Google Play Integrity
| Plan | Platforms | MASVS |
|---|---|---|
| Enterprise | Android | MASVS-RESILIENCE-1, MASVS-RESILIENCE-2 |
Summary
Google Play Integrity helps verify that an Android app instance is running as an authentic app on a device that meets the integrity threshold you configure. AppTego validates the Play Integrity result and applies your response policy when the app or device does not meet the required posture.
Use this control for Android apps distributed through Google Play where app authenticity, device integrity, and anti-abuse posture matter.
What It Protects Against
- Modified or repackaged APK/AAB builds.
- Unofficial app distribution outside your expected Google Play release path.
- Devices that do not meet your configured integrity threshold.
- Emulator, automation, or abuse environments where Play Integrity cannot establish sufficient trust.
How It Works
The protected app requests an integrity verdict from Google Play services. AppTego validates the returned result against your configured package name, Play Console keys, device-integrity threshold, and app-recognition policy. When validation fails, the configured response is applied.
AppTego handles the validation flow. Your team controls the Play Console configuration, thresholds, app identity, rollout environment, and response behavior.
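The policy comparison described above, as an added example that is not AppTego's own code: it assumes the verdict payload has already been decrypted and signature-verified, and checks it against package name, device threshold, and app recognition. The field names follow Google's Play Integrity verdict format; `POLICY`, `evaluate_verdict`, `make_payload`, and the sample payloads are hypothetical and constructed for illustration.

```python
# Added example: policy check over an already decrypted and verified verdict payload.
# Payload field names follow Google's Play Integrity verdict format; POLICY is hypothetical.

# Device labels ordered weakest to strongest so a threshold can be compared.
DEVICE_LEVELS = ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"]

POLICY = {  # constructed values
    "package_name": "com.example.app",
    "min_device_verdict": "MEETS_DEVICE_INTEGRITY",
    "require_play_recognized": True,
}


def evaluate_verdict(payload, policy):
    """Return failure reasons; an empty list means the verdict meets the policy."""
    failures = []
    app = payload.get("appIntegrity", {})
    request_pkg = payload.get("requestDetails", {}).get("requestPackageName")
    # appIntegrity.packageName is absent when the app was not evaluated.
    if request_pkg != policy["package_name"] or app.get("packageName", request_pkg) != policy["package_name"]:
        failures.append("package_mismatch")

    labels = payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    # Labels outside the ladder (e.g. MEETS_VIRTUAL_INTEGRITY) never satisfy the threshold.
    best = max((DEVICE_LEVELS.index(l) for l in labels if l in DEVICE_LEVELS), default=-1)
    if best < DEVICE_LEVELS.index(policy["min_device_verdict"]):
        failures.append("device_below_threshold")

    if policy["require_play_recognized"] and app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        failures.append("app_not_recognized")
    return failures


def make_payload(pkg, recognition, device_labels):
    """Build a constructed sample payload (not real API output)."""
    return {
        "requestDetails": {"requestPackageName": pkg},
        "appIntegrity": {"appRecognitionVerdict": recognition, "packageName": pkg},
        "deviceIntegrity": {"deviceRecognitionVerdict": device_labels},
    }


GENUINE = make_payload("com.example.app", "PLAY_RECOGNIZED",
                       ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"])
REPACKAGED = make_payload("com.example.app", "UNRECOGNIZED_VERSION", ["MEETS_BASIC_INTEGRITY"])
EMULATOR = make_payload("com.example.app", "PLAY_RECOGNIZED", ["MEETS_VIRTUAL_INTEGRITY"])
NO_VERDICT = make_payload("com.example.app", "UNEVALUATED", [])

if __name__ == "__main__":
    for name, p in [("genuine", GENUINE), ("repackaged", REPACKAGED),
                    ("emulator", EMULATOR), ("no_verdict", NO_VERDICT)]:
        print(name, evaluate_verdict(p, POLICY) or "pass")
```

Returning every failure reason, rather than stopping at the first, lets a Log-only rollout stage show which check is driving the failure rate before a blocking response is enforced.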
How to Enable the Control
In the AppTego portal, navigate to Detection & Response and expand the App Integrity And Attestation section, where you will find the Google Play Integrity control. Click Enable Configuration, choose the response action, and save the configuration. It takes effect in the next build, or through a live push if that is enabled.
API Configuration Example
```json
{
  "PlayIntegrityCheck": {
    "detection": true,
    "action": "alert",
    "title": "Google Play Integrity",
    "message": "This device could not pass the configured Play Integrity check. Please follow your organization's security guidance before continuing.",
    "buttons": ["OK"],
    "actions": ["close"],
    "redirects": [""]
  }
}
```
| Field | Purpose |
|---|---|
| detection | Enables the Google Play Integrity response check. |
| action | Selects the response style, such as alert, close, log, or warn. |
| title / message | User-facing text shown when a response is displayed. |
| buttons / actions / redirects | Defines the available response buttons and their outcomes. |
Setup
- Confirm the app is configured for Play Integrity in Google Play Console.
- Collect the required Play Integrity response encryption and verification material from Play Console.
- Open the AppTego Portal.
- Go to App Integrity.
- Create or edit the Android Play Integrity configuration.
- Enter the package name, Google Cloud project number, and Play Console keys.
- Select the minimum device verdict and whether Google Play recognition is required.
- Build a protected Android app and test on physical devices with Google Play services.
Rollout Guidance
| Stage | Recommendation |
|---|---|
| Development | Use Log or a non-blocking Message response while confirming configuration. |
| Staging | Test the device population you expect in production, including managed devices and older supported Android versions. |
| Production | Enforce strict responses only after checking failure rates and support impact. |
| Market planning | Validate whether your users rely on devices or app stores without Google Play services before requiring Play recognition. |
User And App Impact
Play Integrity depends on Google Play services and Play Console configuration. Devices without Google Play services, unofficial app-store installs, rooted devices, modified devices, and app builds outside the expected Play distribution model may fail validation.
Choose response actions carefully for markets or enterprise deployments where Google Play services may not be available.