I want to test the integrity judgment with the Google Play Integrity API

Question

I'm trying to introduce an integrity check using the Play Integrity API to my Android application. After implementing it all the way through and testing it from the application that has undergone binary modification referring to the contents here, the value of appRecognitionVerdict in the integrity field of the application in the response is PLAY_RECOGNIZED, which means that it is illegal. It didn't seem to be detected.

What kind of cheating actually causes the Play Integrity API to return a value other than PLAY_RECOGNIZED?

Answer 1

In the documentation, it says that there could be other values for this key:

appRecognitionVerdict can have the following values:

PLAY_RECOGNIZED The app and certificate match the versions distributed by Google Play.

UNRECOGNIZED_VERSION The certificate or package name does not match Google Play records.

UNEVALUATED Application integrity was not evaluated. A necessary requirement was missed, such as the device not being trustworthy enough.

I believe the easiest incorrect result to obtain would be UNRECOGNIZED_VERSION, for testing it I would try to build a version with an unpublished version code (i.e. greater than any version published on the Play Store) or an invalid package name (but maybe building the app would fail with this option). In my own tests, simply building an app that is not published on the Play Store (i.e. built locally) is enough to trigger this verdict.

I do not understand exactly what you mean by the binary modification, I mean what changes you made in the binary. The token verification system is probably more sensitive to some binary changes than others.

You could also try to build your app with a different keystore (if you use a keystore that you have listed a SHA in the Firebase settings, it is likely going to be considered as safe/recognized).