We recently announced that we're strengthening the Play Integrity API verdicts to make them faster, more resilient against attacks, and more private for users along with other security improvements.
Summary of changes
You can find a detailed summary of the changes and the expected impact later in this document. The new verdicts will be available as follows:
- New integrations: All new integrations will automatically receive the new verdicts.
- Existing integrations until May 2025: Developers with existing integrations can opt-in on the Play Integrity API settings page in the Play Console to receive the new verdicts alongside the legacy verdicts now, giving you time to review and consider making changes to how your app behaves. Before you opt-in, you can see the expected change in the % of devices that return each verdict and a JSON sample of the new verdict. When you opt-in, you will receive two additional fields in the response with the Android SDK version and the legacy verdicts.
- Existing integrations after May 2025: The improvements will go live for all integrations, with no developer work required. Apps that opt-in before May 2025 will not receive the temporary field that contains the legacy verdicts.
What | What's changing | Estimated impact* | Which devices |
---|---|---|---|
Changes that impact all developers making Play Integrity API requests | | | |
Device verdict response: meets-device-integrity | Required to have a hardware-backed, positive verified boot verdict | Minimal impact because Play Integrity API already uses hardware-backed security signals on Android 13 or later devices (~0.4%) | Android 13 and later |
App integrity response: App recognition verdict | No change | Minimal impact, this will mirror the change in the device verdict (~0.4%) | Android 13 and later |
Account details response: Play license verdict | Requesting app must be installed or updated by Google Play | Minor decrease in licensed responses (~2.5%) | Android 11 and later (this change will roll out gradually) |
Changes that only impact Play Console developers and Play SDK Console developers using optional features | | | |
Device verdict response: meets-basic-integrity | Required to have Android Platform Key Attestation but the boot state can be verified or unverified | Minor decrease in basic responses (~0.4%) | Android 13 and higher |
Device verdict response: meets-strong-integrity | Required to have a security update in the last year | Decrease in strong responses (~14.5%) | Android 13 and higher |
All optional signals | Requesting app must be installed or updated by Google Play | Decrease in % of responses that include optional signals (~7%) | Android 13 and higher |
*All of the estimated impact percentages above are based on averages and different apps may see smaller or larger changes depending on their install base.
Frequently asked questions
Overview
What is the Play Integrity API?
The Play Integrity API helps you assess the trustworthiness of a user's app environment by obtaining information about the device, app, and user, so you can detect and respond to potential abuse and attacks.
What signals does Play Integrity API provide?
The Play Integrity API includes the identity of the requesting app, whether the requesting app was installed by Google Play, and whether the device is a genuine Play Protect Certified Android Device. These signals are provided by default. You can read these signals on your app's backend server and decide whether and how your app should respond. Google Play developers can opt-in to receive additional signals in their Play installs to see even more information.
What is Android Platform Key Attestation?
Android Platform Key Attestation allows apps to verify the state of the device and obtain a strong signal of hardware-backed boot integrity. It depends on a key that's provisioned by Google in the device's hardware-backed keystore. Play Integrity API already uses key attestation to obtain hardware-backed security signals on some devices and will now integrate them more deeply on all devices running Android 13 or later.
Verdict changes
What changes are being made to the Play Integrity API verdicts on Android 13 or later devices?
Play Integrity API will now require hardware-backed security signals for all integrity verdicts:
- The meets-device-integrity device recognition verdict is an indication that the device the app is running on is a genuine Play Protect certified Android-powered device. This verdict will require the device bootloader to be locked and the loaded Android OS to be a certified device manufacturer image.
- The meets-strong-integrity device recognition verdict is an indication of a genuine Play Protect certified Android-powered device with a recent security update. This verdict will require meets-device-integrity and for the device to have had a security update in the last year. This condition may change in the future.
- The meets-basic-integrity device recognition verdict is an indication that the check happened on a physical Android-powered device. The device bootloader can be locked or unlocked, and the boot state can be verified or unverified. It may not be Play Protect certified, in which case Google cannot provide any security, privacy, or app compatibility assurances and cannot guarantee that the device is not acting as a proxy, such as for a virtual instance of Android. This also means that rooted devices are eligible to return meets-basic-integrity so long as key attestation is present.
These changes don't impact Play Integrity API on Play Games for PC, which will continue to return meets-virtual-integrity.
Why are the Play Integrity API verdicts being changed on Android 13 or later devices?
Play Integrity API has only been partially using hardware-backed security signals across Android SDK versions. By increasing their integration, Play Integrity API verdicts will be more resilient against attackers, more performant for apps, and more private for users. Once the transition is complete, we expect the following improvements on devices running Android 13 or later:
- Reduction in device signals that need to be collected and evaluated to generate the default verdict on Google servers by ~90%. Optional signals will continue to require additional signals to be collected.
- Improvement in verdict latency by up to 80% for worst-case standard requests and up to 80% for all classic requests to obtain the default verdict. Optional signals can increase the latency.
- Consistent level of reliability and support for all Android form factors with key attestation including mobiles, tablets, foldables, TV, Auto, Wear OS, and ChromeOS.
- A greater differentiation between each device label in the device recognition verdict: meets-strong-integrity, meets-device-integrity, and meets-basic-integrity.
Performance is not expected to change during the opt-in period while Play Integrity API generates old and new integrity verdicts. However, after the new verdicts launch for all developers in May 2025, we expect performance improvements to be seen gradually, while we remove or transition legacy dependencies for all default and optional signals.
The Play Integrity API verdict on Play Games for PC is not being changed and will be the same on Android 12 and earlier as it is on Android 13 and higher.
How can I update my app's backend logic for integrity verdicts to take Android SDK version into account?
If you want to use different logic on your app's backend server based on the Android SDK version, you can use the new device attributes field in the verdict. Here's an example of doing this:
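Kotlin
```kotlin
import org.json.JSONObject

// payload is the decrypted and verified integrity verdict as a JSON string.
val deviceIntegrity = JSONObject(payload).getJSONObject("deviceIntegrity")
// The deviceAttributes field may be absent; fall back to 0 in that case.
val sdkVersion =
    if (deviceIntegrity.has("deviceAttributes")) {
        deviceIntegrity.getJSONObject("deviceAttributes").getInt("sdkVersion")
    } else {
        0
    }
if (sdkVersion >= 30) {
    // Provide Android R+ specific experience to the user.
}
```
Java
```java
import org.json.JSONObject;

// payload is the decrypted and verified integrity verdict as a JSON string.
JSONObject deviceIntegrity = new JSONObject(payload).getJSONObject("deviceIntegrity");
// deviceAttributes is a JSON object; fall back to 0 when it is absent.
int sdkVersion =
    deviceIntegrity.has("deviceAttributes")
        ? deviceIntegrity.getJSONObject("deviceAttributes").getInt("sdkVersion")
        : 0;
if (sdkVersion >= 30) {
    // Provide Android R+ specific experience to the user.
}
```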
How can I use the old meets-strong-integrity label definition across all Android SDK versions?
You can achieve this by updating your app's backend logic to use meets-strong-integrity when it's a pre-Android 13 device and meets-device-integrity when it's an Android 13 or later device using the new device attributes field in the verdict that contains Android SDK version. Here is an example of doing this:
Kotlin
```kotlin
// deviceIntegrity and sdkVersion are obtained as in the previous example.
val deviceRecognitionVerdict =
    if (deviceIntegrity.has("deviceRecognitionVerdict")) {
        deviceIntegrity.getJSONArray("deviceRecognitionVerdict").toString()
    } else {
        ""
    }
// Before Android 13 (API level 33) check the strong label; from Android 13 check the device label.
val deviceIntegrityToCheckFor =
    if (sdkVersion < 33) "MEETS_STRONG_INTEGRITY" else "MEETS_DEVICE_INTEGRITY"
if (deviceRecognitionVerdict.contains(deviceIntegrityToCheckFor)) {
    // Looks good!
}
```
Java
```java
// sdkVersion is obtained as in the previous example.
JSONObject deviceIntegrity = new JSONObject(payload).getJSONObject("deviceIntegrity");
String deviceRecognitionVerdict =
    deviceIntegrity.has("deviceRecognitionVerdict")
        ? deviceIntegrity.getJSONArray("deviceRecognitionVerdict").toString()
        : "";
// Before Android 13 (API level 33) check the strong label; from Android 13 check the device label.
String deviceIntegrityToCheckFor =
    sdkVersion < 33 ? "MEETS_STRONG_INTEGRITY" : "MEETS_DEVICE_INTEGRITY";
if (deviceRecognitionVerdict.contains(deviceIntegrityToCheckFor)) {
    // Looks good!
}
```
Because it's also a hardware-backed signal, the device attributes field is most reliable on devices running Android 13 and higher.
What other verdict changes is Play Integrity API making?
We continually invest in making existing signals in Play Integrity API more reliable and we periodically launch new features to help developers deal with emerging threats and new use cases. Other verdict improvements that we're making include:
- Play licensed response: In order to return a Play licensed response, Play Integrity API now always requires the requesting app to be installed or updated by Google Play. This fixes some edge cases and makes the response easier to interpret for developers. This is live on Android 13 or later versions.
- Optional signals availability: All optional signals available to developers using Google Play Console or the Play SDK Console will now require the requesting app to be installed, or updated, by Google Play on Android 13 or later. This includes meets-strong-integrity, meets-basic-integrity, recent device activity, the app access risk verdict, and the Play Protect verdict. All other Play Integrity API requests will be standardized to receive the device check (with the meets-device-integrity label only), the installer check, and the app integrity check.
- Verdict changes for specific devices: Play Integrity API will also start automatically changing device verdicts in more scenarios to protect apps earlier across all Android SDK versions, such as when there is evidence of excessive activity or key compromise. This will include the ability for Play to fall back to other signals to generate temporary device verdicts for users when hardware-backed signals are unavailable. Developers are recommended to use the in-app Play remediation dialogs or to point users to the Play Store app to fix integrity verdict issues. In time, these dialogs will deal with more scenarios and include specific guidance for users telling them what they need to fix based on their specific device or account.
Opting in and out
How do I opt-in to the improved verdict on Android 13 or later devices?
Developers using the Play Console can opt-in on the Play Integrity API settings page.
What will happen to my Play Integrity API response after I opt-in?
Three things will happen when you opt-in:
- The responses in the deviceRecognitionVerdict field will immediately start being generated and returned based on the new verdict evaluation requirements on Android 13 or later devices. On devices running Android 12 and lower, the deviceRecognitionVerdict will be generated using the historical verdict evaluation.
- You will receive a new field, deviceAttributes, that contains the Android SDK version on the device.
- You will receive a new field, legacyDeviceRecognitionVerdict, that contains the device integrity responses based on the historical verdict evaluation requirements regardless of Android SDK version.
When the verdict changes roll out for all integrations in May 2025, any apps that opted in will stop receiving the legacyDeviceRecognitionVerdict field.
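One way to use the opt-in period on your backend, as an added example that is not part of the original page or Google's samples: it reads decoded verdict payloads and counts how the strongest device label changes between legacyDeviceRecognitionVerdict and deviceRecognitionVerdict, split at Android 13 (API level 33). It assumes the legacy field sits beside deviceRecognitionVerdict inside deviceIntegrity; the function names and sample payloads are constructed for illustration.

```python
import json
from collections import Counter

# Device labels from weakest to strongest, as described on this page.
TIERS = ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"]


def highest_tier(labels):
    """Return the strongest known label in a verdict list, or "NONE"."""
    present = [t for t in TIERS if t in (labels or [])]
    return present[-1] if present else "NONE"


def compare_verdict(payload):
    """Compare new and legacy device labels in one decoded verdict (JSON string)."""
    device = json.loads(payload).get("deviceIntegrity", {})
    # deviceAttributes or sdkVersion may be missing; treat the version as unknown (0).
    sdk = device.get("deviceAttributes", {}).get("sdkVersion", 0)
    # Assumption: the legacy field sits next to deviceRecognitionVerdict.
    legacy = device.get("legacyDeviceRecognitionVerdict")
    return {
        "sdk": sdk,
        "new": highest_tier(device.get("deviceRecognitionVerdict")),
        "legacy": None if legacy is None else highest_tier(legacy),
    }


def summarize(payloads):
    """Count (bucket, legacy label, new label) transitions, split at API level 33."""
    changes = Counter()
    for payload in payloads:
        r = compare_verdict(payload)
        if r["legacy"] is None:
            continue  # No legacy field in this response: nothing to compare.
        bucket = "sdk>=33" if r["sdk"] >= 33 else "sdk<33"
        changes[(bucket, r["legacy"], r["new"])] += 1
    return changes


def _sample(sdk, new, legacy):
    device = {"deviceRecognitionVerdict": new, "deviceAttributes": {"sdkVersion": sdk},
              "legacyDeviceRecognitionVerdict": legacy}
    return json.dumps({"deviceIntegrity": device})


# Constructed sample payloads for illustration, not real verdicts.
B, D, S = TIERS
SAMPLES = [
    _sample(34, [B, D], [B, D, S]),  # strong -> device
    _sample(33, [B], [B, D]),        # device -> basic
    _sample(33, [], [B]),            # basic -> none
    _sample(31, [D], [D]),           # Android 12: unchanged
    json.dumps({"deviceIntegrity": {"deviceRecognitionVerdict": [D]}}),  # no legacy field
]
```

Calling summarize(SAMPLES) returns a Counter keyed by (bucket, legacy label, new label), which you can compare with the expected change shown on the settings page before deciding whether your enforcement logic needs adjusting.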
How do I report issues with integrity verdicts?
To report issues with responses from Play Integrity API, whether the issue is with the historical verdicts or the new ones, follow the instructions on the support page.
Can I opt out after I've opted in?
Yes, you can opt out on the Play Integrity API settings page.
Availability
What does Play Integrity API require to work?
Play Integrity API requires that Google Play Store and Google Play services be installed on a device. This includes Android devices and Google Play Games for PC. Classic requests require Android 4.4 (API level 19) or later and standard requests require Android 5.0 (API level 21) or later. On devices running Android 13 (API level 33) and later, the Play Integrity API will now have the same level of reliability and support across all Android form factors with key attestation including mobiles, tablets, foldables, TV, Auto, Wear OS, and ChromeOS.
Why does Play Integrity API have different verdicts for different devices?
Play Integrity API provides multiple device verdicts to accommodate developers with different use cases and risk tolerances and to make it possible to have a tiered enforcement strategy. For example, when the app and device are more trusted, a developer might streamline their user verification steps; whereas, when a device is unknown, the developer might require additional user verification before performing protected or sensitive actions. This can be an effective way to reduce abuse and attacks.
What is a Play Protect certified Android-powered device?
A Play Protect certified Android-powered device (also known as a GMS Android device) is a device running predictable software that has passed hundreds of Google's compatibility tests, adheres to the Android security and permissions model, and that shipped with the Google Play Protect suite of anti-malware features. When Play Integrity API is able to verify that a device is a Play Protect certified Android-powered device, it will return the meets-device-integrity response in the device recognition verdict.
What is a meets-basic-integrity device?
Play Integrity API also returns an optional response in the device verdict, meets-basic-integrity. If a device only returns the meets-basic-integrity verdict without meets-device-integrity or meets-strong-integrity, it means the Android OS cannot be verified, but key attestation is present. This indicates that the check happened on a physical Android-powered device, but Google cannot make assurances about the device's security, privacy, or app compatibility and cannot guarantee that the device is not acting as a proxy, such as for a virtual instance of Android. Depending on developers' use cases and risk tolerances, they can decide how they want their app to run on these devices.
Can any developer use the Play Integrity API?
Yes, any Android developer can make Play Integrity API requests to receive the default integrity verdicts. Usage is capped at 10K requests per day regardless of distribution channel. Developers publishing their apps on Google Play in addition to any other distribution channels can also request to increase their daily quota.
Can any developer use Android Platform Key Attestation?
Yes, any Android developer can use Android Platform Key Attestation to obtain a key attestation record, which they can verify with the public certificate of Google's attestation root key. Play Integrity API brings developers the benefits of key attestation and additional features without all the complexity of having to integrate with key attestation themselves.
Enforcement
How do developers use the Play Integrity API verdicts?
It's up to developers to decide whether and how to use the Play Integrity API verdicts. Some developers collect the signals for internal anti-abuse analysis, while other developers will make decisions about how their app behaves based on the verdict. For example, developers could decide to require that less trusted devices perform additional user verification steps while creating an account; or they could decide that less trusted devices should play together on the same multiplayer server.
Does Play Integrity API block users or devices?
No, the Play Integrity API does not block access to any functionality itself. It is an optional developer service that provides signals and developers choose how to act on those signals.
What should users do if their device is failing Play Integrity API device checks?
Users can go to the Play Store app on their device, open the Settings menu, scroll down to About, and then look under Play Protect certification. If there is something wrong with their device's Play Protect certification, there will be a button that users can press to try to fix the issue. This will refresh the device's certification status and provide specific guidance on what needs to be fixed.