How it works
Automatic protection can add the following features to your app:
Automatic protection can add a Google Play installer check to your app’s code that happens at runtime when your app is opened. If the installer check fails, users will be prompted to get your app on Google Play.
Benefits: This helps more users to get your official app updates from Google Play.
Note: This feature is only available to select Play partners.
Automatic protection can add runtime checks to your app’s code to detect modification and use advanced obfuscation techniques to prevent the checks from being removed or reverse engineered. If the checks fail, the user will be prompted to get your app on Google Play or the app will not run.
Benefits: When combined with Google Play installer checks, anti-tamper protection prevents attackers from bypassing your distribution or monetization preferences through unauthorized modification, repackaging, redistribution, and piracy.
Note: Anti-tamper protection cannot guarantee prevention of all modification and redistribution. It makes these actions more complex and costly, and so reduces the likelihood of them being successful. Google Play will continually strengthen anti-tamper protection so that new releases will automatically get the latest and strongest version of protection.
Sharing app telemetry, such as anonymized environment and performance data with Google Play helps us improve the resilience and performance of anti-tamper protection. You can opt out of sharing app telemetry by turning off "Share app telemetry with Google" on the Automatic protection settings page (Test and release > App integrity and scroll down to Automatic protection). Learn more about how data is used to develop Google services.
Note: This feature is only available to select Play partners.
Automatic protection can ensure that your app is only made available on Google Play to users on devices that pass device integrity checks and, for apps targeting a minimum API level of 28 or higher, can add device integrity checks and an hardware-backed encryption layer to your app’s runtime anti-tamper protection.
Benefits: Device check ensures that your app is installed by Play on certified Android devices and makes it harder for attackers to run your app in unknown and emulated environments so they can attempt to bypass protective measures.
Note: Device check requires anti-tamper protection to be enabled. For apps with a minimum API level of 28 or higher, the device check adds a hardware-backed encryption layer to your app's anti-tampering defenses. Users may briefly see your Android splash screen when launching your app on a cold start.
Set up
The steps below describe what you need to do to start using automatic protections:
Automatic protection requires Google Play to create modified APKs and sign them on your behalf, so you must:
- Use Play App Signing.
- Publish with Android App Bundles.
Please also be aware of the following:
- Automatic protection requires your app to target a minimum API level of 21 or higher.
- Automatic protection works offline. However, installer checks periodically require a data connection if the Play Store app on the device has been offline for a prolonged period.
- Automatic protection replaces the need to use the Play Licensing library.
- When uploading your app to internal app sharing, protection is not applied. Only share internal app sharing links with trusted team members and do not share unprotected versions externally.
- Automatic protection is incompatible with code transparency for app bundles.
Additional prerequisites for anti-tamper protection
Note: This feature is only available to select Play partners.
To use anti-tamper protection, your app must:
- Target a minimum API level of API level 23 or higher. Targeting a midSDKVersion of 23+ will reach over 99% of active Android devices.
- Target one of the following ABIs: x86, x86_64, armeabi-v7a, and arm64-v8a. To update your app's targeted ABIs, update the Gradle settings. Other ABIs that are not used by active Android devices can be removed from your targeting without impacting your app's availability.
You can either turn on protection when creating a release or by going to the Protected with Play page.
When creating a release, expand the app bundle enhancements section, and next to "Automatic protection" click on Get started. Turn on Automatic protection and click save.
Or go to the Protected with Play page (accessible in the left hand menu on your app dashboard), scroll to Automatic protection, and click Get started. Turn on Automatic protection and click save.
Use each of the test tracks to test the protected app version to ensure there’s no unexpected impact on the user experience or performance.
We recommend including the following actions in your review:
- Test your game's launch, looking for crash-on-launch and any slow down in startup time.
If you find issues during the testing process, you have the option to turn off automatic protection. We recommend that you do not promote unprotected versions to open tracks or production.
To turn off integrity protection for an individual release:
- When preparing your release, expand the app bundle enhancements section and click on the info button next to automatic protection.
- Select Turn off protection for this release.
- Save your changes. The changes will be applied to this release. The next time you upload a release, the release will receive automatic protection again.
When ready, you can roll your release out to a production track in the Play Console, making your protected app available to all Google Play users in your chosen countries.
