Android SafetyNet Integrity Checks
The cluster discusses Android mechanisms like SafetyNet and Play Integrity for detecting device tampering, rooting, cracked apps, and ensuring integrity via app signing and attestation, including examples like McDonald's app and concerns over sideloading.
Sample Comments
E.g. McDonald's Android app, at this moment. It doesn't launch on devices which fail SafetyNet checks, i.e. modified firmware.
If your app relies on server-side functionality to work, you should look into the SafetyNet Attestation API to see if you can block cracked apps from working by having the server refuse to talk to an app if it can't prove it was installed from Google's app store.
That's really on the app. Google provides a flag to the app if they detect tampering, the app chooses to limit functionality.
That sounds really good. What are the downsides? How does it fare in terms of PlayIntegrity and SafetyNet etc?
Many random apps do, e.g. McDonald's app, and not just root but SafetyNet checks, which are way more strict than just the root thing.
How does this interact with Google's push to sign all apps?
Applications are signed by Signal, so Google can't make fake ones.
That's right, the transparency signature is not checked during installation. If you think somebody at Google might be out to get you and has all those powers and resources, there are many ways other than serving bespoke bundles, even with good old APK. Since they control the store and the system software that goes with it, they could download and save the original APK to give you some false sense of security, but apply a patch before extraction or code compilation. Or they could just crack
What's the point if you can't verify what they upload to the Play Store / App Store anyway? They can publish anything as code, but that doesn't mean you run it.
The main issue to me seems to be sideloading apps; Play Store apps seem to be protected. Sideloaded apps could be anything since it's the app key that is compromised.