
Google Play Integrity API

Google Play Integrity API is a security measure used to verify device integrity, app integrity, account details and environmental details.

The Aera Secure ID SDK checks integrity during authentication and signing. Setting up the Google Play Integrity API requires changes in three places: the App code, the merchant's Google Play Console and the merchant's Google Cloud Console.


Integrity API Code setup

Implement the Wallets SDK ConsumerDeviceVerification interface.

Example

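// PlayDeviceVerification.kt
import android.content.Context
import android.util.Base64
import com.aerahost.aerawalletssdk.external.integrity.ConsumerDeviceVerification
import com.aerahost.aerawalletssdk.external.integrity.IntegrityFunc
import com.google.android.gms.common.ConnectionResult
import com.google.android.gms.common.GoogleApiAvailabilityLight
import com.google.android.gms.tasks.Tasks
import com.google.android.play.core.integrity.IntegrityManagerFactory
import com.google.android.play.core.integrity.IntegrityTokenRequest
import java.util.concurrent.TimeUnit

class PlayDeviceVerification : ConsumerDeviceVerification {
  // True when Google Play services is available on the device.
  override fun checkForPlay(context: Context): Boolean {
    return GoogleApiAvailabilityLight.getInstance()
      .isGooglePlayServicesAvailable(context) == ConnectionResult.SUCCESS
  }

  override fun sendPlayIntegrityRequest(
    context: Context,
    nonce: ByteArray,
    onSuccess: IntegrityFunc<String>,
    onError: IntegrityFunc<Exception>
  ) {
    val integrityManager = IntegrityManagerFactory.create(context)
    // The nonce is sent as URL-safe Base64 without line wrapping.
    val integrityTokenRequest = IntegrityTokenRequest.builder()
      .setNonce(Base64.encodeToString(nonce, Base64.URL_SAFE or Base64.NO_WRAP))
      .build()

    val task = integrityManager.requestIntegrityToken(integrityTokenRequest)

    try {
      // Tasks.await blocks the calling thread and must not run on the main thread.
      val integrityTokenResponse = Tasks.await(task, 15, TimeUnit.SECONDS)
      onSuccess(integrityTokenResponse.token())
    } catch (e: Exception) {
      onError(e)
    }
  }
}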

Google Play Console setup

The merchant needs to follow the Integrity API procedure below to set up the checks for their App in the Google Play Console.

Responses from the Google backend are encrypted with a cloud-based, app-specific encryption key. This key must be shared with Aera securely so that Aera can decrypt and verify the responses from Google.

Perform this procedure to share your App's Google Play Integrity response protection key with Aera, and to prepare the App.

Preferably there is an App and a corresponding Cloud project for STAGING and for PRODUCTION. In this case, perform this procedure in both environments to ensure correct behavior.

NOTE: The App needs to be distributed from Google Play for Play Integrity to function correctly. One solution is to test a production setup on a version deployed as an "internal version".

Prerequisites

| What | Description |
| --- | --- |
| Access to Secure ID- and Wallets SDK releases in SharePoint | See First time SDK installation |
| Access to Google Play Console for given consumer App | See Google Play Console |
| Access to Google Cloud Console for given consumer App | See Google Cloud Console |
| Received public key file from Aera. Filename Staging: staging.public.play.aera.pem | Available in SharePoint |
| Received SHA-256 value of public key file from Aera | Get in touch with Aera if this key is not received |
| Calculate SHA-256 value of public key file and compare with the received value from Aera. | INFORM AERA IF THESE DO NOT MATCH. Example command: $ shasum -a 256 public.play.aera.pem |


Step-by-step Integrity API procedure

  1. Set up the usage of Play Integrity API
    1. Log into Google Cloud Console
    2. Select or create new project
    3. Select "+ Enable APIs and Services"
    4. Search for Play Integrity
    5. Select "Enable"
      1. Increase quotas if needed
    6. Select "Create"
      1. May not be an option, if so, skip this
  2. Connect App to Cloud project and export response encryption key
    1. Log in to Google Play Console
    2. Select App
    3. Choose App Integrity from left side menu
    4. Select "Link Existing Project"
    5. Click "Link cloud project"
    6. Click "Change" button under "Response encryption" → Managed by Google
    7. Change how your responses are encrypted and decrypted
      1. Select "Manage and download my response encryption keys"
      2. Upload the file from Aera: "staging.public.key.aera.pem"
    8. Send the resulting file to Aera and indicate which app the file belongs to
      1. Mail to: [email protected]
      2. Staging Subject: PlayIntegritySetupResponseSTAGING
  3. Make changes to integrity responses
    1. In Google Play Console, select "App integrity" in left-side menu
    2. Choose "Settings"
    3. Under "Response" select "Change"
      1. Select Meets Basic Integrity ON
      2. Select Meets Strong Integrity ON
      3. Select Recent Device Activity ON
      4. Select Play Protect verdict ON
      5. Select App access risk ON
      6. Save changes

Integrity responses JSON example

{
  "requestDetails": {
    // ...
  },
  "appIntegrity": {
    "appRecognitionVerdict": "PLAY_RECOGNIZED",
    // ...
  },
  "deviceIntegrity": {
    "deviceRecognitionVerdict": [
      "MEETS_DEVICE_INTEGRITY",
      "MEETS_BASIC_INTEGRITY",
      "MEETS_STRONG_INTEGRITY"
    ],
    "recentDeviceActivity": {
      "deviceActivityLevel": "LEVEL_3"
    }
  },
  "accountDetails": {
    "appLicensingVerdict": "LICENSED"
  },
  "environmentDetails": {
    "playProtectVerdict": "NO_ISSUES",
    "appAccessRiskVerdict": {
      "appsDetected": [
        "KNOWN_INSTALLED",
        "UNKNOWN_INSTALLED",
        "UNKNOWN_CAPTURING"
      ]
    }
  }
}
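
How a backend could turn a decrypted verdict like the one above into an accept or reject decision, as an added example that is not Aera's or Google's code. The policy constants, the package name and the requestDetails values are assumptions; the field names nonce, requestPackageName and timestampMillis come from Google's documented verdict format, not from this page.

```python
import base64
import hmac

# Assumed policy values for illustration; not Aera's actual acceptance rules.
REQUIRED_DEVICE_LABELS = {"MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"}
BLOCKED_PLAY_PROTECT = {"MEDIUM_RISK", "HIGH_RISK"}
BLOCKED_APP_ACCESS = {"UNKNOWN_CAPTURING", "UNKNOWN_CONTROLLING"}
MAX_AGE_MS = 5 * 60 * 1000

def encode_nonce(raw: bytes) -> str:
    # Matches Base64.URL_SAFE or Base64.NO_WRAP on the client: padding kept, no newlines.
    return base64.urlsafe_b64encode(raw).decode("ascii")

def evaluate_verdict(verdict, expected_nonce, package, now_ms):
    """Return failure reasons for a decrypted verdict; an empty list means it passes."""
    failures = []
    req = verdict.get("requestDetails", {})
    got = str(req.get("nonce", "")).encode()
    # Constant-time comparison against the nonce the server issued for this request.
    if not hmac.compare_digest(got, encode_nonce(expected_nonce).encode()):
        failures.append("nonce mismatch")
    if req.get("requestPackageName") != package:
        failures.append("package mismatch")
    age = now_ms - int(req.get("timestampMillis", 0))
    if not 0 <= age <= MAX_AGE_MS:
        failures.append("stale or future-dated verdict")
    if verdict.get("appIntegrity", {}).get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        failures.append("app not recognized by Play")
    labels = set(verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    failures += [f"missing {name}" for name in sorted(REQUIRED_DEVICE_LABELS - labels)]
    env = verdict.get("environmentDetails", {})
    if env.get("playProtectVerdict") in BLOCKED_PLAY_PROTECT:
        failures.append("Play Protect risk")
    detected = set(env.get("appAccessRiskVerdict", {}).get("appsDetected", []))
    failures += [f"app access risk: {flag}" for flag in sorted(detected & BLOCKED_APP_ACCESS)]
    return failures

# Constructed sample: the page's verdict values plus assumed requestDetails.
NONCE = bytes(range(16))
NOW_MS = 1_700_000_060_000
SAMPLE = {
    "requestDetails": {"requestPackageName": "com.example.merchant",
                       "nonce": encode_nonce(NONCE), "timestampMillis": "1700000000000"},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
    "deviceIntegrity": {"deviceRecognitionVerdict": [
        "MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY", "MEETS_STRONG_INTEGRITY"]},
    "environmentDetails": {"playProtectVerdict": "NO_ISSUES", "appAccessRiskVerdict": {
        "appsDetected": ["KNOWN_INSTALLED", "UNKNOWN_INSTALLED", "UNKNOWN_CAPTURING"]}},
}
```

Under this assumed policy the page's sample verdict fails on one point only: `UNKNOWN_CAPTURING` in `appsDetected`.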