feat(integrity): add Play Integrity API integration #74

Closed
lanthoor wants to merge 1 commit into main from feat/play-integrity

lanthoor (Owner) commented May 24, 2026

Summary

  • Hybrid Play Integrity check: backend-verified classic path first, falls back to on-device standard request when offline
  • Blocks app on Red verdict (rooted device / sideloaded APK) with a friendly error screen showing the reason
  • Green/Yellow/Unknown verdicts proceed normally
  • All checks skipped in debug builds (BuildConfig.DEBUG) for frictionless local/AVD testing — zero security risk since Play Store only ships release APKs
  • Secrets priority chain: CI env vars → local.properties → safe defaults (""/0L)

New Files

| File | Purpose |
|------|---------|
| domain/model/IntegrityVerdict.kt | Sealed class: Green / Yellow / Red / Unknown |
| domain/repository/PlayIntegrityRepository.kt | Repository interface |
| data/repository/PlayIntegrityRepositoryImpl.kt | Hybrid path implementation with debug bypass |
| data/remote/BackendIntegrityApi.kt | Retrofit service for backend |
| data/remote/dto/IntegrityDto.kt | Request/response DTOs |
| di/NetworkModule.kt | Hilt module for OkHttp + Retrofit |
| di/IntegrityModule.kt | Hilt module binding repository |
| ui/viewmodels/IntegrityViewModel.kt | HiltViewModel, runs check on init, catches errors |
| ui/screens/IntegrityBlockScreen.kt | Block screen with error details + retry + action guidance |

Modified Files

| File | Change |
|------|--------|
| gradle/libs.versions.toml | Added play-integrity, retrofit, okhttp deps |
| app/build.gradle.kts | Dependencies + env/local.properties-based BuildConfig |
| app/proguard-rules.pro | Keep rules for Play Integrity + Retrofit |
| app/src/main/res/values/strings.xml | Block screen strings (title, message, error label, action) |
| MainActivity.kt | IntegrityViewModel wired in, gates UI before initialization |
| .github/workflows/release.yml | Inject INTEGRITY_BACKEND_URL + CLOUD_PROJECT_NUMBER secrets |

Configuration

Add to GitHub Actions secrets:

  • INTEGRITY_BACKEND_URL — Cloud Function URL
  • CLOUD_PROJECT_NUMBER — GCP project number

Add to local.properties (dev only, already gitignored):

integrity.backend.url=<your cloud function URL>
cloud.project.number=<your GCP project number>

Hybrid approach: tries backend-verified classic path first, falls
back to on-device standard request when offline. Blocks app on Red
verdict (rooted device / sideloaded APK). Green/yellow/unknown
verdicts proceed normally.

Secrets priority: CI env vars -> local.properties -> safe defaults.
All checks skipped in debug builds for frictionless local/AVD testing.

Requires: GCP Cloud Function backend for token decryption.

lanthoor force-pushed the feat/play-integrity branch from 754357c to 16f6cfc, May 24, 2026 06:30
lanthoor closed this, May 24, 2026
lanthoor deleted the feat/play-integrity branch, May 24, 2026 06:35
lanthoor restored the feat/play-integrity branch, May 24, 2026 06:35
lanthoor deleted the feat/play-integrity branch, May 24, 2026 06:48
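
A sketch of the gating policy the PR description lays out, as an added example that is not code from this pull request. The Green/Yellow/Red/Unknown names, the backend-first order, the debug bypass and block-on-Red come from the description; the `DecodedVerdict` DTO, the mapping in `classify`, the `resolve` signature and the Green result for debug builds are assumptions, and the verdict strings are Play Integrity API values.

```kotlin
import java.io.IOException

sealed class IntegrityVerdict {
    object Green : IntegrityVerdict()
    object Yellow : IntegrityVerdict()
    data class Red(val reason: String) : IntegrityVerdict()
    data class Unknown(val cause: String) : IntegrityVerdict()
}

// Hypothetical DTO for the fields the backend returns after decrypting a token.
data class DecodedVerdict(val deviceRecognition: Set<String>, val appRecognition: String)

// Assumed mapping; the PR only states that Red means rooted device or sideloaded APK.
fun classify(v: DecodedVerdict): IntegrityVerdict = when {
    v.appRecognition == "UNRECOGNIZED_VERSION" -> IntegrityVerdict.Red("APK not recognized by Google Play")
    v.appRecognition == "UNEVALUATED" -> IntegrityVerdict.Unknown("App integrity was not evaluated")
    v.deviceRecognition.isEmpty() -> IntegrityVerdict.Red("Device failed integrity checks")
    "MEETS_DEVICE_INTEGRITY" in v.deviceRecognition -> IntegrityVerdict.Green
    else -> IntegrityVerdict.Yellow // for example, only MEETS_BASIC_INTEGRITY
}

// Backend-verified path first, on-device path if it throws, Unknown if both fail.
fun resolve(
    isDebug: Boolean,
    backend: () -> IntegrityVerdict,
    onDevice: () -> IntegrityVerdict,
): IntegrityVerdict {
    if (isDebug) return IntegrityVerdict.Green // assumption: skipped checks report Green
    return try {
        backend()
    } catch (e: IOException) {
        try { onDevice() } catch (e2: Exception) { IntegrityVerdict.Unknown("no path completed: ${e2.message}") }
    }
}

// Only Red blocks, so Unknown (no completed check) lets the app proceed.
fun shouldBlock(v: IntegrityVerdict): Boolean = v is IntegrityVerdict.Red

fun main() {
    val rooted = DecodedVerdict(emptySet(), "PLAY_RECOGNIZED") // constructed sample
    val clean = DecodedVerdict(setOf("MEETS_DEVICE_INTEGRITY"), "PLAY_RECOGNIZED") // constructed sample
    val offline: () -> IntegrityVerdict = { throw IOException("offline") }
    println(shouldBlock(resolve(false, { classify(rooted) }, { classify(clean) })))
    println(shouldBlock(resolve(false, offline, { classify(clean) })))
    println(shouldBlock(resolve(false, offline, offline)))
    println(shouldBlock(resolve(true, { classify(rooted) }, offline)))
}
```

The four calls in `main` cover a Red verdict from the backend, the offline fallback, both paths failing, and a debug build; only the first one blocks.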