Device Integrity
This section configures the new Google Play API introduced after the SafetyNet API deprecation in July 2023. For backwards compatibility, the old SafetyNet API key field is still present in Mobile Client Settings, but it should not be used unless necessary.
Configuration
In Veridium Manager, Play Integrity is configured for each integrated Android application. Unlike the Google SafetyNet Attestation API, validation requires setting up decryption and signing keys in order to verify the response. These keys are managed from the Google Play Developer Console.
The following configuration is available for each Android application:
App Package Name (required) - specifies the application package name
Is Enabled (required) - specifies if the Play Integrity should be enforced for the targeted application.
Allowed Device Recognition Verdicts (required) - the list of allowed device recognition verdicts provided by the Google Play Integrity API.
PLAY_RECOGNIZED - The app and certificate match the versions distributed by Google Play.
UNRECOGNIZED_VERSION - The certificate or package name does not match Google Play records. (required for debug builds or 3rd party distribution channels before the version is released on Google Play)
UNEVALUATED - Application integrity was not evaluated. A necessary requirement was missed, such as the device not being trustworthy enough.
Allowed App Recognition Verdicts (required) - the list of allowed device recognition verdicts provided by the Google Play Integrity API:
MEETS_DEVICE_INTEGRITY - The app is running on an Android device powered by Google Play services. The device passes system integrity checks and meets Android compatibility requirements. (recommended)
MEETS_BASIC_INTEGRITY - The app is running on a device that passes basic system integrity checks. The device may not meet Android compatibility requirements and may not be approved to run Google Play services. For example, the device may be running an unrecognized version of Android, may have an unlocked bootloader, or may not have been certified by the manufacturer.
MEETS_STRONG_INTEGRITY - The app is running on an Android device powered by Google Play services and has a strong guarantee of system integrity such as a hardware-backed proof of boot integrity. The device passes system integrity checks and meets Android compatibility requirements.
MEETS_VIRTUAL_INTEGRITY - The app is running on an Android emulator powered by Google Play services. The emulator passes system integrity checks and meets core Android compatibility requirements.
Decryption Key (required) - The Play Integrity API decryption key configured in Google Play Developer Console
Verification Key (required) - The Play Integrity API verification key configured in Google Play Developer Console
Token Validity Period (optional) - Allowed validation time window in seconds for the integrity token
If at least one configuration is enabled, the SDK will attempt to obtain the integrity token from the Play Integrity API. The result will be validated against the enabled configuration for the application that acquired the attestation.
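The validation described above, as an added example (not Veridium's code): it evaluates an already decrypted and signature-verified integrity payload against per-application settings. The configuration keys, the package name and the rule that one allowed device label is sufficient are assumptions; the payload field names follow Google's documented verdict format.

```python
import time

# Hypothetical per-application settings mirroring the fields listed above.
CONFIG = {
    "package_name": "com.example.authenticator",  # constructed value
    "enabled": True,
    "allowed_app_verdicts": {"PLAY_RECOGNIZED"},
    "allowed_device_verdicts": {"MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"},
    "token_validity_seconds": 120,
}

def evaluate_verdict(payload, config, now=None):
    """Return (accepted, reason) for an already decrypted and verified payload."""
    if not config["enabled"]:
        return True, "enforcement disabled"
    now = time.time() if now is None else now
    request = payload.get("requestDetails", {})
    app = payload.get("appIntegrity", {})
    device = payload.get("deviceIntegrity", {})
    # The token must have been requested by the configured package.
    if request.get("requestPackageName") != config["package_name"]:
        return False, "package name mismatch"
    # Reject stale tokens (replay window) and tokens dated in the future.
    try:
        age = now - int(request.get("timestampMillis")) / 1000.0
    except (TypeError, ValueError):
        return False, "missing timestamp"
    if age < 0 or age > config["token_validity_seconds"]:
        return False, "token outside validity period"
    if app.get("appRecognitionVerdict") not in config["allowed_app_verdicts"]:
        return False, "app verdict not allowed"
    # deviceRecognitionVerdict is a list; an empty or absent list means the
    # device met none of the integrity levels.
    labels = set(device.get("deviceRecognitionVerdict") or [])
    if not labels & config["allowed_device_verdicts"]:
        return False, "device verdict not allowed"
    return True, "ok"

def sample_payload(ts_ms, app_verdict, device_labels):
    """Constructed payload in the shape of a decoded Play Integrity verdict."""
    return {
        "requestDetails": {"requestPackageName": "com.example.authenticator",
                           "timestampMillis": str(ts_ms)},
        "appIntegrity": {"appRecognitionVerdict": app_verdict},
        "deviceIntegrity": {"deviceRecognitionVerdict": device_labels},
    }
```

A device that reports several labels passes as soon as one of them is in the allowed set, so allowing only MEETS_STRONG_INTEGRITY rejects devices that report just the basic and device labels.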
Default Configuration for Veridium Authenticator
The default configuration automatically enables the most restrictive protection for the Veridium Authenticator.