JSPM

@motebit/crypto-play-integrity

1.1.3
  • License Apache-2.0

DEPRECATED & REMOVED — use @motebit/crypto-android-keystore for canonical sovereign-verifiable Android hardware attestation. This 1.1.3 is the final published version; the source has been removed from the motebit monorepo. No further releases will ship.

Package Exports

  • @motebit/crypto-play-integrity

Readme

@motebit/crypto-play-integrity — DEPRECATED & REMOVED

This package is no longer maintained. Use @motebit/crypto-android-keystore for canonical sovereign-verifiable Android hardware attestation. The source has been removed from the motebit monorepo; this published 1.1.3 is the final version. No further releases will ship.

npm i @motebit/crypto-android-keystore

Why deprecated

This package was scaffolded as a sibling of @motebit/crypto-appattest / @motebit/crypto-tpm / @motebit/crypto-webauthn — all of which verify against publicly-pinned trust anchors so any third party can independently reach the same yes/no answer. That sibling shape is structurally wrong for Google Play Integrity:

  • Google publishes no global Play Integrity JWKS. The verification public key is per-app, generated by Play Console for the developer, and never globally published — by Google's deliberate design.
  • Verification is either a network round-trip to Google's API (with the developer's service-account credentials) or local decryption with a per-app private key. Neither path is third-party verifiable.
  • The empty GOOGLE_PLAY_INTEGRITY_JWKS = { keys: [] } this package shipped with at v1.0.0 was the only honest representation of "no public JWKS exists" — but the package's name, description, and place in the canonical-leaf set all imply otherwise. That's the category error the deprecation corrects.

The architecturally-correct Android primitive — public-anchor, third-party-verifiable, no per-deployer secrets — is Android Hardware-Backed Keystore Attestation, shipped at @motebit/crypto-android-keystore since 2026-04-26.

Migration

- import { playIntegrityVerifier } from "@motebit/crypto-play-integrity";
+ import { androidKeystoreVerifier } from "@motebit/crypto-android-keystore";

  const result = await verify(credential, {
    hardwareAttestation: {
-     playIntegrity: playIntegrityVerifier({ expectedPackageName: "com.motebit.mobile" }),
+     androidKeystore: androidKeystoreVerifier({ expectedAttestationApplicationId }),
    },
  });
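
Review bot: On the `+` line `androidKeystore: androidKeystoreVerifier({ expectedAttestationApplicationId })`, the option is passed by shorthand but the identifier is never defined anywhere in the snippet, while the removed line carried a literal (`expectedPackageName: "com.motebit.mobile"`). Add a line showing where `expectedAttestationApplicationId` comes from or what form its value takes, so a reader migrating does not assume the old package-name string drops in unchanged. The unchanged `verify(credential, ...)` call also has no visible import; one context line for it would make the snippet self-contained.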

The claim.platform discriminator changes from "play_integrity" to "android_keystore". The mint side similarly switches from the expo-play-integrity Kotlin module to a KeyStore.getInstance("AndroidKeyStore") flow with setAttestationChallenge(SHA256(canonical body)). See the new package's README for the canonical wiring.
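
The challenge binding described above, sketched as an added example (not code from either motebit package): the verifier recomputes SHA-256 over the body it was actually given and compares it with the challenge bytes carried in the attestation. The function names and the sorted-key JSON canonicalization are assumptions made for illustration; the real canonical form is defined by the new package, and extracting the challenge from the attestation certificate is out of scope here.

```javascript
const { createHash, timingSafeEqual } = require("node:crypto");

// ASSUMPTION: "canonical body" = JSON with object keys sorted recursively.
// This stands in for the project's real canonicalization, which is not on this page.
function canonicalize(value) {
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  if (value !== null && typeof value === "object") {
    return "{" + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalize(value[k]))
      .join(",") + "}";
  }
  return JSON.stringify(value);
}

// Mint side: the bytes that would be handed to setAttestationChallenge().
function challengeFor(body) {
  return createHash("sha256").update(canonicalize(body), "utf8").digest();
}

// Verifier side: recompute from the presented body and compare in constant
// time with the challenge taken from the attestation. Anything that is not
// exactly 32 bytes is rejected before the comparison (fail closed).
function challengeBindsBody(body, attestedChallenge) {
  const expected = challengeFor(body);
  if (!(attestedChallenge instanceof Uint8Array)) return false;
  if (attestedChallenge.length !== expected.length) return false;
  return timingSafeEqual(expected, attestedChallenge);
}

// Constructed sample data (hypothetical field names and values).
const mintedBody = {
  subject: "did:example:device-1",
  issuedAt: 1777161600,
  platform: "android_keystore",
};
const attested = challengeFor(mintedBody);

// Same content, different key order: canonicalization keeps the binding.
const reordered = {
  platform: "android_keystore",
  issuedAt: 1777161600,
  subject: "did:example:device-1",
};
// An attestation replayed against a different body must not verify.
const tampered = { ...mintedBody, subject: "did:example:device-2" };

console.log(challengeBindsBody(mintedBody, attested),
            challengeBindsBody(reordered, attested),
            challengeBindsBody(tampered, attested));
```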

Future scope (intentionally not in this package)

Play Integrity remains a useful operator-mode anti-fraud signal — Google's playProtectVerdict, appAccessRiskVerdict, and licensingVerdict carry meaningful per-deployer risk data. But those signals are not third-party verifiable cryptographic claims, so they don't belong in the permissive-floor crypto-leaf set. If a future motebit deployment wants Play-Integrity-as-anti-fraud, it lands as a relay-side service or an explicitly non-canonical operator-tier package — not here.

License

Apache-2.0 — see LICENSE and NOTICE.