New in November 2023: Play Integrity API now offers a Play Protect verdict which you can turn on in your Google Play Console. Standard API requests, which are low latency and can be made on demand, are now out of beta. The latest library also offers an optional Play remediation dialog that you can trigger when the user is unlicensed for your app.

The Play Integrity API helps you check that interactions and server requests are coming from your genuine app binary running on a genuine Android device. By detecting potentially risky and fraudulent interactions, such as from tampered app versions and untrustworthy environments, your app’s backend server can respond with appropriate actions to prevent attacks and reduce abuse.

When your app or game is used on an Android device with the Google Play Store and powered by Google Play services, the Play Integrity API provides a response that helps you determine whether you're interacting with the following:

- Genuine app binary: Determine whether you're interacting with your unmodified binary that Google Play recognizes.
- Genuine Play install: Determine whether the current user account is licensed, which means that the user installed or paid for your app or game
- Genuine Android device: Determine whether your app is running on a genuine Android device powered by Google Play services (or a genuine
- Free of known malware: Determine whether Google Play Protect is turned on and whether it has found risky or dangerous apps installed on the device.

When a user performs an action in your app, you can call the Play Integrity API to check that the action happened in your genuine app binary, installed by Google Play, running on a genuine Android device. You can also opt-in to signals about the environment, such as whether Google Play Protect is turned on and has found known malware installed on the device.

verdicts, then your app's backend server can decide what to do to defend against problems like abuse and fraud, misuse and cheating, unauthorized access, and

Play Integrity API provides the most value for your app when you follow these recommended practices:

Have an anti-abuse strategy

The Play Integrity API works best when used alongside other signals as part of your overall anti-abuse strategy and not as your sole anti-abuse mechanism.

This API in conjunction with other appropriate security best

By default, your app can make up to 10,000 total requests per day across all installs.

Decide how you'll request integrity verdicts

Play Integrity API offers two options for requesting and receiving integrity

Whether you make standard requests, classic requests, or a combination of both types of request, the integrity verdict response will be returned in the

Standard API requests are suitable for any app or game and can be made on demand to check that any user action or server request is genuine. Requests have the lowest latency (a few hundred milliseconds on average) and a high reliability of obtaining a usable verdict.

smart on-device caching while delegating protection against certain types of

Classic API requests, the original way to request integrity verdicts, also continue to be available. Classic requests have higher latency (a few seconds on average) and you are responsible for mitigating the risk of certain types of attacks. Classic requests use more of the user's data and battery than standard requests because they initiate a fresh assessment and so they should be made infrequently as a one-off to check whether a highly sensitive or valuable action

If you are considering making a classic request and caching it to use later, then you should make a standard request instead to reduce the risk of

The following table highlights some key differences between the two types of

Frequent (on-demand check for any action or request)

Infrequent (one-off check for highest value actions or most sensitive requests)

You can see a table with more differences in the classic request considerations.

Mitigate against replay and similar attacks

Standard API requests have a field called requestHash that is used to protect against tampering and similar attacks. In this field, you should include a digest of all relevant values from your app's request. Follow the guidance on

Classic API requests have a field called nonce (short for number once), that is used to protect against certain types of attacks, such as replay and

Caution: Data that you use for the requestHash and nonce fields is visible

You should encrypt or hash the data before passing it to the Play Integrity API.

Avoid caching integrity verdicts

Caching integrity verdicts increases the risk of proxying, which is an attack