Powered by Soft Space Sdn. Bhd.
201201002345 (975870-D)
www.softspace.com.my

Play Integrity API Enrolment Guide

Generate Service Account for Google Play Integrity (Apps exclusively distributed outside of Google Play)

Apps that are distributed outside of Google Play, whether by sideloading or through a non-Google MDM solution, are required to set up and use the Google Cloud API. Play Integrity tokens are encrypted, and the Google Cloud API must be used to decrypt and verify them. The Attestation Service uses this Service Account credential to call the Google Cloud API, which decrypts the token and returns the response; the Attestation Service then continues to process the payload of the token. Because this is a network call, our benchmark shows that it takes up to 1 second solely to wait for the response.

  1. Create Service Account in Google Cloud Console.

  2. Enter the service account details, then click "CREATE AND CONTINUE".

  3. Grant "Service Account User" and "Service Usage Consumer" account access.

  4. Click "DONE" to return to the service account listing. Open the service account that was just generated, which is "play-integrity-demo" in this document.

  5. Create a key.

  6. Select JSON format.

  7. A JSON file is generated and downloaded to your PC.

Export Google Play Integrity Key from Play Store (Apps on Google Play)

This setup option is for apps that are on the Google Play Store. It exports the Google Play Integrity private key for local token processing, which reduces network processing time compared to Generate Service Account for Google Play Integrity (Apps exclusively distributed outside of Google Play).

  1. Create a new private-public key pair. The RSA key size must be 2048 bits. Run the following command and follow the prompts.

    openssl genrsa -aes128 -out private.pem 2048
    

  2. From the generated private key, generate the public key using the following command.

    openssl rsa -in private.pem -pubout > public.pem
    

  3. After generating the private-public key pair, go to the Google Play Console portal and open the App Integrity section of the app.

  4. Select "Change" under App Integrity > Integrity API > Response Encryption.

  5. Select "Manage and download my response encryption keys", and upload the generated public.pem from step 2.

  6. Select the "Save Changes" button. The application's response encryption key file will be generated, and you will be prompted to download the encrypted keys (.enc file).

  7. Decrypt the encrypted keys file into api_keys.txt using the private key generated in step 1, as shown in the following command.

    openssl rsautl -decrypt -oaep -inkey private.pem -in keys.enc > api_keys.txt
    
  8. Proceed with encrypting api_keys.txt, and share it with Soft Space. Refer to Encrypt Service Account Credential File.
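
Before uploading public.pem in step 5, it is worth confirming that the key pair is the 2048-bit RSA pair the steps expect and that the step 7 decryption will work with it. The script below is an added example, not part of the original guide or of Soft Space's tooling; the function name check_keypair, the file name check_keypair.sh and the KEY_PASS environment variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Soft Space or Google tooling.
# Assumption: the private key passphrase is exported as KEY_PASS.

check_keypair() {
    priv=$1; pub=$2

    # 1. The private key must be a readable 2048-bit RSA key (step 1).
    if ! openssl rsa -in "$priv" -passin env:KEY_PASS -noout -text 2>/dev/null |
            grep -q '(2048 bit'; then
        echo "FAIL: $priv is not a readable 2048-bit RSA key" >&2
        return 1
    fi

    # 2. public.pem must carry the same modulus as private.pem (step 2).
    m_priv=$(openssl rsa -in "$priv" -passin env:KEY_PASS -noout -modulus 2>/dev/null) || m_priv=""
    m_pub=$(openssl rsa -pubin -in "$pub" -noout -modulus 2>/dev/null) || m_pub=""
    if [ -z "$m_pub" ] || [ "$m_priv" != "$m_pub" ]; then
        echo "FAIL: $pub was not derived from $priv" >&2
        return 1
    fi

    # 3. OAEP round trip on a constructed sample, decrypting with the same
    #    command form as step 7, so padding or passphrase problems show now.
    tmp=$(mktemp -d) || return 1
    printf 'constructed sample, not real key material' > "$tmp/sample"
    rc=0
    { openssl rsautl -encrypt -oaep -pubin -inkey "$pub" \
          -in "$tmp/sample" -out "$tmp/sample.enc" 2>/dev/null &&
      openssl rsautl -decrypt -oaep -inkey "$priv" -passin env:KEY_PASS \
          -in "$tmp/sample.enc" -out "$tmp/sample.dec" 2>/dev/null &&
      cmp -s "$tmp/sample" "$tmp/sample.dec"; } || rc=1
    rm -rf "$tmp"
    if [ "$rc" -ne 0 ]; then
        echo "FAIL: OAEP encrypt/decrypt round trip did not match" >&2
        return 1
    fi
    echo "OK: $pub matches $priv and the OAEP round trip succeeded"
}

# Usage (KEY_PASS exported beforehand): sh check_keypair.sh private.pem public.pem
if [ "$#" -eq 2 ]; then check_keypair "$1" "$2"; fi
```

A FAIL at the second check means the .enc file downloaded in step 6 would not decrypt with private.pem in step 7.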

Encrypt Service Account Credential File

Option 1 – Using SSGPG Tool

  1. Encrypt the file using the tool provided by Soft Space. Run it from a command prompt or terminal.

    E.g.: Encrypt JSON file downloaded from Generate Service Account for Google Play Integrity (Apps exclusively distributed outside of Google Play).

    [OS-ARCH]/ssgpg private_key.json
    

    E.g.: Encrypt api_keys file downloaded from Export Google Play Integrity Key from Play Store (Apps on Google Play).

    [OS-ARCH]/ssgpg api_keys.txt
    

  2. Share the generated .gpg files with Soft Space.

Option 2 – Using Native PGP Tool

  1. Import softspace-attestation.asc with the gpg command in a Unix environment.

    gpg --import softspace-attestation.asc 
    
  2. Encrypt the file with the imported key.

    E.g.: Encrypt JSON file downloaded from Generate Service Account for Google Play Integrity (Apps exclusively distributed outside of Google Play).

    gpg -e -r 37625442578326A0 private_key.json
    

    E.g.: Encrypt api_keys file downloaded from Export Google Play Integrity Key from Play Store (Apps on Google Play).

    gpg -e -r 37625442578326A0 api_keys.txt 
    

  3. Share the generated .gpg files with Soft Space.

Opt-in to Enable a More Complete Integrity Flag in Play Console

  1. Go to the Google Play Console portal and open the App Integrity section of the app.

  2. Select "Edit" under App Integrity > Integrity API > Response > Device Integrity.

  3. Make sure "MEETS_BASIC_INTEGRITY" and "MEETS_STRONG_INTEGRITY" are both selected, then click "Save Changes".

Obtain Project Number for Play Integrity API

The project number is required to call the Play Integrity API.