Customize your store listing when users visit from automatic protection prompts
Automatic protection can prompt users who obtain your app unofficially to get it on Google Play. When users tap on the prompt, they will be redirected to your store listing, where they can tap on the install (or buy or update) button to get your app from Play so that the app is added to the user’s Play library.
You can customize your store listing assets for any visitors who tap on the prompt, including your app’s name, icon, descriptions, and graphic assets. To do so:
- Open Play Console and go to the Protected with Play page (accessible in the left hand menu on your app dashboard).
- Scroll to the "Automatic protection" section.
- Click Manage.
- Scroll to the "Customize store listing" section.
- Click Create listing.
- Follow the instructions on the Create custom store listing page and click Save.
Alternatively, you can create the custom store listings for automatic protection prompts directly from Custom store listings page:
- Open Play Console and go to the Custom store listings page (Grow users > Custom Store Listings).
- Click Create listing, choose whether to create a new listing or duplicate an existing one, and click Next.
- In the "Listing details" section, scroll to Target audience.
- Select By URL and enter "playintegrity" in the text box.
- Fill in all other details and click Save.
playintegrity is a special keyword that’s reserved for integrity deeplinks, so it must be entered exactly and unaltered when setting up the custom store listing.Note: When using the device check, your store listing visibility preference cannot be changed. This is because the store listing visibility preference is managed on your behalf as part of checking that your app is installed and runs exclusively on genuine Android devices that pass device integrity checks. To make changes to store listing visibility, turn off device check.
Download an unprotected Play-signed app version
Recommended practices for anti-tamper protection
Note: This feature is only available to select Play partners.
Customize anti-tamper protection
You can customize anti-tamper protection to enhance your app's defense against tampering, guard against exfiltration of client secrets, and manage protection performance overhead.
Google Play will automatically deliver protected builds across all tracks: internal testing, closed, open, and production. You should test these versions thoroughly as usual. In particular:
- Test your game's launch, looking for crash-on-launch and any slow down in startup time. This is especially important with the device check.
- Test moments where your native code (C/C++) calls back out into Java (in your own code or third-party libraries), such as ads, logging, and social integration, authentication, or Android-specific features such as permission handling.
If you find issues during the testing process, you have the option to revert to a previous version of automatic protection that you may have already used in a previous release or you can turn off automatic protection. We recommend that you do not promote unprotected versions to open tracks or production.
If you upload your app’s build to internal app sharing directly, Google Play will not add protections. This is to allow you to use internal app sharing to upload debug builds and other similar builds.
Automatic protection may not be compatible with other runtime anti-tamper solutions, and trying to use them together may result in user issues. If your app performs other runtime checks, be sure to test your protected app thoroughly for issues before releasing it to open tracks.
If you publish unprotected versions to open tracks, or through other channels outside Google Play, your anti-tamper protection will no longer work. To maintain your app's integrity protection, you should only publish protected versions of your app to open tracks and production.
You may notice an increase in crashes that are a function of your app being protected; this is likely to indicate that automatic protection is working as intended. If an attacker unsuccessfully modifies your app, the runtime check will stop your app from running, predominantly by crashing the app.
Crashes that are not attributed to Google Play do not affect your Android vitals stability metrics. If you’re using other tools to analyze your crashes, such as Crashlytics, and you need a package name to filter by install source, the package name for the Google Play Store is "com.android.vending".
If you're worried about an adverse increase in crashes, you can report them to us with as much detail as possible and the team will investigate. We will respond to your report if we determine that the crashes relate to protection.
A cracked version is a version of your app that still works when it’s been modified or when it’s been installed outside Google Play if you require Google Play installation.
If you’ve identified a cracked version of your app, you can report it to us.
Note: This feature is only available to select Play partners.
Anti-tamper protection and other advanced features provided by automatic protection are available for apps and games that meet our eligibility criteria:
- At least $25,000 USD/month in consumer spend, or at least $20,000 USD in each of the previous six calendar months.
- Or at least 1,000,000 MAU and in a sensitive app category.
- Or be a part of a Google Play program, including Google Play Pass.
Eligibility criteria are subject to change. Partners who qualify for access under our criteria are informed via Play Console notifications and on the Protected with Play page.
If you're worried about an adverse increase in attacks because you no longer qualify for anti-tamper protection, contact developer support and provide as much detail as possible and the team will investigate. We will respond to your report accordingly.
Related content
- Learn about Protected with Play in Play Console.
- Learn about integrity and signing services on the Android developers site.