This overview outlines the history and use of Google Play Integrity API and highlights some limitations.
We also compare and contrast Google Play Integrity API with the comprehensive mobile security offered by Approov.
Google provides app attestation and client integrity checks via Play Integrity API. Approov provides an end-to-end mobile app security solution which includes app and device integrity checking.
The History of Google Play Integrity API
SafetyNet Attestation API was launched in 2017 as part of Google Play services, in order to provide an API for developers to remotely evaluate whether they were talking to a genuine Android device.
In 2021 Google announced Play Integrity API, consolidating multiple integrity offerings under a single API. At the same time it announced the deprecation of SafetyNet Attestation API. Google expects developers to fully replace SafetyNet Attestation API with Play Integrity API by the end of January 2024 unless an extension is requested and accepted.
You can call Play Integrity API to check that you're really interfacing with your genuine app binary, installed by Google Play, running on a genuine Android device.
The Integrity API unifies Google Play anti-abuse features with a collection of integrity signals to help Android app and game developers detect potentially risky and fraudulent traffic.
You can use the Play Integrity API to protect your apps and games from risky interactions.
When a user performs an app or game-defined action, your server instructs the client-side code to invoke the Integrity API. The Google Play server returns an encrypted response with an integrity verdict about whether or not you can trust this device and its binary.
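The server side of that exchange is where the verdict has to be checked before the action is allowed. The following is an added example, not code from the original article, from Google or from Approov: a Python check over an already decrypted and decoded verdict. Field and enum names follow Google's documented decoded-token format; the sample payload, package name, nonce and five-minute freshness window are constructed assumptions.

```python
import json
import time

# Verdict labels as documented for the decoded Play Integrity token.
APP_OK = {"PLAY_RECOGNIZED"}
DEVICE_OK = {"MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"}
MAX_AGE_MS = 5 * 60 * 1000  # assumed server policy: reject verdicts older than 5 min


def check_verdict(verdict, expected_nonce, expected_package, now_ms=None):
    """Return (ok, reason) for a decoded verdict payload (a dict)."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    req = verdict.get("requestDetails", {})
    # 1. The nonce binds the verdict to the action the server asked for;
    #    a token replayed from an earlier request fails here.
    if req.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    # 2. The token must have been requested by our package, not another app.
    if req.get("requestPackageName") != expected_package:
        return False, "package mismatch"
    # 3. Freshness: a genuine token captured earlier must not stay valid forever.
    issued_ms = int(req.get("timestampMillis", 0))
    if now_ms - issued_ms > MAX_AGE_MS:
        return False, "stale verdict"
    # 4. App integrity: the binary must be the one Google Play recognizes.
    app = verdict.get("appIntegrity", {}).get("appRecognitionVerdict")
    if app not in APP_OK:
        return False, "app not recognized"
    # 5. Device integrity: the label list must contain a level we accept.
    labels = set(verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    if not labels & DEVICE_OK:
        return False, "device integrity insufficient"
    return True, "ok"


# Constructed sample of a decoded verdict; not a real capture.
SAMPLE = json.loads("""{
  "requestDetails": {"requestPackageName": "com.example.app",
                     "nonce": "abc123", "timestampMillis": "1700000000000"},
  "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                   "packageName": "com.example.app", "versionCode": "42"},
  "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY",
                                                   "MEETS_BASIC_INTEGRITY"]},
  "accountDetails": {"appLicensingVerdict": "LICENSED"}
}""")

if __name__ == "__main__":
    print(check_verdict(SAMPLE, "abc123", "com.example.app", now_ms=1700000001000))
```

Each gate is deliberately separate so that a rejection can be logged with its reason, which is what you want when tuning which device labels your risk model accepts.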
As we show in a later section, there are limitations in the way that Google Play Integrity API provides app attestation, and, as Google itself points out, this technique is only effective as part of a broader security effort.
If we use, for example, the OWASP MASVS framework to assess end-to-end mobile app security, Google Play Integrity API only partially addresses the guidelines in the category MASVS-RESILIENCE, which is just one of the seven categories in the guidelines.
MASVS-RESILIENCE aims to ensure that the app is running on a trusted platform, prevent tampering at runtime and ensure the integrity of the app's intended functionality.
Now that we understand the scope, let's look specifically at the app attestation and device integrity checks provided by Google and compare them with Approov.
Implementation is complicated and subject to errors
The implementation of Play Integrity requires app developers to defend API calls at a function level, meaning nothing is protected out of the box.
Each API request that should be secured needs to be secured explicitly, which is achieved by using specific Play Integrity framework methods.
Rate limits & DDoS vulnerabilities
Google currently offers a quota of 10,000 API integrity checks per day; if this quota is exceeded, the service will no longer work for your app.
Google Play Integrity API provides a way to perform app and device attestation checks at runtime for Android apps deployed using Google services.
It has some limitations and only works with Android apps that use Google services.
Approov Mobile App Protection ensures that all mobile API traffic does indeed come from a genuine and untampered mobile app, running in a safe environment.
This Cyber News was published on securityboulevard.com. Publication date: Wed, 20 Dec 2023 18:43:05 +0000