Google Play Integrity API behavioral changes
Description: Play Integrity security updates announced in December 2024 recently took effect. The Play Integrity API has improved its verdicts on Android 13 (API level 33) and later devices, and all apps were automatically transitioned to these new verdicts in May 2025. This means that for devices on Android 13 or later: Apps calling the Play Integrity API must have been installed, or updated, by Google Play. The MEETS_STRONG_INTEGRITY verdict now requires the device to have a security update installed that has been released within the last year. Please see this guide for details on other changes made as part of this transition. Impact: Devices enrolled via QR Code, Zero Touch, and/or NFC may not recognize the management app as having been installed by Google Play. So the management app would no longer be receiving integrity verdicts from the Play Integrity API. Devices that do not have a security update from the last 12 months will no longer receive a MEETS_STRONG_INTEGRITY verdict. Mitigation: We’ve updated the Play Integrity policy to consider verified management apps as having been installed by Google Play regardless of enrollment method. Leveraging the MEETS_DEVICE_INTEGRITY verdict, which does not take into account security patch level, alongside the MEETS_STONG_INTEGRITY verdict can provide a better picture of the device’s current state. Please refer to your EMM for further details on how this may impact your deployment.Some Android 10 devices failing to boot and entering Rescue Party mode
22nd December, 2023 Issue: We have had reports of some Android 10 devices failing to boot and entering Rescue Party mode. Cause: This is caused by an old bug (referred to here as the ‘uninstallation bug’) that was fixed in November 2019 but is still present in devices that haven’t been updated to newer versions of Android. The bug manifests when uninstalling updates to a system app, and the uninstall operation fails or is interrupted. It is not clear what causes the failure, but given the low incidence of the bug it could be due to a race condition. Trigger: Google has been running an operation to recover devices that were affected by another bug (the ‘Play Store bug’), and we believe this operation was the trigger for the uninstallation bug affecting devices now. The recovery operation uninstalled the update to the Play Store, restoring it to the system version and allowing it to self-update to the correct version. During our internal testing and through the initial rollout phases of the recovery operation we saw no incidences of the uninstallation bug occuring. The operation was enabled for remaining devices on December 18th. Mitigation: We received the first reports of devices being affected by the uninstallation bug on the evening of December 19th and the Play Store recovery operation was halted the next morning, removing the trigger. There are no plans to resume the operation. Fix: We have advised device manufacturers to apply the original fix to their builds. Flashing a new system image that includes the patch has been confirmed to recover devices that were stuck in the Rescue Party. As the fix was included in Android 11, flashing the devices to an Android 11 system image should also recover affected devices. Factory resetting affected devices will restore the device to working order. We also recommend that organizations upgrade to newer versions of Android in general.
