What is the added value of AppiCrypt over Google App Check (Play Integrity API or former SafetyNet) #18
Unanswered. syakymchuk asked this question in Q&A. Replies: 0 comments
App Check addresses the App Integrity verification problem, and indeed it can reduce the risk of App impersonation. But App issuers need to consider the following facts:
It still has the problem of App Check token validity, i.e. it is vulnerable to replay attacks. See the issue explained here.
App Check quota limits, i.e. you can't verify every call to the API. In practice it is used to protect authentication only or new-user enrollment use cases, while #AppiCrypt can be used to protect every API call. Keep in mind that API abuse attacks mostly happen through the authenticated APIs, i.e. authentication passes OK, and then the valid auth token is misused. See here.
Google doesn't commit to the App Check service: no SLA, no response time, nothing. So it is hard to rely on this solution in business-critical use cases, and you should think twice before introducing a single point of failure. AppCheck is a fully local solution w/o any external API dependency.
Google Play services (and App Check) are unavailable in many countries, and many Android devices are not supported. Only Google-certified devices are covered.
App Check introduces UX latency, sometimes over several seconds, while AppiCrypt is within 10-30 ms.
AppiCrypt provides much higher granularity to audit WHY a certain App instance or device is NOK.