Hacker News

well_ackshually today at 10:57 AM

Depending on the level of security you ask for Play Integrity, it can be:

* Is this device rooted, is it an unsigned build?

* Device is signed, but is it part of the blessed signing keys? Is Play services untampered with?

* Additional checks over the lifetime of the device.

You could fully trust the results of Play Integrity on device, but you can also send the returned token to your server, and your server then contacts Play Integrity to validate that token. So unless you know how to spoof those encrypted tokens, you won't go very far.

https://developer.android.com/google/play/integrity/overview
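
The server-side step described in the comment above, as an added example that is not part of the original thread: after the server has had Google decode the token, it still has to apply its own policy to the decoded verdict. Field names follow the Play Integrity classic-request verdict format; `check_verdict`, `sample`, the package name, nonce and timestamps are constructed for illustration, and the token decoding call itself is assumed to have already happened.

```python
import time

def check_verdict(payload, *, package, nonce, required_label,
                  now_ms=None, max_age_ms=120_000):
    """Return a list of reasons to reject; an empty list means accept."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons = []
    req = payload.get("requestDetails", {})
    # Bind the verdict to this app and to the challenge the server issued,
    # so a verdict obtained for another request cannot be replayed.
    if req.get("requestPackageName") != package:
        reasons.append("package mismatch")
    if req.get("nonce") != nonce:
        reasons.append("nonce mismatch")
    try:
        age = now_ms - int(req.get("timestampMillis"))
    except (TypeError, ValueError):
        age = None
    if age is None or not 0 <= age <= max_age_ms:
        reasons.append("stale or invalid timestamp")
    # The label list may be empty or absent when the device fails every check.
    labels = payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if required_label not in labels:
        reasons.append("device label missing: " + required_label)
    app = payload.get("appIntegrity", {})
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app not recognized by Play")
    return reasons

def sample(labels, nonce="c2VydmVyLWNoYWxsZW5nZQ", ts=1_700_000_000_000):
    """Constructed decoded verdict, not captured from a real device."""
    return {
        "requestDetails": {"requestPackageName": "com.example.bank",
                           "timestampMillis": str(ts), "nonce": nonce},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                         "packageName": "com.example.bank"},
        "deviceIntegrity": {"deviceRecognitionVerdict": labels},
    }

POLICY = dict(package="com.example.bank", nonce="c2VydmVyLWNoYWxsZW5nZQ",
              required_label="MEETS_DEVICE_INTEGRITY", now_ms=1_700_000_060_000)

if __name__ == "__main__":
    print(check_verdict(sample(["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"]), **POLICY))
    print(check_verdict(sample(["MEETS_BASIC_INTEGRITY"]), **POLICY))
    print(check_verdict(sample(["MEETS_DEVICE_INTEGRITY"], nonce="b2xk", ts=1_699_999_000_000), **POLICY))
```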


Replies

jonathanstrange today at 11:23 AM

So basically an alternative OS can offer a service like Play Integrity and the only problem is that those banks hard-code a dependence on Google's Play Integrity and Google has a monopoly for that service?

This is something that could be addressed at least in the EU by mandating banks to allow alternative services or not use this service at all.
