Date: 2022-11-21

The Google SafetyNet API is a service for verifying the trustworthiness of the Android operating system on a given mobile device. In this article we will look at the security it brings and how that will change as it is replaced by Google’s Play Integrity API.

The advantages and disadvantages of using SafetyNet are summarized below and a more in-depth analysis is available in one of our whitepapers here.

This is all interesting, but Google announced in June 2022 that the SafetyNet service would be phased out between June 2023 and June 2024, to be replaced by Google’s Play Integrity API service.

Google Play Integrity is clearly an upgrade of the SafetyNet implementation, and its primary purpose is to bring Google’s attestation capabilities into line with those of Apple, in the form of the Apple App Attest system.

However, although there are some enhancements in Play Integrity (for example it supports a wider range of older OS versions compared to SafetyNet), most of the challenges outlined above are still present.

Protecting end-to-end mobile platforms requires a comprehensive layered approach, as detailed in our Mobile Threats whitepaper. The mobile app, device and API all need to be secured and each layer needs to work together. Further, it is important that granular and flexible security policies can be applied and updated over time so that the protection can be tuned to the needs of the business and adjusted based on the activities of bad actors.

Remote attestation is an important component of securing a mobile business – it is significant and both Google and Apple now have services in this area – but it is not an answer on its own. A holistic view, based on an ongoing assessment of the current mobile and API threat landscape, is needed.

If you are considering how to improve the security of your Android platform then Google’s SafetyNet API, now being replaced by Play Integrity, should definitely be in your thoughts. However, you should equip yourself with the necessary information to make the correct decision about if, how and where to use these capabilities.

Specifically, we would suggest that you answer the following questions during your internal discussions:

We have a lot of knowledge and experience in this space and we would be delighted to help you navigate your way to the most effective set of security layers for your use case. Check out our SafetyNet whitepaper and/or contact us today and speak to one of our security experts so we can help: https://approov.io/product/consult



