Google Play Games is in open beta.

Integrity protection

Invited developers have access to several features providing integrity protection. The Play Integrity API and Automatic Integrity Protection work across both the Google Play Games and mobile platforms.

Play Integrity API

The Play Integrity API helps protect your games from potentially risky and fraudulent interactions, allowing you to respond with appropriate actions to reduce attacks and abuse such as fraud, cheating, and unauthorized access. Your game backend server can receive signals about the distribution channel (licensed/installed from the Play Store), the application package (not tampered with or modified in any way), and the device itself (e.g. not a rooted or compromised device). It is the only Google-supported solution that provides a reliable signal that users are on Google Play Games and not another virtual environment. This helps you do the following:

  • Protect against unauthorized access by ensuring that your APK is distributed and installed by Google Play.
  • Protect against APK tampering by verifying that your game backend server is interacting with your unmodified binary.
  • Ensure your newly published x86 binaries are running on the Google Play Games virtual environment, and are not susceptible to exploitation on unsupported surfaces.

The Play Integrity API brings together multiple signals in an encrypted token. It offers positive integrity verdicts for genuine Android devices and virtual environments that pass Google Play integrity checks. We recommend calling the Play Integrity API during critical game events while the app is running, for example when the user makes an in-app purchase or when your game saves the user's scores. Calling the API in a pre-defined manner, such as at a predetermined time, is not recommended.

The API provides maximum flexibility, but requires additional code running on a trusted server. On-device validation is not secure and is not recommended. The complete solution must include a server-side component, which provides the necessary foundation for the integrity check and response validation. We highly recommend that you avoid sending a binary yes/no decision back to the device, and instead fine-tune your application behavior based on the verdict provided by the Play Integrity API.

The Play Integrity API is the successor to both the SafetyNet Attestation API (SNAA) and the Play App Licensing APIs. SNAA will not work with Google Play Games because SNAA returns only negative signals when verifying the integrity of Google Play Games.

Device Integrity Field

The deviceIntegrity field contains a single value, deviceRecognitionVerdict, that represents how well a device can enforce app integrity. By default, deviceRecognitionVerdict can have one of the following labels:

  • MEETS_DEVICE_INTEGRITY: The app is running on an Android device with Google Play services. The device passes system integrity checks and meets Android compatibility requirements.
  • MEETS_VIRTUAL_INTEGRITY: The app is running in a virtual Android environment with Google Play services, currently limited to Google Play Games. The environment meets core Android compatibility requirements and passes Google Play integrity checks.
  • No labels (for example, a blank value): The app is running on a device that has signs of attack (such as API hooking) or system compromise (such as being rooted), or the app is running on a non-physical device (such as an emulator) that does not pass Google Play integrity checks.

The Play Integrity API uses the deviceRecognitionVerdict label MEETS_VIRTUAL_INTEGRITY to indicate that the game is running on Google Play Games. The following is an example of a passing response from the Play Integrity API:

deviceIntegrity: {
    // "MEETS_VIRTUAL_INTEGRITY" indicates the game is running on Google Play Games
    deviceRecognitionVerdict: ["MEETS_VIRTUAL_INTEGRITY"]
}

Ensure your validation logic is checking for the MEETS_VIRTUAL_INTEGRITY label on Google Play Games.

If you have a cross-platform game also available on mobile, then ensure your validation logic is checking for the MEETS_DEVICE_INTEGRITY label as well.
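The following server-side sketch is an added example, not Google's code. It grades the deviceRecognitionVerdict labels listed above instead of reducing them to a yes/no answer. It assumes the token has already been decrypted and verified on your backend; the build names, tier names and action names are hypothetical.

```python
# Added example: label names come from this page; build names, tier names and
# action names are hypothetical, and the payload is assumed already decrypted.
VIRTUAL = "MEETS_VIRTUAL_INTEGRITY"
DEVICE = "MEETS_DEVICE_INTEGRITY"
EXPECTED_LABEL = {"play_games_pc": VIRTUAL, "mobile": DEVICE}

# Constructed sample payloads (not captured from a real device).
PASSING_PLAY_GAMES = {"deviceIntegrity": {"deviceRecognitionVerdict": [VIRTUAL]}}
PASSING_MOBILE = {"deviceIntegrity": {"deviceRecognitionVerdict": [DEVICE]}}
NO_LABELS = {"deviceIntegrity": {}}


def device_labels(payload):
    """Return the deviceRecognitionVerdict labels as a set; empty if absent or malformed."""
    integrity = payload.get("deviceIntegrity") if isinstance(payload, dict) else None
    labels = integrity.get("deviceRecognitionVerdict") if isinstance(integrity, dict) else None
    if not isinstance(labels, list):
        return set()
    return {label for label in labels if isinstance(label, str)}


def trust_tier(payload, build):
    """Grade the verdict for the build the session claims to run.

    full:    the label expected for this build is present
    reduced: a passing label is present, but not the one this build should produce
    minimal: no passing label, or an unknown build name
    """
    expected = EXPECTED_LABEL.get(build)
    labels = device_labels(payload)
    if expected is None or not labels & {VIRTUAL, DEVICE}:
        return "minimal"
    return "full" if expected in labels else "reduced"


def server_action(payload, build, event):
    """Pick a server-side response for a critical event; no yes/no is sent to the client."""
    tier = trust_tier(payload, build)
    if tier == "full":
        return "accept"
    if tier == "reduced":
        return "accept_and_flag_for_review"
    # minimal: hold purchases, keep score saves off the public leaderboard
    return "hold_for_review" if event == "purchase" else "accept_unranked"


if __name__ == "__main__":
    for name, p in [("play games", PASSING_PLAY_GAMES), ("mobile", PASSING_MOBILE), ("none", NO_LABELS)]:
        print(name, trust_tier(p, "play_games_pc"), server_action(p, "play_games_pc", "purchase"))
```

A missing or malformed deviceRecognitionVerdict is treated the same as "no labels", so a stripped or altered field cannot raise the tier.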

Please refer to the Play Integrity API documentation for more information.

Automatic Integrity Protection

Automatic Integrity Protection is a runtime check added by Google Play that runs each time your game is opened. If your game has been tampered with or was not installed by Google Play, Automatic Integrity Protection can prevent it from running. It does not check the device; use the Play Integrity API to obtain device integrity status.

The Automatic Integrity Protection helps protect integrity, with the following features:

  • Require installation from Google Play: Adds a check to see if your app was installed from Google Play. If this check fails, the user will be prompted to get your app from Google Play. This recommended feature is on by default, but can be turned off. Turning off this feature disables piracy protection for paid apps.
  • Restrict modification: Adds a check to see if your app is unmodified. If this check fails, the app will not run. This feature is always on and can’t be turned off.
  • Restrict reverse-engineering: Adds obfuscation and other advanced techniques that make it difficult to remove runtime checks. This feature is always on and can’t be turned off.

Automatic Integrity Protection requires the developer to opt in and requires no code changes or developer work. Protections run whether or not there is a data or internet connection, and there are no server-side components required. Note that the "Require installation from Play" check will periodically require a data connection if the Play Store app on the device has been offline for a prolonged period.

Other Google Play Games considerations

Play offers a collection of integrity products to help protect your game. Please refer to the Play Integrity documentation for more information on the available products. This section highlights special considerations when using these products with Google Play Games.

Exclude untrustworthy devices from distribution

The Google Play Console has a setting that allows you to prevent your app from being available to install from Google Play on devices that don’t pass integrity checks.

This feature is currently incompatible with Google Play Games and prevents game distribution to the platform. Do not enable this exclusion rule in the device catalog.

Play Integrity API

The Play Integrity API uses the deviceRecognitionVerdict label MEETS_VIRTUAL_INTEGRITY to indicate that the game is running on Google Play Games. The following is an example of a passing response from the Play Integrity API:

deviceIntegrity: {
    // "MEETS_VIRTUAL_INTEGRITY" is one of several possible values.
    deviceRecognitionVerdict: ["MEETS_VIRTUAL_INTEGRITY"]
}

Ensure your validation logic is checking for the MEETS_VIRTUAL_INTEGRITY label.

Please refer to the Play Integrity API documentation for more information.