Assessing the Security Coverage of the Google Play Integrity API on Android
Abstract
This work evaluates the Google Play Integrity API using experiments across four attack scenarios: compromised environments, APK tampering, dynamic instrumentation, and request replay. The results show that the API correctly flags device and binary modifications but remains ineffective against runtime manipulation and replay attacks. We conclude that Play Integrity is useful as an integrity signal source but must be combined with server-side verification, nonces, and application hardening to provide meaningful protection in real Android applications.
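The abstract's conclusion is that a Play Integrity verdict only helps when the backend enforces it: the server issues a nonce, checks that the verdict it receives carries that nonce, the expected package and signing certificate, and an acceptable device verdict, and then burns the nonce so the same token cannot be presented twice. The following is an added example of such a server-side check, not code from the paper or from Google. It assumes the caller has already turned the opaque token into a verdict JSON object (in practice via Google's decodeIntegrityToken endpoint, which is not called here); the field names mirror the documented verdict layout, while `NonceStore`, `verify_verdict`, the package name, the certificate digest and the five-minute TTL are this example's own choices.

```python
import base64
import secrets
from typing import Optional

# Added example: server-side enforcement of a decoded Play Integrity verdict.
# Assumption: the 5-minute window is a policy choice, not a Google requirement.
NONCE_TTL_MS = 5 * 60 * 1000


class NonceStore:
    """Single-use nonce registry (hypothetical; a shared store such as Redis
    would replace the dict so every backend instance sees the same state)."""

    def __init__(self) -> None:
        self._issued: dict[str, int] = {}  # nonce -> issue time in ms

    def issue(self, now_ms: int) -> str:
        # 32 random bytes as unpadded URL-safe base64, the form a classic
        # integrity request expects the app to pass through unchanged.
        nonce = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
        self._issued[nonce] = now_ms
        return nonce

    def consume(self, nonce: str, now_ms: int) -> Optional[str]:
        """None if the nonce is ours, unexpired and unused; otherwise a reason."""
        issued_at = self._issued.pop(nonce, None)  # pop makes it single-use
        if issued_at is None:
            return "nonce_unknown_or_replayed"
        if now_ms - issued_at > NONCE_TTL_MS:
            return "nonce_expired"
        return None


def verify_verdict(verdict: dict, store: NonceStore, expected_package: str,
                   expected_cert_digests: set, now_ms: int) -> tuple:
    """Apply backend policy to an already-decoded verdict; returns (ok, reason)."""
    req = verdict.get("requestDetails", {})
    app = verdict.get("appIntegrity", {})
    dev = verdict.get("deviceIntegrity", {})

    # 1. The verdict must have been requested by our package, otherwise a token
    #    minted for some other app could be forwarded to this backend.
    if req.get("requestPackageName") != expected_package:
        return False, "package_mismatch"

    # 2. Freshness of the verdict itself (timestampMillis is a string in the JSON).
    try:
        stamped = int(req.get("timestampMillis", 0))
    except (TypeError, ValueError):
        return False, "verdict_stale"
    if now_ms - stamped > NONCE_TTL_MS:
        return False, "verdict_stale"

    # 3. The nonce must be one we issued, unexpired and never used before;
    #    this is the check that defeats request replay.
    reason = store.consume(req.get("nonce", ""), now_ms)
    if reason:
        return False, reason

    # 4. Binary integrity: Play-recognized build, our package, our signing key.
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return False, "app_not_recognized"
    if app.get("packageName") != expected_package:
        return False, "app_package_mismatch"
    digests = set(app.get("certificateSha256Digest", []))
    if not digests or not digests <= expected_cert_digests:
        return False, "signing_cert_mismatch"

    # 5. Device integrity: require at least MEETS_DEVICE_INTEGRITY.
    if "MEETS_DEVICE_INTEGRITY" not in dev.get("deviceRecognitionVerdict", []):
        return False, "device_integrity_failed"

    return True, "ok"


def make_sample_verdict(nonce: str, stamped_ms: int, **overrides) -> dict:
    """Constructed sample verdict for demonstration; values are placeholders."""
    verdict = {
        "requestDetails": {
            "requestPackageName": "com.example.app",
            "nonce": nonce,
            "timestampMillis": str(stamped_ms),
        },
        "appIntegrity": {
            "appRecognitionVerdict": "PLAY_RECOGNIZED",
            "packageName": "com.example.app",
            "certificateSha256Digest": ["PLACEHOLDER_CERT_DIGEST"],
            "versionCode": "42",
        },
        "deviceIntegrity": {
            "deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY"],
        },
    }
    for key, value in overrides.items():
        section, field = key.split("__")
        verdict[section][field] = value
    return verdict


if __name__ == "__main__":
    store = NonceStore()
    now = 1_700_000_000_000
    nonce = store.issue(now)
    verdict = make_sample_verdict(nonce, now)
    print(verify_verdict(verdict, store, "com.example.app", {"PLACEHOLDER_CERT_DIGEST"}, now + 1000))
    # Presenting the same verdict again is rejected as a replay.
    print(verify_verdict(verdict, store, "com.example.app", {"PLACEHOLDER_CERT_DIGEST"}, now + 2000))
```

The order of the checks matters: the nonce is consumed only after the package and timestamp checks, so a forwarded or stale verdict cannot be used to burn a legitimate client's nonce, while a tampered app or a rooted device is still rejected after the nonce has been spent, which means the client must obtain a fresh nonce to try again.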