App Server for Google Play Integrity
10 Mar 2023As the SafetyNet Attestation API is deprecated and has been replaced by the Play Integrity API, many mobile solutions will have to migrate to prevent attacks and reduce abuse on their apps.
I had some trouble puting all the pieces together to implement the App Server as described on the official docs, mainly due the lack of information about the correct dependencies in Java.
This StackOverflow post was really helpfull to solve it, then I’ve decided to put it all together in a Spring Boot demo project. Hopefully it will help someone else.
The project has an implementation of the App Server that can decrypt and verify the integrity veredict, both on Google’s servers (through the Google API) and locally, as well as generate nonces. The source code is available on github here.
All the keys and credentials presented on the properties file and unit tests are fake and meant for test and demonstration only.
If you find some problem, have improvement suggestions or this helps you somehow, fell free to open an issue or drop a message.