Play Integrity API: App access risk early access program (EAP)

App access risk tells your app if there are other apps running that could be used to capture the screen, display overlays, or control the device. To use app access risk in your app, turn on app access risk in the Integrity API responses section in the Google Play Console and follow the documentation App access risk verdict (beta) on how to read the returned verdict.

The information on this page is only relevant for apps that started to request the app access risk verdict during the first few months of the EAP. These apps will temporarily continue to receive some deprecated fields in the app access risk verdict in addition to the appsDetected field. If your app belongs to this group, see the following section for information on how to migrate to the new verdict format.

Migrate from old app access risk verdict format

Apps that joined the app access risk EAP before the end of April 2024 will temporarily receive three fields in the app access risk verdict: appsDetected, as described in App access risk verdict (beta), and the two deprecated fields playOrSystemApps and otherApps.

appAccessRiskVerdict: {
    // This field can be INSTALLED, CAPTURING, CONTROLLING or UNEVALUATED.
    playOrSystemApps: "INSTALLED"
    // This field can be NOT_INSTALLED, INSTALLED, CAPTURING, CONTROLLING or UNEVALUATED.
    otherApps: "CAPTURING"
    // This field contains one or more of the eight possible responses.
    appsDetected: ["KNOWN_INSTALLED", "UNKNOWN_INSTALLED", "UNKNOWN_CAPTURING"]
}

When app access risk is unevaluated, these apps will receive the verdict:

appAccessRiskVerdict: {
    playOrSystemApps: "UNEVALUATED"
    otherApps: "UNEVALUATED"
}

To help you migrate from using the fields playOrSystemApps and otherApps to the new field appsDetected, the following table outlines the relation between these fields.

| Old field name | Old field value | Corresponding appsDetected responses |
|---|---|---|
| playOrSystemApps | INSTALLED | KNOWN_INSTALLED |
| playOrSystemApps | CAPTURING | KNOWN_INSTALLED, KNOWN_CAPTURING |
| playOrSystemApps | CONTROLLING | KNOWN_INSTALLED, KNOWN_CONTROLLING. The response KNOWN_CAPTURING may be returned as well if capturing Play or system apps are running in addition to controlling Play or system apps. |
| playOrSystemApps | UNEVALUATED | appsDetected is not contained in the verdict. |
| otherApps | NOT_INSTALLED | None of the UNKNOWN_ responses are returned. |
| otherApps | INSTALLED | UNKNOWN_INSTALLED |
| otherApps | CAPTURING | UNKNOWN_INSTALLED, UNKNOWN_CAPTURING |
| otherApps | CONTROLLING | UNKNOWN_INSTALLED, UNKNOWN_CONTROLLING. The response UNKNOWN_CAPTURING may be returned as well if capturing other apps are running in addition to controlling other apps. |
| otherApps | UNEVALUATED | appsDetected is not contained in the verdict. |

Note that running apps that may display overlays were previously not detected by the app access risk signal. Overlays are therefore only flagged in the new appsDetected responses and not in the playOrSystemApps and otherApps fields.
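The migration table as a server-side consistency check, an added example that is not part of the original page: it assumes the decoded verdict is available as a Python dict, and the names LEGACY_TO_APPS_DETECTED, expected_apps_detected and migration_gaps are hypothetical. It tests for a subset rather than equality because appsDetected can carry responses the deprecated fields never reported, such as overlays or an additional capturing response.

```python
# Mapping copied from the migration table on this page.
LEGACY_TO_APPS_DETECTED = {
    "playOrSystemApps": {
        "INSTALLED": {"KNOWN_INSTALLED"},
        "CAPTURING": {"KNOWN_INSTALLED", "KNOWN_CAPTURING"},
        "CONTROLLING": {"KNOWN_INSTALLED", "KNOWN_CONTROLLING"},
    },
    "otherApps": {
        "NOT_INSTALLED": set(),
        "INSTALLED": {"UNKNOWN_INSTALLED"},
        "CAPTURING": {"UNKNOWN_INSTALLED", "UNKNOWN_CAPTURING"},
        "CONTROLLING": {"UNKNOWN_INSTALLED", "UNKNOWN_CONTROLLING"},
    },
}


def expected_apps_detected(verdict):
    """Minimum appsDetected responses implied by the deprecated fields.

    Returns None when a deprecated field is UNEVALUATED.
    """
    expected = set()
    for field, table in LEGACY_TO_APPS_DETECTED.items():
        value = verdict.get(field)
        if value is None:
            continue  # deprecated field not present: nothing to map
        if value == "UNEVALUATED":
            return None  # table: appsDetected is not contained in the verdict
        expected |= table[value]  # KeyError on a value the table does not list
    return expected


def migration_gaps(verdict):
    """Responses the deprecated fields imply but appsDetected lacks.

    Returns None for an unevaluated verdict and [] when appsDetected covers
    everything the deprecated fields reported.
    """
    expected = expected_apps_detected(verdict)
    detected = verdict.get("appsDetected")
    if detected is None:
        if expected:
            raise ValueError("deprecated fields evaluated, appsDetected missing")
        return None
    if expected is None:
        raise ValueError("deprecated fields unevaluated, appsDetected present")
    return sorted(expected - set(detected))
```

Running migration_gaps over logged verdicts before switching policy to appsDetected shows whether any decision that relied on playOrSystemApps or otherApps would lose a signal.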

We will contact developers of the affected apps before removing the fields playOrSystemApps and otherApps.