Android is changing how Play Integrity works, and the shift is bigger than a routine API tweak. Google says the new verdicts are faster, harder to spoof, and more privacy-friendly, while also pushing more of the trust decision onto hardware-backed signals.
For developers, the practical question is not whether the API exists. It is what changes in the verdict you get, what changes in the cost to attack it, and what you need to adjust before the rollout reaches every integration.
What is changing#
Google says the technology behind the Play Integrity API is being updated on devices running Android 13 and above. Developers who already use the API can opt in to the new verdicts now. All integrations are scheduled to move automatically in May 2025.
The main technical shift is that the improved verdicts will require, and rely more heavily on, hardware-backed security signals through Android Platform Key Attestation. Google’s stated goal is to make bypassing the check significantly harder and more expensive for attackers.
The company also says it will adjust verdicts when it detects security threats across Android SDK versions, including cases with evidence of excessive activity or key compromise. That is notable because it does not require developer action. In other words, some of the policy layer is moving closer to the platform.
Google also claims the transition will reduce the device signals that need to be collected and evaluated on Google servers by about 90%. Its testing indicates verdict latency can improve by up to 80%.
Why it matters#
This is not just about speed. The privacy angle matters because fewer signals need to be collected and processed. If Google can keep the verdict useful while moving less data around, that is a cleaner tradeoff for users and a lower-friction path for apps that depend on the API.
The security angle matters even more. Play Integrity is meant to help apps detect suspicious activity and decide how to respond to abuse such as fraud, bots, cheating, and data theft. Google says apps using Play Integrity features have seen 80% less unauthorized usage on average compared to other apps. That is a platform claim, not a universal law, but it explains why the company is continuing to harden the API.
The new behavior also makes the verdict more specific about trust. Google is updating the optional meets-strong-integrity response so that on Android 13 and above it requires a security update within the last year. For apps with higher security needs, that gives a clearer signal for handling sensitive flows such as money transfers, account recovery, or admin actions.
There is also a change in how verdicts are standardized. Apps installed through Google Play can receive enhanced verdicts with optional signals, including the improved meets-strong-integrity device verdict and a recently launched signal that helps detect apps capable of capturing the screen or controlling the device. That can help apps respond to scams or malicious activity.
For apps installed outside Google Play, and for other API requests, the verdict is narrower. You still get device, account license, and app information, but not the extra security signals.
What developers should do now#
If you already use Play Integrity, the first step is simple: check whether you can opt in to the new verdicts now instead of waiting for the automatic transition.
Then review any code that assumes meets-strong-integrity means the same thing on every Android version. Google says developers can use a device attributes field to adjust behavior based on the user’s Android SDK version. That matters because the legacy definition on Android 12 and lower is not identical to the enhanced definition on Android 13 and higher.
For sensitive features, build a fallback. Google explicitly recommends this when the strong label is not available. That is the right posture for anything that cannot safely hinge on one verdict alone.
A practical reading of the change set looks like this:
- treat
meets-strong-integrityas a higher-confidence signal, not a binary promise - distinguish Android 13+ from older versions when enforcing policy
- expect stronger protection where hardware-backed attestation is available
- do not assume out-of-Play installs will get the same optional security signals
- review fallback paths before the automatic rollout in May 2025
The docs also include example code for the new device attributes field, which should help teams adapt policies without guessing at version behavior.
What not to overclaim#
The update does not make abuse disappear. It makes abuse more expensive and some forms of spoofing less practical. That is a meaningful improvement, but it is not the same as perfect device truth.
It also does not mean every app should use the strongest possible enforcement everywhere. Google’s own guidance points to fallback behavior when the strong label is not present. That is a reminder that trust signals are inputs to policy, not a replacement for it.
Finally, the privacy gain is real only if you read the change carefully. Fewer signals going to Google is an improvement, but developers still need to decide what they collect, what they store, and how much they rely on the verdict for account-level decisions.
Bottom line#
Play Integrity is moving toward a sharper default: faster verdicts, fewer collected signals, stronger hardware-backed checks, and more explicit handling of risky states. For security-sensitive apps, especially in finance, enterprise, and government, that should make policy easier to tune.
For everyone else, the key task is less dramatic: test the new verdicts, check version-specific behavior, and make sure your fallback path is still sane when the strong signal is missing.
The API is becoming more capable. The hard part is still the same: deciding how much trust your app should actually give the device in front of it.