SafetyNet Verify Apps API, Google Play Protect at your fingertips

Posted by William Luh, Software Engineer

Google Play Protect, which
includes the Verify Apps security feature, helps keep users safe from harmful
apps. Google Play Protect is available on all Android devices with Google Play
installed and provides users with peace of mind and insights into the state of
their device security.

App developers can get similar security insights into the installed apps
landscape on user devices from the SafetyNet href="https://developer.android.com/training/safetynet/verify-apps.html">Verify
Apps API. This new suite of APIs lets developers determine whether a user's
device is protected by Google Play Protect, encourage users not already using
Google Play Protect to enable it, and identify any known href="https://source.android.com/security/reports/Google_Android_Security_PHA_classifications.pdf">potentially
harmful apps (PHAs) that are installed on the device.

These APIs are especially useful for developers of apps that may be impacted by
installed PHAs on the same device as their app. Determining that Google Play
Protect is enabled with isVerifyAppsEnabled() gives developers
additional assurance that a device is more likely to be clean. If a device
doesn't have Google Play Protect enabled, developers can request that the user
enable Google Play Protect with enableVerifyApps(). With Google
Play Protect enabled, developers can use the listHarmfulApps()
method to determine whether there are any potentially harmful apps installed on
a user's device. This easy-to-use suite of features does not require
API keys and requesting quota.

Enterprise-focused apps in particular may benefit from using the Verify Apps
API. Enterprise apps are designed to safeguard a company's data from the outside
world. These apps often implement strict enforcements, such as ensuring the
mobile device is approved by the enterprise and requiring a strong password for
lockscreens. If any of the criteria are not satisfied, the enterprise may revoke
credentials and remove sensitive data from the device. Having a mechanism to
enforce Google Play Protect and scan for PHAs is another tool to help enterprise
app developers keep enterprise data and devices safe.

For better protection, developers should use the href="https://android-developers.googleblog.com/2017/04/safetynet-attestation-building-block.html">attestation
API along with the new Verify Apps API. Use the attestation API first to
establish that the device has not been modified from a known state. Once the
Android system can be trusted, the results from the Verify Apps API can be
trusted. Existing attestation API users may find additional benefits in using
the Verify Apps API as it may be able to detect on-device PHAs. In general,
using multiple signals for anti-abuse detection is encouraged.

To learn how to use this API in your app, check out the href="https://developer.android.com/training/safetynet/verify-apps.html">developer
docs.