
How to reliably verify that an entity that is contacting the backend server is really an Android app that was downloaded from the Google Play? I verify in-app purchases with Google API, it has to be something similar?

I need a way to check this from the backend, so the app has to pass in some params that can then be sent from the server to the Google API for verification. Does such a thing exist?

All I found on the topic is this "guide": https://developer.android.com/google/play/licensing/server-side-verification which tells "what" to do in general terms, but not exactly "how" and tbh I wouldn't want to implement anything that can be called licensing..

dahuiwong
  • Does this answer your question? [How to know an application is installed from google play or side-load?](https://stackoverflow.com/questions/10809438/how-to-know-an-application-is-installed-from-google-play-or-side-load) – EraftYps Jun 10 '20 at 21:58
  • The answer suggested above may help, but of course, a malicious client could simply fake it. Think of this another way: why do you care where the user installed the app from? Are you actually trying to catch non-official clients? (remember, someone might upload an unofficial client to Google Play, too...) If so, you should use the [SafetyNet Attestation API](https://developer.android.com/training/safetynet/attestation). – Ryan M Jun 11 '20 at 00:13
  • @RyanM SafetyNet has a limit of 5 requests per minute, which can be worked around, but isn't really ideal. I care about backend usage, because it translates into money loss and I do see client activity from suspicious sources, like for example I moved to use Firebase remote config recently, but still get new installs of older versions with previous live config provider from somewhere. I made the backend protect itself against abuse, but it also does provide free quota for users, so I'd rather give it to legitimate ones. – dahuiwong Jun 11 '20 at 09:41
  • I've never used SafetyNet myself, so I could be _way_ off on this, but I think that "individual app instances" means that each install on a different devices gets its own 5/minute quota. My basis for this guess is that 10000 requests in a day, the default quota, is an average of 6.9 requests per minute, which would exceed the 5/minute limit if it were across the entire install base. – Ryan M Jun 11 '20 at 10:05
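Whichever attestation API the backend ends up calling, the server-side part that actually protects the quota is the policy applied to the attestation statement: a nonce the server issued and bound to the request (so a statement cannot be replayed), freshness, the expected package name and signing-certificate digest, and the integrity verdicts. The following is an added example of those checks for a SafetyNet Attestation payload (the API suggested in the comments; it has since been deprecated in favour of the Play Integrity API, but the verification pattern is the same). It is not code from the question or from Google; it assumes the JWS signature and its x5c chain (leaf issued for attest.android.com) have already been verified by the caller, and the package name, certificate digest and nonce store are constructed placeholders.

```python
import base64
import hashlib
import secrets
import time

# Constructed policy values for this example (not from the question).
EXPECTED_PACKAGE = "com.example.app"
# base64 SHA-256 digest(s) of the app's release signing cert; constructed placeholder.
EXPECTED_CERT_DIGESTS = {"PLACEHOLDER_RELEASE_CERT_DIGEST="}
NONCE_TTL_SECONDS = 300
MAX_SKEW_MS = 2 * 60 * 1000
_issued_nonces = {}  # nonce -> issue time; a real backend uses a shared store with expiry

def issue_nonce(user_id, request_body, now=None):
    """Server-issued, single-use nonce that also binds the request it protects."""
    binding = hashlib.sha256(user_id.encode() + request_body).digest()
    nonce = base64.b64encode(secrets.token_bytes(16) + binding).decode()
    _issued_nonces[nonce] = time.time() if now is None else now
    return nonce

def check_attestation_payload(payload, user_id, request_body, now=None):
    """Return policy failures (empty list = accept) for a SafetyNet attestation
    payload whose JWS signature and x5c chain (leaf for attest.android.com)
    have already been verified by the caller (assumed here, not implemented)."""
    now = time.time() if now is None else now
    failures = []
    # 1. Nonce must be one we issued, unexpired, and consumed only once (anti-replay).
    nonce = payload.get("nonce", "")
    issued_at = _issued_nonces.pop(nonce, None)
    if issued_at is None:
        failures.append("nonce unknown or already used")
    elif now - issued_at > NONCE_TTL_SECONDS:
        failures.append("nonce expired")
    elif base64.b64decode(nonce)[16:] != hashlib.sha256(user_id.encode() + request_body).digest():
        failures.append("nonce not bound to this user/request")  # 2. request binding
    # 3. Attestation freshness, independent of nonce bookkeeping.
    if abs(now * 1000 - payload.get("timestampMs", 0)) > MAX_SKEW_MS:
        failures.append("attestation timestamp outside allowed window")
    # 4. Must be our package, signed with our release certificate.
    if payload.get("apkPackageName") != EXPECTED_PACKAGE:
        failures.append("unexpected package name")
    digests = set(payload.get("apkCertificateDigestSha256", []))
    if not digests or not digests <= EXPECTED_CERT_DIGESTS:
        failures.append("APK signing certificate not recognised")
    # 5. Device integrity verdicts from the attestation.
    for verdict in ("basicIntegrity", "ctsProfileMatch"):
        if not payload.get(verdict):
            failures.append(f"{verdict} failed")
    return failures
```

Because the nonce is consumed on first use and carries a hash of the user and request body, a captured attestation cannot be reused for another user or another request, which is what turns a per-install verdict into per-request protection of the free quota.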

0 Answers