YinkoShield

Checkpoint architectures · 2025·11

SafetyNet's deprecation and the migration to Play Integrity

SafetyNet Attestation was Android's first-party device-integrity checkpoint for nearly a decade. Google announced the deprecation in June 2022, added deprecation information to responses in November 2022, ended new developer onboarding on January 31, 2023, and completed full turndown on January 31, 2025. Play Integrity is the successor — the same checkpoint shape with refined verdicts, a new quota model, and operator-supplied request binding via `requestHash`. This page documents the migration: what was preserved, what changed, and what operators learned about checkpoint architectures along the way.

[Figure: SafetyNet → Play Integrity migration timeline, with "preserved" and "changed" panels. Figure note: migration is mostly mechanical; policy mapping is the main lift.]
SafetyNet Attestation was deprecated in June 2023 and decommissioned by January 2025. Play Integrity is the successor — the same checkpoint shape with refined verdicts, a new quota model, and stricter request-hash binding.

1. What SafetyNet was

SafetyNet Attestation was introduced as part of Google Play services in the mid-2010s and provided a per-call API that returned a JWT-signed attestation about the device the calling app was running on. The two load-bearing fields in the response were `ctsProfileMatch` (the device profile matches a Compatibility Test Suite-passing build) and `basicIntegrity` (the device is not blatantly compromised) [1].

Operators called SafetyNet from sensitive flows — login, payment confirmation, key-rotation — and treated the signed response as authoritative for an operator-defined freshness window. The verdict token included a server-supplied nonce field, allowing the operator to bind the call to a specific request server-side. At its peak, SafetyNet was the de-facto Android checkpoint for financial-services apps.

2. The deprecation

Google announced SafetyNet Attestation’s deprecation in June 2022 and published the migration timeline shortly after [1]. The headline dates published by Google:

  • June 2022 — deprecation announced; migration to Play Integrity recommended for new integrations.
  • November 2022 — `deprecationInformation` field added to SafetyNet responses, surfacing the deprecation status in existing integrations’ response payloads.
  • January 31, 2023 — new developer onboarding ended. No new integrations accepted; existing integrations continued to function with progressive throttling.
  • 2024 — request rates progressively throttled across the year; Play Integrity is the only path for new integrations.
  • January 31, 2025 — SafetyNet Attestation API fully shut down. Calls return error responses; the service is no longer served.

The reason given by Google was straightforward: SafetyNet’s original design predated the Android ecosystem’s investment in hardware-backed key attestation, modern device-profile signals, and the enforcement model that Play Integrity ships with. A ground-up rebuild was easier than retrofitting.

3. What was preserved across the migration

The migration was, for most operators, more mechanical than conceptual. Play Integrity preserves the core SafetyNet shape [2, 3]:

  • A Google-signed verdict token that the relying party verifies server-side using a published key.
  • A device-integrity signal class as the load-bearing output of the call.
  • A per-call invocation model — operators decide where in the flow to call the API and what freshness window to apply.
  • Operator-supplied request binding. SafetyNet had `nonce`; Play Integrity has `requestHash`. The semantics are similar: the operator constructs an unpredictable, request-specific value and the API token echoes it back inside the signed payload.

Operators that designed their integration around the shape of SafetyNet — verdict + signed token + per-call freshness — found the Play Integrity port mostly straightforward.

4. What changed

Three changes are worth calling out:

  • Verdict labels. SafetyNet returned booleans (`ctsProfileMatch`, `basicIntegrity`) plus, from 2020 onward, an `evaluationType` field that could include `HARDWARE_BACKED` — the technical bridge to today’s `MEETS_STRONG_INTEGRITY`. Play Integrity returns label strings (`MEETS_BASIC_INTEGRITY`, `MEETS_DEVICE_INTEGRITY`, `MEETS_STRONG_INTEGRITY`). `MEETS_STRONG_INTEGRITY` requires a hardware-backed verdict with a recent security patch level — the formalised version of SafetyNet’s `evaluationType: HARDWARE_BACKED` signal.
  • Quota model and Standard vs Classic. Play Integrity introduces a per-app daily budget, with “Standard” requests designed for higher-volume calls (with on-device token caching) and “Classic” requests intended for one-shot sensitive operations [3]. SafetyNet’s per-call model did not have an equivalent split.
  • Request-hash binding. Play Integrity’s `requestHash` is operator-supplied and recommended (not strictly mandatory): Google’s documentation strongly encourages binding the request to operator-meaningful content via this field, and the API echoes whatever the operator supplies into the signed token, but the API does not refuse calls without it. Operators migrating from SafetyNet found that loosely-bound integrations needed tightening to make best use of Play Integrity’s per-request binding.
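A server-side policy check covering the label mapping and the `requestHash` binding described above, as an added example that is not code from this page or from Google. It assumes the token has already been decrypted and verified into a payload shaped like Play Integrity's verdict (`requestDetails`, `deviceIntegrity`); the legacy policy keys, the hex SHA-256 encoding, the two-minute freshness window, the package name and the sample request are all assumptions.

```python
import hashlib
import hmac

MAX_AGE_MS = 120_000  # assumed operator freshness window (2 minutes)

def required_label(legacy_policy: dict) -> str:
    """Map a legacy SafetyNet policy (hypothetical keys) to a Play Integrity label."""
    if legacy_policy.get("require_hardware_backed"):    # evaluationType: HARDWARE_BACKED
        return "MEETS_STRONG_INTEGRITY"
    if legacy_policy.get("require_cts_profile_match"):  # ctsProfileMatch == true
        return "MEETS_DEVICE_INTEGRITY"
    return "MEETS_BASIC_INTEGRITY"                      # basicIntegrity == true

def request_hash(canonical_request: bytes) -> str:
    """Operator-chosen encoding (assumption): hex SHA-256 of the canonical request."""
    return hashlib.sha256(canonical_request).hexdigest()

def evaluate(verdict: dict, canonical_request: bytes, package: str,
             label: str, now_ms: int) -> str:
    """Return "ok" or the reason an already-decoded verdict payload is rejected."""
    details = verdict.get("requestDetails", {})
    if details.get("requestPackageName") != package:
        return "package mismatch"
    echoed = details.get("requestHash")
    if not isinstance(echoed, str) or not echoed:
        return "unbound token"  # the API accepts unbound calls; server policy must not
    if not hmac.compare_digest(echoed.encode(), request_hash(canonical_request).encode()):
        return "requestHash mismatch"
    age_ms = now_ms - int(details.get("timestampMillis", 0))
    if not 0 <= age_ms <= MAX_AGE_MS:
        return "stale token"
    labels = verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if label not in labels:
        return "missing " + label
    return "ok"

# Constructed sample: a payment request and the verdict payload decoded for it.
REQUEST = b'{"op":"payment.confirm","amount":"25.00","txn":"example-0001"}'
NOW_MS = 1_700_000_060_000
VERDICT = {
    "requestDetails": {"requestPackageName": "com.example.bank",
                       "requestHash": request_hash(REQUEST),
                       "timestampMillis": "1700000000000"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"]},
}

if __name__ == "__main__":
    label = required_label({"require_cts_profile_match": True})
    print(evaluate(VERDICT, REQUEST, "com.example.bank", label, NOW_MS))
```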

What did not change: the boundary the checkpoint draws. Both SafetyNet and Play Integrity are point-in-time checkpoints. The runtime trajectory between calls — the topic of the article on the Play Integrity gap — is not what either was designed to sign. The migration moved the checkpoint onto firmer ground; it did not change what the checkpoint covers. Execution Evidence Infrastructure (EEI) — the device-identity infrastructure layer for banking and payments — is the layer that signs the inter-call interval the checkpoint cannot.

5. Cross-references

6. External references

[1] Google. SafetyNet Attestation API deprecation timeline. developer.android.com/training/safetynet/deprecation-timeline. Cited 2025-11-24.

[2] Google. Migrate to Play Integrity API. developer.android.com/google/play/integrity/migrate. Cited 2025-11-24.

[3] Google. Play Integrity API: Overview. developer.android.com/google/play/integrity/overview. Cited 2025-11-24.