{"id":29560717,"url":"https://github.com/herzhenr/spic-android","last_synced_at":"2025-10-20T02:45:04.143Z","repository":{"id":164813226,"uuid":"588969794","full_name":"herzhenr/spic-android","owner":"herzhenr","description":"A Simple Play Integrity Checker which uses Google Play Integrity API to check the Integrity of the Device","archived":false,"fork":false,"pushed_at":"2024-06-09T20:49:52.000Z","size":927,"stargazers_count":151,"open_issues_count":6,"forks_count":18,"subscribers_count":6,"default_branch":"main","last_synced_at":"2024-06-09T21:56:33.090Z","etag":null,"topics":["android","jetpack-compose","kotlin","playintegrity","safetynet"],"latest_commit_sha":null,"homepage":"","language":"Kotlin","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/herzhenr.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-01-14T16:37:21.000Z","updated_at":"2024-06-09T20:49:56.000Z","dependencies_parsed_at":"2024-06-09T21:50:19.842Z","dependency_job_id":"599edc9c-67d7-4d64-861b-71d7a675d1a4","html_url":"https://github.com/herzhenr/spic-android","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/herzhenr/spic-android","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/herzhenr%2Fspic-android","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/herzhenr%2Fspic-android/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/herzhenr%2Fspic-android/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/herzhenr%2Fspic-android/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/herzhenr","download_url":"https://codeload.github.com/herzhenr/spic-android/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/herzhenr%2Fspic-android/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265785868,"owners_count":23828165,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android","jetpack-compose","kotlin","playintegrity","safetynet"],"created_at":"2025-07-18T15:30:23.721Z","updated_at":"2025-10-20T02:45:04.041Z","avatar_url":"https://github.com/herzhenr.png","language":"Kotlin","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cimg src=\"docs/icon.png\" width=\"96\" align=\"right\" /\u003e\n\n# SPIC - Simple Play Integrity Checker\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://opensource.org/licenses/MIT\"\u003e\u003cimg src=\"https://img.shields.io/badge/License-MIT-green.svg\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://kotlinlang.org\"\u003e\u003cimg src=\"https://img.shields.io/badge/Kotlin-%237F52FF.svg?\u0026logo=kotlin\u0026logoColor=white\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://www.android.com\"\u003e\u003cimg src=\"https://img.shields.io/badge/Android-3DDC84?\u0026logo=android\u0026logoColor=white\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://play.google.com/store/apps/details?id=com.henrikherzig.playintegritychecker\"\u003e\u003cimg src=\"https://img.shields.io/badge/Google_Play-414141?logo=google-play\u0026logoColor=white\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/herzhenr/spic-android/releases\"\u003e\u003cimg src=\"https://img.shields.io/github/release/herzhenr/spic-android.svg?logo=github\u0026color=blue\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\nSPIC (short for **S**imple **P**lay **I**ntegrity **C**hecker) is a simple Android App that demonstrates the usage of the [PlayIntegrity API](https://developer.android.com/google/play/integrity) as well as the deprecated [SafetyNet Attestation API](https://developer.android.com/training/safetynet/attestation).\n\n[\u003cimg src=\"docs/googlePlay.png\"\n     alt=\"Get it on Google Play\"\n     height=\"80\"\u003e](https://play.google.com/store/apps/details?id=com.henrikherzig.playintegritychecker)\n\n\n# Usage\nThe app sends a request to the Play Integrity API or SafetyNet Attestation API verifies the request locally on the Android Device or on a remote Server using the [Server Implementation](https://github.com/herzhenr/spic-server) (URL can be defined in settings) and shows the result of the verdict to the user. The Raw JSON result can also be viewed and copied to the clipboard.\n\nBefore calling the API to do the attestation a nonce has to be generated which can happen on the device locally (only recommended for testing purposes) or on the server implementation (recommended for production). When using the PlayIntegrity API the verdict check can also be toggled between google and server. The only difference is when using the server the response encryption keys are managed locally on the server and the decryption of the verdict takes place here whereas when using the google option they are managed by google directly and the verdict is decrypted there.\n\nOn the settings page a url to reach the Server Implementation can be set. Toggeling between System/Light/Dark mode of the app can be done here as well. The about page contains some more resources about the used APIs as well as the App itself.\n\n# Disclaimer\nIf you plan on using the Play Integrity / SafetyNet Attestation API in your own app, you should propably use a encrypted connection between the server and the client. Local checks on the Android Devices shouldn't be implemented either. Ideally you should pair this API with another authentication method. Be warned: This implementation is just a proof of concept!\n\n# Screenshots\n\nPlay Integrity Request            |  supports Dark Mode\n:-------------------------:|:-------------------------:\n![play_integrity](docs/playIntegrityLight.png)  |  ![dark_mode](docs/safetyNetJsonDark.png) \n\nSettings Page             |  About Page\n:-------------------------:|:-------------------------:\n![settings](docs/settingsLight.png)  | ![about](docs/aboutLight.png)\n\n# Download\n\n- [Google Play](https://play.google.com/store/apps/details?id=com.henrikherzig.playintegritychecker)\n- [GitHub Releases](https://github.com/herzhenr/spic-android/releases)\n\n# Build\n\n- build the app using AndroidStudio or the `gradlew :app:aR` command\n- if the server functionality is desired, refer to the documentation of the [Server Implementation](https://github.com/herzhenr/spic-server) to set things like environment variables\n\nSome sepcific notes to use the SafetyNet and PlayIntegrity API:\n\n## SafetyNet:\n- Obtain an API Key for the SafetyNet Attestation API from Google follwing the [official documentation](https://developer.android.com/training/safetynet/attestation#obtain-api-key)\n- add it to to `local.properties` as `api_key=...`\n\n## PlayIntegrity:\n- in order to decrypt the integrity verdict locally on the device or the server you have to manage the corresponding decryption and verification keys by yourself. This is only possible if you have a paid Google Developer Account and registered the app bundle in the [Google Play Console](https://play.google.com/console/about/). Navigate to **Release** -\u003e **Setup** -\u003e **AppIntegrity** -\u003e **Response encryption**, click on **Change** and choose **Manage and download my response encryption keys**. Follow the instructions to create a private-public key pair in order to download the encrypted keys.\n- add the keys to `local.properties` as `base64_of_encoded_decryption_key=...` and `base64_of_encoded_verification_key=...`\n\nFinal local.properties file should look like this:\n```\nsdk.dir = YOUR SDK PATH\napi_key = YOUR KEY\nbase64_of_encoded_decryption_key = YOUR DECRYPTION KEY\nbase64_of_encoded_verification_key = YOUR VERIFICATION KEY\n```\n\n# Architecture\nThe app is being developed with the help of Jetpack Compose and makes use of the material 2 design components of google. The following APIs are used:\n- SafetyNet Attestation API \n- Play Integrity API\n# Credits\nSome parts of the app are inspired and contain code of the [YASNAC](https://github.com/RikkaW/YASNAC) app implementation of the SafetyNet Attestation API by RikkaW. Especially the UI of the verdict result are inspired from this app.\nSome other parts of the server implementation (google request for playIntegrity decrypt) are inspired by the app [Play Integrity API Checker](https://github.com/1nikolas/play-integrity-checker-app) by 1nikolas. \n\n\n# License\nMIT License\n\n```\nCopyright (c) 2023 Henrik Herzig\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fherzhenr%2Fspic-android","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fherzhenr%2Fspic-android","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fherzhenr%2Fspic-android/lists"}