herzhenr / spic-android

A Simple Play Integrity Checker which uses Google Play Integrity API to check the Integrity of the Device
MIT License

Schedule tests #4

Open non-bin opened 10 months ago

non-bin commented 10 months ago

Feature request

I'd love to have the app automatically run a test every morning (and maybe through the day too) and send a notification if it fails (option to say if strong is required, or if device integrity is ok)

Maybe only allow this feature with a user API key

herzhenr commented 10 months ago

This is a really cool idea! The Play Integrity API sadly doesn't really use an API Key. You have to create a project in the Google Play Console and upload an APK there. Then Google knows this App belongs to this project and limits the amount of API requests to 10.000. If someone wants to host the app with their own limits you would need a Google Play Developer Account (costs 25€ if I remember correctly), create the project there, upload the APK and then your own rate limiting would apply. But I have plans to rate limit the amount of requests in my app per user and then maybe a request a day in the background would actually work without exceeding the 10.000 requests.

non-bin commented 10 months ago

Does that mean to test a version of the app, you have to load it through the Play Store? I was going to say I'd have a look at implementing scheduled tests over Christmas when I have some time, but that would be more hassle than it's worth.

herzhenr commented 10 months ago

It was quite some time ago when I created the app, but if I remember correctly there only has to be one version of the app available at the Google Play Console so Google can map the App to a Play Console Project. I think Google uses something like the package name of the app or something similar which is unique to determine the corresponding Play Console Project and make the Integrity request. If you change some code and build a new version the request still works, but in the integrity verdict the field app recognition verdict shows UNRECOGNIZED_VERSION, which makes sense as this specific version is unknown to Google, but the request works as normal. If you are motivated to implement some sort of scheduling over the holidays feel free to do so! I am very happy about contributions to the project :)
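
The pass/fail decision a scheduled check would need, as an added example that is not part of this thread or of the project's code: it takes an already decoded Play Integrity verdict payload, checks the configured device level (strong or device), and accepts `UNRECOGNIZED_VERSION` for self-built versions. The function names, the `allow_unrecognized_version` option and the sample payloads are assumptions constructed for illustration.

```python
import json

def evaluate(verdict_json, required="MEETS_DEVICE_INTEGRITY",
             allow_unrecognized_version=True):
    """Return (ok, reasons) for one decoded Play Integrity verdict payload."""
    verdict = json.loads(verdict_json)
    reasons = []
    # deviceRecognitionVerdict is a list of labels; it is empty or absent when
    # the device meets none of them, so fall back to an empty set.
    device = verdict.get("deviceIntegrity") or {}
    labels = set(device.get("deviceRecognitionVerdict") or [])
    if required not in labels:
        got = sorted(labels) or "no labels"
        reasons.append(f"device: {required} missing, got {got}")
    # A locally built version is reported as UNRECOGNIZED_VERSION, so a
    # self-built app must accept it or every scheduled run would fail.
    app = (verdict.get("appIntegrity") or {}).get(
        "appRecognitionVerdict", "UNEVALUATED")
    accepted = {"PLAY_RECOGNIZED"}
    if allow_unrecognized_version:
        accepted.add("UNRECOGNIZED_VERSION")
    if app not in accepted:
        reasons.append(f"app: {app}")
    return (not reasons, reasons)

def notification_text(verdict_json, required):
    """Text for a failure notification, or None when the check passes."""
    ok, reasons = evaluate(verdict_json, required)
    return None if ok else "Integrity check failed: " + "; ".join(reasons)

# Constructed sample payloads (not captured from a real device).
SELF_BUILT_DEVICE_OK = json.dumps({
    "appIntegrity": {"appRecognitionVerdict": "UNRECOGNIZED_VERSION"},
    "deviceIntegrity": {"deviceRecognitionVerdict": [
        "MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"]},
})
NO_LABELS = json.dumps({
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
    "deviceIntegrity": {},
})

if __name__ == "__main__":
    for level in ("MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"):
        print(level, "->", notification_text(SELF_BUILT_DEVICE_OK, level))
    print("no labels ->", notification_text(NO_LABELS, "MEETS_DEVICE_INTEGRITY"))
```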