App Integrity & Injection
SECURITY › Security
Proving genuine app/device with Play Integrity and blocking injection via parameterised queries.
Interviewers probe whether you understand that client-side trust is impossible: Play Integrity verdicts must be verified on your backend, and tamper/root detection only raises cost, never guarantees safety. They also test the practical hygiene that prevents data breaches: parameterised SQL, input validation, and safe WebView configuration. Expect to defend why obfuscation is defence-in-depth rather than security on its own.
What this covers
- What Play Integrity verifies (app, device, account) and why tokens are decrypted/verified server-side, never on the client
- Reading device integrity verdicts (MEETS_DEVICE_INTEGRITY, MEETS_BASIC_INTEGRITY, MEETS_STRONG_INTEGRITY, MEETS_VIRTUAL_INTEGRITY) and standard vs classic requests
- The hard limits of root/tamper detection and why it is a deterrent, not a guarantee
- Code obfuscation (R8) as defence-in-depth that raises attacker cost but is not security by itself
- Preventing SQL injection with parameterised queries / selectionArgs, and how Room binds parameters and verifies SQL at compile time
- Server-side input validation and safe WebView usage (disable unneeded JS, restrict file access, validate JavaScript bridges)
Study this topic
- App Integrity & Injection explained: the guided lesson
- 14 practice quiz questions
- 9 revision flashcards
- App Integrity & Injection interview questions and answers