Play Integrity API: Account activity early access program (EAP)

Create a more effective and nuanced anti-abuse strategy with Play account activity, a new signal in the Play Integrity API. Account activity is represented by levels based on the presence and volume of store activity and the age of the accounts on the device. When it’s evaluated, an account activity level is returned for the current user session and is not linked to user or device identifiers.

What is Play account activity?

The Play Integrity API offers a collection of integrity signals to help app and game developers detect potentially risky and fraudulent traffic. Developers in this early access program can add account activity to their API response, which already contains the device, application, and account license verdicts. If the device, application, or license verdicts have issues, then account activity will be unevaluated. If the existing verdicts are issue-free, then account activity will return a level. The level is determined based on the presence and volume of store activity and the age of the accounts on the device. The level will help your app differentiate between likely genuine users and likely non-genuine traffic (such as accounts being used for fraud, accounts used by automated traffic, or accounts used in device farms). Your app can use this signal, alongside others, when protecting high value or sensitive actions.

Apps participating in the early access program (EAP) can receive one of the following account activity levels for the current user session:

  • UNEVALUATED: Account activity is not evaluated because the device is not trusted or the user does not have a Play app license.
  • UNUSUAL: Google Play store activity is unusual for at least one of the user accounts on the device. Google Play recommends checking that this is a real user.
  • UNKNOWN: Google Play does not have sufficient store activity for the user account on the device. The account may be new, or it may lack activity on Google Play.
  • TYPICAL (BASIC): Google Play store activity is typical for the user account or accounts on the device.
  • TYPICAL (STRONG): Google Play store activity is typical for the user account or accounts on the device, with harder-to-replicate signals.

Use account activity as part of an anti-abuse strategy

Account activity works best when used alongside other signals as part of your overall anti-abuse strategy and not as your sole anti-abuse mechanism. Use this signal and the Play Integrity API in conjunction with other appropriate security best practices for your app.

Gather telemetry and understand your audience before taking action

Before you change functionality based on account activity or other Play Integrity API verdicts, implement the API without enforcement to understand the current situation with your existing audience. Once you know what levels your current install base is returning, you can estimate the impact of any enforcement you’re planning and adjust your anti-abuse strategy accordingly.

Challenge risky traffic when accessing high value or sensitive features

Identify high value or sensitive actions in your app or game to protect with the Play Integrity API instead of denying access to your app or game outright. When possible, challenge risky traffic before allowing high-value actions to proceed. For example, when the account activity level is UNUSUAL, you could require a second verification mechanism before the user can complete the action you're protecting.

Plan for user support

When possible, provide useful error messages to the user, and let them know what they can do to fix the problem, such as retrying, enabling their Internet connection, or checking that the Google Play store app is up to date. Account activity evaluations are periodically updated by Google Play. New store activities can automatically change a user's level during these periodic updates.

Follow the existing recommendations for the Play Integrity API

In addition to the preceding practices, read the security considerations for the Play Integrity API.

Get early access to Play Integrity API account activity

Follow these steps to start using account activity.

Step 1: Review these important considerations

  • Account activity is in active development and is subject to change.
  • Account activity is still confidential. Do not share information about account activity or account activity levels with end users.
  • By using account activity you agree to the terms in the Google Play Developer Distribution Agreement and the Play Integrity API Terms of Service.
  • Developers participating in the early access program are expected to evaluate the account activity signal and provide feedback and information about the outcome of their evaluation to Google Play before altering their enforcement strategy.

Step 2: Request to join the Play Integrity API account activity EAP

Developers in the Google Play Partner Program for Games automatically have access to the account activity EAP and can skip to step 3.

Other developers can express interest in joining the early access program by emailing integrity-api-eap@google.com with the following information:

  • Your package name and developer account ID.
  • Confirmation that you have read the recommended practices for account activity.
  • How you intend to evaluate account activity and—if you already have an idea—how you expect to use account activity.
  • Your expected timeline once you are accepted into the account activity early access program.

At this time, we are only accepting developers that meet high-scale performance thresholds on Google Play with accounts in good standing.

Step 3: Turn on account activity in the Integrity API response from the Google Play Console

Once you've been accepted into the early access program, you will see a new option on the Integrity API page in the Play Console to include account activity in your Play Integrity API response. When you are ready, turn on account activity in the Play Console:

  1. Sign in to the Play Console.
  2. Select the app that will use account activity.
  3. In the Release section of the left menu, go to App integrity.
  4. Next to Play Integrity API, click Settings.
  5. In the Responses section of the page, next to Account activity, click Turn on.
  6. In the window that appears, click Turn on.

When you turn on or turn off account activity, any Play Integrity API test responses that you've set up in the Play Console will be deleted and you will need to create them again.

Step 4: Integrate the Integrity API in your app and your app’s backend server

If you haven't already done so, follow the documentation to integrate the Play Integrity API into your app and your app's backend server.

Step 5: Work with account activity

Once enabled, the accountDetails field in the Play Integrity API payload will contain the new account activity signal that represents the activity associated with the user accounts on the device.

accountDetails: {
  // Represents the licensing status of the user session.
  // This field can be LICENSED, UNLICENSED, or UNEVALUATED.
  appLicensingVerdict: "LICENSED",

  // Represents the activity level associated with the user accounts on
  // the device of the user session.
  accountActivity: {
     // This field can be UNEVALUATED, UNUSUAL,
     // UNKNOWN, TYPICAL_BASIC, TYPICAL_STRONG
     activityLevel: "UNUSUAL"
  }
}

accountActivity.activityLevel can have the following values:

  • UNUSUAL: Google Play store activity is unusual for at least one of the user accounts on the device.
  • UNKNOWN: Google Play does not have sufficient store activity for the user account on the device. The account may be new, or it may lack activity on Google Play.
  • TYPICAL (BASIC): Google Play store activity is typical for the user account or accounts on the device.
  • TYPICAL (STRONG): Google Play store activity is typical for the user account or accounts on the device, with harder-to-replicate signals.
  • UNEVALUATED: Account activity is not evaluated because a necessary requirement was not met.

This could happen for several reasons, including the following:

  • The device is not trustworthy enough.
  • The version of your app installed on the device is unknown to Google Play.
  • The user is not signed in to Google Play.
  • The user does not have the necessary license for accessing the app.

To check whether any of the user accounts on the device has unusual account activity, read accountActivity.activityLevel from the payload and compare it with the level you are looking for, as shown in the following code snippet:

Kotlin

val requestDetails = JSONObject(payload).getJSONObject("accountDetails")
val accountActivity = requestDetails.getJSONObject("accountActivity")
val activityLevel = accountActivity.getString("activityLevel")

if (activityLevel == "UNUSUAL") {
    // One of the accounts is UNUSUAL! Be careful.
}

Java

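// import org.json.JSONObject;
JSONObject requestDetails =
    new JSONObject(payload).getJSONObject("accountDetails");
// requestDetails is already a JSONObject, so read the nested object directly.
JSONObject accountActivity =
    requestDetails.getJSONObject("accountActivity");
String activityLevel = accountActivity.getString("activityLevel");

// Compare string contents with equals(); == compares object references in Java.
if ("UNUSUAL".equals(activityLevel)) {
    // One of the accounts is UNUSUAL! Be careful.
}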
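The following backend-side sketch is an added example, not code from Google or the Play Integrity API. It combines the telemetry-first and challenge-instead-of-deny recommendations above with the activityLevel check from this step. It assumes the payload has already been decrypted and verified by your server; the function names, the DEFER action, and the policy for every level other than UNUSUAL are assumptions.

```python
import json
from collections import Counter

# Level names as listed in the accountActivity field comment on this page.
KNOWN_LEVELS = {"UNEVALUATED", "UNUSUAL", "UNKNOWN", "TYPICAL_BASIC", "TYPICAL_STRONG"}

# Assumed policy for sensitive actions (only UNUSUAL -> second verification is
# from the page). DEFER means "decide from the device, app and licensing
# verdicts", since those are why account activity was not evaluated.
POLICY = {
    "UNUSUAL": "CHALLENGE",
    "UNEVALUATED": "DEFER",
    "UNKNOWN": "ALLOW",
    "TYPICAL_BASIC": "ALLOW",
    "TYPICAL_STRONG": "ALLOW",
}

def activity_level(payload_json):
    """Extract activityLevel; a missing, non-string or unrecognised value is
    reported as UNEVALUATED so callers never act on an unexpected string."""
    node = json.loads(payload_json)
    for key in ("accountDetails", "accountActivity", "activityLevel"):
        node = node.get(key) if isinstance(node, dict) else None
    return node if isinstance(node, str) and node in KNOWN_LEVELS else "UNEVALUATED"

def decide(payload_json, sensitive_action, enforce, stats):
    """Record the level for telemetry, then return ALLOW, CHALLENGE or DEFER."""
    level = activity_level(payload_json)
    stats[level] += 1  # counted even when enforcement is off
    if not enforce or not sensitive_action:
        return "ALLOW"
    return POLICY[level]

# Constructed sample payloads (not real API responses).
SAMPLES = [
    '{"accountDetails": {"appLicensingVerdict": "LICENSED", "accountActivity": {"activityLevel": "UNUSUAL"}}}',
    '{"accountDetails": {"appLicensingVerdict": "LICENSED", "accountActivity": {"activityLevel": "TYPICAL_STRONG"}}}',
    '{"accountDetails": {"appLicensingVerdict": "UNLICENSED"}}',
]

def run(enforce):
    """Evaluate every sample as a sensitive action; return (actions, level counts)."""
    stats = Counter()
    actions = [decide(p, True, enforce, stats) for p in SAMPLES]
    return actions, dict(stats)

if __name__ == "__main__":
    print(run(enforce=False))  # telemetry only: nothing is challenged
    print(run(enforce=True))   # enforcement on for sensitive actions
```

Run with enforce=False first and compare the recorded level distribution against your known-good and known-abusive traffic before switching enforcement on.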

Step 6: Test your integration with account activity

You can create tests to evaluate how the account activity levels from the Play Integrity API interact with your app using the available Play Integrity API test feature. The instructions for using this test feature are available at the Play Console help center.

Step 7: Provide early access feedback to Google Play

We would like participants in the early access program to provide feedback on account activity. To provide feedback, email integrity-api-eap@google.com. Our developer research team will also be in touch to arrange interviews. We’re interested in understanding the following:

  • How accurately does the account activity level correlate with known abusive accounts for your app or game?
  • Does the audience distribution of account activity and other Play Integrity API verdicts match your expectations?
  • What abuse problems are you trying to solve with account activity and other Play Integrity API verdicts?
  • What functionality are you planning to change based on account activity and other Play Integrity API verdicts?

Other Play integrity tools

Consider using these other integrity protection tools as part of your anti-abuse strategy:

  • Exclude untrustworthy devices from being able to find and install your app on Google Play. This does not prevent users from obtaining and installing your app via other means (such as sideloading).
  • Use automatic integrity protection to prevent unauthorized modification and redistribution without changes to your code. If you don’t currently have access to this feature, contact your partner manager.
  • Request package name protection (early access program) to defend against unknown and modified versions of your app, whenever they're installed on Android 11+ devices running Google Play services.