Integrity API Setup Guide
Prerequisites
Before you setup Google Play Integrity API with MineSec's SDKs, the following prerequisites should be conducted:
- Play Console (Play Store Developer) account - you'll need to login and manage the application via the Play Console. It is recommended to upload your application (SoftPOS app) to the play console once, this is for Google to sign the application
- Google Cloud Platform (GCP) account - you'll also need to create new or use existing GCP project for the
Google Play Integrity API
1.10.105.11+
How does Google Integrity API works
MineSec uses Play Integrity API (opens in a new tab) as one of the measures to verify the SoftPOS application's authenticity.
Your app must set up for the Play Integrity API beforehand to enable this checking with MineSec's Attestation & Monitoring service (AMS).
The diagram below show a high level sequence of how the SDK & AMS incorporate with the integrity API service:
- SDK start attestation.
- SDK generate the nonce.
- SDK call the Play Integrity API, passing the nonce. (the Play Integrity library would also collect data such as the app package name)
- SDK receive a signed and encrypted verdict (
IntegrityToken
) from the Integrity API. - SDK pass this encrypted verdict to AMS, the AM service is managed by MineSec (on AWS) in DSS/ MPoC compliant environment
- AMS decrypt and verify the verdict.
- AMS process the attest result, based on the integrity verdict & the COTS baseline rules.
- AMS sends the attest result back to the SDK, and the SoftPOS app could carry on further operation like key ops and transactions.
Setup Play Integrity API (via the Play Console)
Navigate to the App Integrity
Go to the Play Console (opens in a new tab) and select your application, navigate to the integrity tab
Open the Play Integrity API Settings
Edit the linked GCP project
Link your existing GCP Project, or create a new GCP project
This GCP project will be managed by customer.
The default integrity API usage is 10k request monthly. If you wish to raise the request limit, please request to Google with the following form:
Edit the Responses' device integrity labels
This is to enable additional device integrity checks labels - MEETS_BASIC_INTEGRITY
, MEETS_STRONG_INTEGRITY
Edit the Classic request response encryption type
Change to “Self-Managed” and upload AMS’s integrity RSA public cert
First please download the .pem
file below:
MineSec's Public for Integrity Key
Or copy it here
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvpUVV+OFaYNq4ncDa5CF
SQOyxpNkkgPtTckZZt1SL4cOX0fEHX4sp3r3tvYKKTXxGW9r7Lgg0Lk3I+dnBbuU
A14BM1W7jnUf4vWuH6/vZDTfWmkEWf9dVHdWRadiw5Hzq5j+/B+5I/wN0KfnhoIe
JuxIDR6O532rtT50lBmEhxkTDhypZs+etWaHzonbJKYzyOXA+yPFZVV9Xen45tpT
Hmz5VUxUeBCdLFrAgJqDcW4A5EhDZatFhc1KnLAsupZFtrNqfFhRGyjk3YaKBTut
OGhX4qlAK6InpHGDTvIf98BElFsbVM7JwfJqNwu8q/cUEZG2zi23mImbd62fNy6q
LwIDAQAB
-----END PUBLIC KEY-----
Then please download your app's encryption keys with MineSec's public as the wrapping
The public key serve as the wrapping key for safely download the decryption key & signing key for the IntegrityToken verdict.
The .enc
file is generated per application. i.e. if you have multiple
applications you’ll need to repeat the steps above per Play Console
application.