrity page in the Google Play Console shows "Integrity not started".

By enabling Play Integrity API responses in the Google Play Console, you will gain access to additional configuration options, testing features, and API reporting. This option is only available to apps distributed on Google Play. Navigate to Release > App integrity. Under Play Integrity API select Link a Cloud project. Choose the Cloud project you want to link to your app and this will enable Play Integrity API responses. You can now integrate the Play Integrity API into your app.

Step 1: click Link Cloud project.

Step 2: click Link project.

After linking, the App integrity page shows "Integration started". Your app is now linked to a Google Cloud project where the API usage will be tracked.

https://www.youtube.com/watch?v=aewc3rYocWY

Step-by-Step: How to Get $apiKey (Play Integrity Server API Key)
Create a Service Account in Google Cloud Platform
Go to Google Cloud Console

Select or create the project that matches your Android app in Google Play Console.

In the left menu, go to IAM & admin > Service accounts.

Click Create Service Account.

Provide a name, then Create and continue.

Grant the service account the role "Play Integrity API User".

Download the Service Account JSON Key
After creating the account, click on it in the list.

Go to the Keys tab.

Choose Add Key > Create new key > JSON.

Download the JSON key file (keep this file secure!).

Place this file somewhere secure on your server, such as storage/app/play-integrity-service-account.json or follow Google’s recommended paths ([reference]).

Grant API Access to Play Integrity API
In your Google Cloud project, enable the Play Integrity API (search for it in the APIs & Services Library).

Make sure your app in the Play Console is linked to this cloud project ([reference]).

Set Environment Variable or Laravel Config
You do not copy a single API key string into your .env; instead, you reference the downloaded JSON key file, which the Google client library uses to authenticate the server-side verification call.

In your .env:

GOOGLE_APPLICATION_CREDENTIALS=/path/to/your/play-integrity-service-account.json
PLAY_INTEGRITY_PACKAGE_NAME=com.yourcompany.yourapp

In config/services.php (example):

'play_integrity' => [
    'json_credentials' => env('GOOGLE_APPLICATION_CREDENTIALS'),
    'package_name' => env('PLAY_INTEGRITY_PACKAGE_NAME'),
],
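As an added example (not code from the original post), here is the Laravel middleware the title refers to. It reads the X-PLAY-INTEGRITY header, calls Google's decodeIntegrityToken through the google/apiclient Composer package using the config/services.php keys above, and applies the checks listed under Backend Verification (authentic token, PLAY_RECOGNIZED, expected package). Assumed rather than taken from the post: the google/apiclient classes and the PLAYINTEGRITY scope constant, the cache-key scheme for server-issued single-use nonces (the endpoint that issues them is not shown), the five-minute freshness window, and the MEETS_DEVICE_INTEGRITY device requirement.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Google\Client as GoogleClient;
use Google\Service\PlayIntegrity;
use Google\Service\PlayIntegrity\DecodeIntegrityTokenRequest;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Cache;
use Symfony\Component\HttpFoundation\Response;

/**
 * Added example middleware (not the post's own code). Assumes:
 *  - the google/apiclient package (Google\Client, Google\Service\PlayIntegrity);
 *  - config/services.php carries the 'play_integrity' array from the post;
 *  - the nonce the app put in its integrity request was issued by this server
 *    and stored in the cache under "play-integrity:nonce:<nonce>" (assumed scheme).
 */
class VerifyPlayIntegrity
{
    /** Verdicts older than this many milliseconds are treated as replays (assumed window). */
    public const MAX_AGE_MS = 5 * 60 * 1000;

    public function handle(Request $request, Closure $next): Response
    {
        $token = $request->header('X-PLAY-INTEGRITY');
        if (!is_string($token) || $token === '') {
            return response()->json(['error' => 'missing integrity token'], 401);
        }

        $expectedPackage = (string) config('services.play_integrity.package_name');

        try {
            $verdict = $this->decode($token, $expectedPackage);
        } catch (\Throwable $e) {
            // Google could not decrypt or validate the token: it is not authentic.
            report($e);
            return response()->json(['error' => 'integrity token rejected'], 401);
        }

        $reason = self::checkVerdict($verdict, $expectedPackage, (int) round(microtime(true) * 1000));
        if ($reason !== null) {
            return response()->json(['error' => 'integrity check failed: ' . $reason], 403);
        }

        return $next($request);
    }

    /** Calls decodeIntegrityToken with the service-account JSON and flattens the fields we check. */
    private function decode(string $token, string $packageName): array
    {
        $client = new GoogleClient();
        $client->setAuthConfig(config('services.play_integrity.json_credentials'));
        $client->addScope(PlayIntegrity::PLAYINTEGRITY);

        $body = new DecodeIntegrityTokenRequest();
        $body->setIntegrityToken($token);

        $payload = (new PlayIntegrity($client))->v1
            ->decodeIntegrityToken($packageName, $body)
            ->getTokenPayloadExternal();

        return [
            'request_package' => $payload->getRequestDetails()->getRequestPackageName(),
            'nonce'           => (string) $payload->getRequestDetails()->getNonce(),
            'timestamp_ms'    => (int) $payload->getRequestDetails()->getTimestampMillis(),
            'app_verdict'     => $payload->getAppIntegrity()->getAppRecognitionVerdict(),
            'app_package'     => $payload->getAppIntegrity()->getPackageName(),
            'device_verdicts' => (array) $payload->getDeviceIntegrity()->getDeviceRecognitionVerdict(),
        ];
    }

    /** Returns null when the request may proceed, otherwise a short rejection reason. */
    public static function checkVerdict(array $v, string $expectedPackage, int $nowMs): ?string
    {
        // 1. Single-use nonce issued by this server; Cache::pull consumes it so a
        //    captured token cannot be replayed even if every other check passes.
        if ($v['nonce'] === '' || Cache::pull('play-integrity:nonce:' . $v['nonce']) === null) {
            return 'unknown or reused nonce';
        }
        // 2. Token was minted for our app, not lifted from another package.
        if ($v['request_package'] !== $expectedPackage || $v['app_package'] !== $expectedPackage) {
            return 'package mismatch';
        }
        // 3. Freshness: reject stale verdicts and timestamps far ahead of our clock.
        if ($v['timestamp_ms'] > $nowMs + 60000 || $nowMs - $v['timestamp_ms'] > self::MAX_AGE_MS) {
            return 'stale token';
        }
        // 4. Genuine, unmodified binary installed from Google Play.
        if ($v['app_verdict'] !== 'PLAY_RECOGNIZED') {
            return 'app not recognized';
        }
        // 5. Device passes at least basic integrity (tighten to MEETS_STRONG_INTEGRITY for high-risk flows).
        if (!in_array('MEETS_DEVICE_INTEGRITY', $v['device_verdicts'], true)) {
            return 'device integrity not met';
        }
        return null;
    }
}
```

Register the class as a route middleware alias and attach it only to the sensitive routes (login, payment, data access); a 401 means the token was missing or could not be verified by Google, a 403 means Google verified it but the verdict did not meet policy, which is worth logging separately since the second case is the one that indicates a tampered app or device.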

Error

8): Failed to get Play Integrity token: PlatformException(INTEGRITY_ERROR, -1: Integrity API error (-1): Integrity API is not available.
I/flutter ( 4308): Integrity API is not enabled, or the Play Store version might be old.
I/flutter ( 4308): Recommended actions:
I/flutter ( 4308): 1) Make sure that Integrity API is enabled in Google Play Console.
I/flutter ( 4308): 2) Ask the user to update Play Store.
I/flutter ( 4308):  (https://developer.android.com/google/play/integrity/reference/com/google/android/play/core/integrity/model/IntegrityErrorCode.html#API_NOT_AVAILABLE)., null, null)


Solution:

Complete the Play Integrity setup described above: enable the Play Integrity API and link the Cloud project for the app in the Google Play Console, as the error message itself recommends.
