Guidelines
Integrity API Guide

Integrity API Setup Guide

Prerequisites

Before you setup Google Play Integrity API with MineSec's SDKs, the following prerequisites should be conducted:

  • Play Console (Play Store Developer) account - you'll need to login and manage the application via the Play Console. It is recommended to upload your application (SoftPOS app) to the play console once, this is for Google to sign the application
  • Google Cloud Platform (GCP) account - you'll also need to create new or use existing GCP project for the Google Play Integrity API
Supported MineHades SDK version: 1.10.105.11+

How does Google Integrity API works

MineSec uses Play Integrity API (opens in a new tab) as one of the measures to verify the SoftPOS application's authenticity.

Your app must set up for the Play Integrity API beforehand to enable this checking with MineSec's Attestation & Monitoring service (AMS).

The diagram below show a high level sequence of how the SDK & AMS incorporate with the integrity API service:


  1. SDK start attestation.
  2. SDK generate the nonce.
  3. SDK call the Play Integrity API, passing the nonce. (the Play Integrity library would also collect data such as the app package name)
  4. SDK receive a signed and encrypted verdict (IntegrityToken) from the Integrity API.
  5. SDK pass this encrypted verdict to AMS, the AM service is managed by MineSec (on AWS) in DSS/ MPoC compliant environment
  6. AMS decrypt and verify the verdict.
  7. AMS process the attest result, based on the integrity verdict & the COTS baseline rules.
  8. AMS sends the attest result back to the SDK, and the SoftPOS app could carry on further operation like key ops and transactions.

Setup Play Integrity API (via the Play Console)

Navigate to the App Integrity

Go to the Play Console (opens in a new tab) and select your application, navigate to the integrity tab


Play Console

Open the Play Integrity API Settings


Play Console

Edit the linked GCP project


Play Console

Link your existing GCP Project, or create a new GCP project

This GCP project will be managed by customer.

The default integrity API usage is 10k request monthly. If you wish to raise the request limit, please request to Google with the following form:

Play Integrity API Request Form (opens in a new tab)


Play Console

Edit the Responses' device integrity labels

This is to enable additional device integrity checks labels - MEETS_BASIC_INTEGRITY, MEETS_STRONG_INTEGRITY


Play Console

Edit the Classic request response encryption type


Play Console

Change to “Self-Managed” and upload AMS’s integrity RSA public cert

First please download the .pem file below:


MineSec's Public for Integrity Key

Or copy it here

ms_play_integrity_pub.pem
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvpUVV+OFaYNq4ncDa5CF
SQOyxpNkkgPtTckZZt1SL4cOX0fEHX4sp3r3tvYKKTXxGW9r7Lgg0Lk3I+dnBbuU
A14BM1W7jnUf4vWuH6/vZDTfWmkEWf9dVHdWRadiw5Hzq5j+/B+5I/wN0KfnhoIe
JuxIDR6O532rtT50lBmEhxkTDhypZs+etWaHzonbJKYzyOXA+yPFZVV9Xen45tpT
Hmz5VUxUeBCdLFrAgJqDcW4A5EhDZatFhc1KnLAsupZFtrNqfFhRGyjk3YaKBTut
OGhX4qlAK6InpHGDTvIf98BElFsbVM7JwfJqNwu8q/cUEZG2zi23mImbd62fNy6q
LwIDAQAB
-----END PUBLIC KEY-----

Then please download your app's encryption keys with MineSec's public as the wrapping

The public key serve as the wrapping key for safely download the decryption key & signing key for the IntegrityToken verdict.

💡

The .enc file is generated per application. i.e. if you have multiple applications you’ll need to repeat the steps above per Play Console application.