Google Play Integrity

2 Google Play Integrity

This topic describes the systematic instruction to Google Play Integrity option.

Go to URL https://console.developers.google.com/
Create a new Project and set name of you project.

Description of the illustration mnandrd13.png
ChooseAPI’s & Services option from side bar.
In API’s & Services → Dashboard → Choose Enable APIS AND SERVICES.

Description of the illustration mnandrd14.png
This will redirect to Library where we need to search Google Play Integrity API..

Description of the illustration mnandrd15-1.png

Description of the illustration mnandrd15-2.png
Click on Google Play Integrity API and enable it.

Description of the illustration mnandrd16.png
If the application usage is high, the quota request form needs to be submitted. Fill quota request form from below site. Also select below options.
https://support.google.com/googleplay/android-developer/contact/piaqr

Description of the illustration mnandrd15-3.png

Description of the illustration mnandrd15-4.png

Description of the illustration mnandrd15-5.png

Description of the illustration mnandrd15-6.png
Quota request - Estimated total queries per day * → The approximate load, Play Integrity API is called once each time the app in opened
Quota request - Estimated peak queries per second → Leave blank
To enable Play Integrity responses follow below steps:
Go to Google Play Console → Side Menu → App Integrity

Description of the illustration mnandrd15-7.png

Click on Settings.

Description of the illustration mnandrd15-8.png

Click on Link project and then link your existing google cloud project. If it is not created then create new and link the same.

Description of the illustration mnandrd15-9.png
Scroll down on the same screen and click on Change Responses.

Description of the illustration mnandrd15-10.png
Enable the Meet basic Integrity & Meets Strong Integrity option and save the changes.

Description of the illustration mnandrd15-11.png
Scroll down on the same screen and click on Edit button of classic requests section.

Description of the illustration mnandrd15-12.png
In the window that appears, select Manage and download my response encryption keys and follow below steps to generate response encryption keys-
1. Create a new private-public key pair. RSA key size must be 2048 bits using below command-
```
openssl genrsa -aes128 -out your_path/private.pem 2048
```
  Then use your password phrase for creating private.pem and also use the same password for verifying the private.pem. Then hit the below command.
```
openssl rsa -in your_path/private.pem -pubout -out your_path/public.pem
```
  Enter the same password which you have used while creating private.pem. These two files will now appear on your mentioned path. Then upload the public.pem file on the window which was appeared after clicking on Manage and download my response encryption keys option.Once you upload the public.pem file it will automatically download your_app_pkg_name.enc file. Then hit below command as,
```
openssl pkeyutl -decrypt -inkey your_path/private.pem -pkeyopt rsa_padding_mode:oaep -in
          your_path/com.demo.xz.enc > your_path/api_keys.txt.
```
  Enter the password for private.pem. It will create api_keys.txt file on your path. It must be consist of VERIFICATION_KEY and DECRYPTION_KEY.
2. Maintain this VERIFICATION_KEY and DECRYPTION_KEY in DIGX_FW_CONFIG_ALL_Btable corresponding to the following keys respectively:
```
PLAY_INTEGRITY_ENCRYPTION_KEY and PLAY_INTEGRITY_DECRYPTION_KEY 
```
  An example query will be:
```
update DIGX_FW_CONFIG_ALL_B 
        set prop_value = 'YOUR_DECRYPTION_KEY' 
        where prop_id =  'PLAY_INTEGRITY_DECRYPTION_KEY';
        update DIGX_FW_CONFIG_ALL_B 
        set prop_value = 'YOUR_ENCRYPTION_KEY' 
        where prop_id = 'PLAY_INTEGRITY_ENCRYPTION_KEY';
```
3. Similarly, Obtain the same keys for authenticator app by using above steps and then maintain those in DIGX_FW_CONFIG_ALL_Btable corresponding to the following keys respectively:
```
PLAY_INTEGRITY_ENCRYPTION_KEY_AUTHENTICATOR
```
  and PLAY_INTEGRITY_DECRYPTION_KEY_AUTHENTICATOR
  
  An example query will be:
```
update DIGX_FW_CONFIG_ALL_B 
set prop_value = 'YOUR_DECRYPTION_KEY' 
where prop_id =  'PLAY_INTEGRITY_DECRYPTION_KEY_AUTHENTICATOR';
update DIGX_FW_CONFIG_ALL_B 
set prop_value = 'YOUR_ENCRYPTION_KEY' 
where prop_id = 'PLAY_INTEGRITY_ENCRYPTION_KEY_AUTHENTICATOR';
```
  Description of the illustration mnandrd15-13.png
Add project number in below property of app.properties
<string name="GOOGLE_CLOUD_PROJECT_NO">@@GOOGLE_CLOUD_PROJECT NO</string>

You will get the project number on google cloud console project

Description of the illustration mnandrd15-14.png
Mention the time in seconds to which app can hit the play integrity api. By default it is 300seconds but you can configure as per the requirement.
Use below property in RootCheckFlags.java(workspace_installer/zigbank/platforms/android/app/src/main/java/com/ofss/digx/mobile/android/) long playIntegrityAPICallTime = your_time_in_seconds;

long playIntegrityAPICallTime = your_time_in_seconds;
Scroll down on the App Integritypage.
Navigate to Store listing visibility.

Click on Settings button.

Description of the illustration mnandrd15-15.png

Select Strong Integrity checks option and Save.

Description of the illustration mnandrd15-16.png

Note:
By enabling this setting your app will not be listed on play store of rooted device