Google Play’s latest security change could break many Android applications for some power users


Mishaal Rahman / Android Authority

TL;DR

  • Google’s Play Integrity API makes it much more difficult for users with rooted phones or custom ROMs to access certain applications because of improved security checks.
  • The update, now rolled out by default as of May 2025, enforces stricter hardware-backed security signals for integrity verdicts on devices running Android 13 or later.
  • Although this change aims to protect applications from abuse, it has a negative impact on legitimate power users and potentially those on older devices without recent security patches.

Compared to the billions of regular Android users, the number of people who root their Android phones or install custom ROMs is tiny. Although I would not say that Google is actively hostile to these power users, the company’s efforts to strengthen the security of Android applications have the unfortunate side effect of degrading their experience. Google’s latest update to the Play Integrity API, for example, lets developers protect their applications more easily from abusive users while making it harder for legitimate power users to use certain applications.

The Play Integrity API is a tool that developers can use to check that incoming interactions and server requests come from an unmodified version of their app binary running on a genuine Android device. Many developers use this API to mitigate app abuse that could lead to lost revenue or data. For example, the API can help prevent users from accessing premium content without paying, or it can help protect sensitive financial data by blocking access from devices that could potentially be compromised.

The problem for power users who root their phones or install a custom ROM lies in Google’s definition of a “genuine” Android device: one running a version of Android certified by Google Play. This definition intrinsically excludes almost all custom ROMs, pushing many custom ROM users to use hacks to spoof certified builds. While many people who root their phones do not install a custom ROM, they unlock the bootloader as part of the rooting process. This step makes their devices fail the strictest Play Integrity checks, locking them out of many restaurant, medical, gaming, banking and payment applications, as these types of applications often use the strict API verdicts.

Previously, the Play Integrity API and its predecessor, the SafetyNet Attestation API, were not much of a concern for power users, because they could often find easy workarounds. However, Google has moved to enforce hardware-backed security signals. These are much more difficult to get around because, unlike the simpler methods of the past, they are rooted in the hardware itself. Although these hardware-based checks offer more robust security, power users had found some respite in the fact that Google did not universally enforce its strictest checks.

In addition, it was up to application developers to decide whether they wanted hardware-backed signals to be enforced. This gave developers the flexibility to restrict the use of their applications as they saw fit. For example, banking or payment applications have often gone out of their way to verify that devices pass hardware-backed signals, but now these signals are part of the Play Integrity baseline for all API integrators.

In December of last year, Google announced a major update to the Play Integrity API that strengthens the “basic”, “device” and “strong” integrity verdicts on devices running Android 13 or later. The “device” and “strong” integrity verdicts are the two most rigorous verdicts that applications can receive when calling the Play Integrity API. The “basic” verdict, being less rigorous, is not widely used by developers who are looking for higher security levels.

In the past, only the “strong” integrity verdict used hardware-backed security signals. As of last December, however, Google made all the integrity verdicts even stricter: the “device” integrity verdict was updated to also use hardware-backed security signals, while the “strong” integrity verdict was revised to require a security patch level from within the last year. Meanwhile, the “basic” integrity verdict was also updated to use hardware-backed signals, although because of its less strict requirements, it passes even on devices that are rooted or have an unlocked bootloader.

Google’s stated reasoning for this change was to make the Play Integrity API faster, more reliable and more private for users by reducing the number of signals that must be collected. These changes also make the API more difficult and more expensive for attackers to bypass.
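How a backend might act on the three verdict tiers described above, as an added example that is not code from Google or from this article: it takes an already-decoded classic-request verdict payload, binds it to the app and request, and grants actions by tier so that a device passing only “basic” keeps low-risk features. The label and field names follow the Play Integrity verdict payload; the action names, the policy table, the freshness window, the package name and the nonce are assumptions.

```python
import time

# Labels returned in deviceIntegrity.deviceRecognitionVerdict.
BASIC = "MEETS_BASIC_INTEGRITY"
DEVICE = "MEETS_DEVICE_INTEGRITY"
STRONG = "MEETS_STRONG_INTEGRITY"

# Hypothetical policy (assumption): label each action requires; None = no label needed.
REQUIRED = {"browse_catalog": None, "login": DEVICE, "transfer_funds": STRONG}
MAX_AGE_MS = 5 * 60 * 1000  # assumed freshness window for a verdict


def trusted_labels(payload, package, nonce, now_ms):
    """Return the device labels, or an empty set if the verdict cannot be trusted."""
    req = payload.get("requestDetails", {})
    # Bind the verdict to this app and this request before reading any label.
    if req.get("requestPackageName") != package or req.get("nonce") != nonce:
        return set()
    age = now_ms - int(req.get("timestampMillis", 0))
    if not 0 <= age <= MAX_AGE_MS:
        return set()
    if payload.get("appIntegrity", {}).get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return set()
    # A missing or empty list means the device passed no integrity check.
    return set(payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))


def allowed_actions(payload, package, nonce, now_ms=None):
    """Map a decoded verdict payload to the actions the policy permits."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    labels = trusted_labels(payload, package, nonce, now_ms)
    return {a for a, need in REQUIRED.items() if need is None or need in labels}


def sample_payload(labels, now_ms, nonce="c2FtcGxlLW5vbmNl"):
    """Constructed sample of a decoded classic-request verdict (not real data)."""
    return {
        "requestDetails": {"requestPackageName": "com.example.app",
                           "nonce": nonce, "timestampMillis": str(now_ms - 1000)},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
        "deviceIntegrity": {"deviceRecognitionVerdict": labels},
    }
```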

At the time of the announcement, these updated integrity verdicts were not immediately enforced. Google made them opt-in for developers, but said that all “[Play Integrity] API integrations would automatically transition to the new verdicts in May 2025.”

Well, it’s now May, and Google is keeping its promise. At Google I/O 2025, the company announced that it had flipped the switch and made all the stronger integrity verdicts the default. During the “What’s new in Google Play” session, Raghavendra Hareesh, who leads Play Developer and Play Monetization at Google, said that the company is “deploying stronger verdicts for all developers with no additional developer work required.”

“The Play Integrity API is an essential tool in any complete security strategy, helping you defend the experience of your application.

And we continue to develop the Play Integrity API to stay ahead of all the threats that exist. So, today, we are deploying stronger verdicts for all developers with no additional developer work required. This makes it faster, more reliable and more friendly to check if a device is trustworthy. Developers can also check whether a device has recently installed a security update, which is very important for applications that protect sensitive actions.”

Raghavendra Hareesh, Play Developer and Play Monetization lead at Google

This means that power users who root their phones or install a custom ROM may suddenly find that some applications stop working, especially on devices running Android 13 or later. Even users with unrooted Android 13+ devices can run into problems if their devices have not received a software update for some time. That is because applications checking the “strong” integrity verdict require a recent security patch level to pass.


Error message in the Pokémon GO application when the device fails its Play Integrity checks

Google’s full enforcement of hardware-backed security signals has been planned for some time. Although power users previously found simple ways to get around earlier measures – often by tricking the Play Integrity API into relying on more easily spoofed software checks – these methods were never permanent solutions. It was therefore only a matter of time before these users ran into broken applications.

Soon, easy workarounds will probably disappear, leaving users with no choice other than resorting to shady leaks or restoring their devices to stock. Thus, although Google’s main objective with these changes is to improve application security for everyone, they nevertheless degrade the experience of these power users.

Thanks to security researcher Linuxct for his contributions to this article!
