Tag Archives: Google Play

Boost the security of your app with the nonce field of the Play Integrity API

Posted by Oscar Rodriguez, Developer Relations Engineer

With the recent launch of the Play Integrity API, more developers are now taking action to protect their games and apps from potentially risky and fraudulent interactions.

In addition to useful signals on the integrity of the app, the integrity of the device, and licensing information, the Play Integrity API features a simple, yet very useful feature called “nonce” that, when correctly used, can further strengthen the existing protections the Play Integrity API offers, as well as mitigate certain types of attacks, such as person-in-the-middle (PITM) tampering attacks, and replay attacks.

In this blog post, we will take a deeper look at what the nonce is, how it works, and how it can be used to further protect your app.

What is a nonce?

In cryptography and security engineering, a nonce (number once) is a number that is used only once in a secure communication. There are many applications for nonces, such as in authentication, encryption and hashing.

In the Play Integrity API, the nonce is an opaque base-64 encoded binary blob that you set before invoking the API integrity check, and it will be returned as-is inside the signed response of the API. Depending on how you create and validate the nonce, it is possible to leverage it to further strengthen the existing protections the Play Integrity API offers, as well as mitigate certain types of attacks, such as person-in-the-middle (PITM) tampering attacks, and replay attacks.

Apart from returning the nonce as-is in the signed response, the Play Integrity API doesn’t perform any processing of the actual nonce data, so as long as it is a valid base-64 value, you can set any arbitrary value. That said, in order to digitally sign the response, the nonce is sent to Google’s servers, so it is very important not to set the nonce to any type of personally identifiable information (PII), such as the user’s name, phone or email address.

Setting the nonce

After having set up your app to use the Play Integrity API, you set the nonce with the setNonce() method, or its appropriate variant, available in the Kotlin, Java, Unity, and Native versions of the API.

Kotlin:

val nonce: String = ...

// Create an instance of a manager.
val integrityManager =
    IntegrityManagerFactory.create(applicationContext)

// Request the integrity token by providing a nonce.
val integrityTokenResponse: Task<IntegrityTokenResponse> =
    integrityManager.requestIntegrityToken(
        IntegrityTokenRequest.builder()
             .setNonce(nonce) // Set the nonce
             .build())

Java:

String nonce = ...

// Create an instance of a manager.
IntegrityManager integrityManager =
    IntegrityManagerFactory.create(getApplicationContext());

// Request the integrity token by providing a nonce.
Task<IntegrityTokenResponse> integrityTokenResponse =
    integrityManager
        .requestIntegrityToken(
            IntegrityTokenRequest.builder()
            .setNonce(nonce) // Set the nonce
            .build());

Unity:

string nonce = ...

// Create an instance of a manager.
var integrityManager = new IntegrityManager();

// Request the integrity token by providing a nonce.
var tokenRequest = new IntegrityTokenRequest(nonce);
var requestIntegrityTokenOperation =
    integrityManager.RequestIntegrityToken(tokenRequest);

Native:

/// Create an IntegrityTokenRequest object.
const char* nonce = ...
IntegrityTokenRequest* request;
IntegrityTokenRequest_create(&request);
IntegrityTokenRequest_setNonce(request, nonce); // Set the nonce
IntegrityTokenResponse* response;
IntegrityErrorCode error_code =
        IntegrityManager_requestIntegrityToken(request, &response);

Verifying the nonce

The response of the Play Integrity API is returned in the form of a JSON Web Token (JWT), whose payload is plain-text JSON in the following format:

{
  requestDetails: { ... }
  appIntegrity: { ... }
  deviceIntegrity: { ... }
  accountDetails: { ... }
}

The nonce can be found inside the requestDetails structure, which is formatted in the following manner:

requestDetails: {
  requestPackageName: "...",
  nonce: "...",
  timestampMillis: ...
}

The value of the nonce field should exactly match the one you previously passed to the API. Furthermore, since the nonce is inside the cryptographically signed response of the Play Integrity API, it is not feasible to alter its value after the response is received. It is by leveraging these properties that it is possible to use the nonce to further protect your app.

Protecting high-value operations

Let us consider the scenario in which a malicious user is interacting with an online game that reports the player score to the game server. In this case, the device is not compromised, but the user can view and modify the network data flow between the game and the server with the help of a proxy server or a VPN, so the malicious user can report a higher score, while the real score is much lower.

Simply calling the Play Integrity API is not sufficient to protect the app in this case: the device is not compromised, and the app is legitimate, so all the checks done by the Play Integrity API will pass.

However, it is possible to leverage the nonce of the Play Integrity API to protect this particular high-value operation of reporting the game score, by encoding the value of the operation inside the nonce. The implementation is as follows:

  1. The user initiates the high-value action.
  2. Your app prepares a message it wants to protect, for example, in JSON format.
  3. Your app calculates a cryptographic hash of the message it wants to protect. For example, with the SHA-256, or the SHA-3-256 hashing algorithms.
  4. Your app calls the Play Integrity API, and calls setNonce() to set the nonce field to the cryptographic hash calculated in the previous step.
  5. Your app sends both the message it wants to protect, and the signed result of the Play Integrity API to your server.
  6. Your app server verifies that the cryptographic hash of the message that it received matches the value of the nonce field in the signed result, and rejects any results that don't match.

The following sequence diagram illustrates these steps:

Implementation diagram for encoding the value of the operation inside the nonce. Steps outlined in the body of the blog.

As long as the original message to protect is sent along with the signed result, and both the server and client use the exact same mechanism for calculating the nonce, this offers a strong guarantee that the message has not been tampered with.

Notice that in this scenario, the security model works under the assumption that the attack is happening in the network, not the device or the app, so it is particularly important to also verify the device and app integrity signals that the Play Integrity API offers as well.

Preventing replay attacks

Let us consider another scenario in which a malicious user is trying to interact with a server-client app protected by the Play Integrity API, but wants to do so with a compromised device, in such a way that the server doesn’t detect this.

To do so, the attacker first uses the app with a legitimate device, and gathers the signed response of the Play Integrity API. The attacker then uses the app with the compromised device, intercepts the Play Integrity API call, and instead of performing the integrity checks, it simply returns the previously recorded signed response.

Since the signed response has not been altered in any way, the digital signature will look okay, and the app server may be fooled into thinking it is communicating with a legitimate device. This is called a replay attack.

The first line of defense against such an attack is to verify the timestampMillis field in the signed response. This field contains the timestamp when the response was created, and can be useful in detecting suspiciously old responses, even when the digital signature is verified as authentic.

That said, it is also possible to leverage the nonce in the Play Integrity API to assign a unique value to each response, and verify that the response matches the previously set unique value. The implementation is as follows:

  1. The server creates a globally unique value in a way that malicious users cannot predict. For example, a cryptographically-secure random number 128 bits or larger.
  2. Your app calls the Play Integrity API, and sets the nonce field to the unique value received by your app server.
  3. Your app sends the signed result of the Play Integrity API to your server.
  4. Your server verifies that the nonce field in the signed result matches the unique value it previously generated, and rejects any results that don't match.

The following sequence diagram illustrates these steps:

Implementation diagram for assigning a unique value to each response, and verifying that the response matches the previously set unique value. Steps outlined in the body of the blog.

With this implementation, each time the server asks the app to call the Play Integrity API, it does so with a different globally unique value, so as long as this value cannot be predicted by the attacker, it is not possible to reuse a previous response, as the nonce won’t match the expected value.

Combining both protections

While the two mechanisms described above work in very different ways, if an app requires both protections at the same time, it is possible to combine them in a single Play Integrity API call, for example, by appending the results of both protections into a larger base-64 nonce. An implementation that combines both approaches is as follows:

  1. The user initiates the high-value action.
  2. Your app asks the server for a unique value to identify the request.
  3. Your app server generates a globally unique value in a way that malicious users cannot predict. For example, you may use a cryptographically-secure random number generator to create such a value. We recommend creating values 128 bits or larger.
  4. Your app server sends the globally unique value to the app.
  5. Your app prepares a message it wants to protect, for example, in JSON format.
  6. Your app calculates a cryptographic hash of the message it wants to protect. For example, with the SHA-256, or the SHA-3-256 hashing algorithms.
  7. Your app creates a string by appending the unique value received from your app server, and the hash of the message it wants to protect.
  8. Your app calls the Play Integrity API, and calls setNonce() to set the nonce field to the string created in the previous step.
  9. Your app sends both the message it wants to protect, and the signed result of the Play Integrity API to your server.
  10. Your app server splits the value of the nonce field, verifies that both the cryptographic hash of the message and the unique value it previously generated match the expected values, and rejects any results that don't match.

The following sequence diagram illustrates these steps:

implementation diagram for combining both protections. Steps outlined in the body of the blog.
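
The server side of the combined procedure, as an added example that is not part of the original post; because it checks both halves of the nonce, it also covers the two earlier procedures (message hash and server-issued unique value). It assumes the token has already been decrypted and signature-verified into a `payload` dict; `NonceVerifier`, `build_nonce`, the URL-safe base64 encoding and the two-minute freshness window are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time

UNIQUE_LEN = 16             # 128-bit server-generated value (steps 3-4)
HASH_LEN = 32               # SHA-256 digest length (step 6)
MAX_AGE_MS = 2 * 60 * 1000  # assumed freshness window for timestampMillis


def build_nonce(unique_value: bytes, message: bytes) -> str:
    """What the app does in steps 6-8: unique value || SHA-256(message)."""
    digest = hashlib.sha256(message).digest()
    return base64.urlsafe_b64encode(unique_value + digest).decode("ascii")


class NonceVerifier:
    """Server side of the combined scheme (steps 3 and 10).

    The in-memory set is a stand-in; a real deployment would keep issued
    values in a shared store with an expiry (assumption, not from the post).
    """

    def __init__(self, now_ms=None):
        self._pending = set()  # values issued and not yet consumed
        self._now_ms = now_ms or (lambda: int(time.time() * 1000))

    def issue_unique_value(self) -> bytes:
        value = secrets.token_bytes(UNIQUE_LEN)  # CSPRNG, unpredictable
        self._pending.add(value)
        return value

    def verify(self, message: bytes, payload: dict):
        """Return (accepted, reason) for a decoded, signature-checked payload."""
        details = payload.get("requestDetails") or {}
        try:
            raw = base64.urlsafe_b64decode(details["nonce"])
            created_ms = int(details["timestampMillis"])
        except (KeyError, TypeError, ValueError):
            return False, "malformed requestDetails"
        if len(raw) != UNIQUE_LEN + HASH_LEN:
            return False, "unexpected nonce length"
        unique_value, digest = raw[:UNIQUE_LEN], raw[UNIQUE_LEN:]

        # Single use: consume the value on first sight so a recorded
        # response cannot be accepted a second time.
        if unique_value not in self._pending:
            return False, "unique value unknown or already used"
        self._pending.discard(unique_value)

        # Hash the message bytes exactly as received and compare in
        # constant time against the digest carried in the signed nonce.
        if not hmac.compare_digest(digest, hashlib.sha256(message).digest()):
            return False, "message hash mismatch"
        if abs(self._now_ms() - created_ms) > MAX_AGE_MS:
            return False, "stale response"
        return True, "ok"


if __name__ == "__main__":
    server = NonceVerifier()
    unique = server.issue_unique_value()
    msg = b'{"player":"p1","score":1200}'  # constructed sample message
    signed = {"requestDetails": {"nonce": build_nonce(unique, msg),
                                 "timestampMillis": str(int(time.time() * 1000))}}
    print(server.verify(msg, signed))                                # accepted
    print(server.verify(msg, signed))                                # replay
```

The device and app integrity verdicts in the same payload still need to be checked separately, as the post notes for the high-value operation scenario.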

These are some examples of ways you can use the nonce to further protect your app against malicious users. If your app handles sensitive data, or is vulnerable to abuse, we hope you consider taking action to mitigate these threats with the help of the Play Integrity API.

To learn more about using the Play Integrity API and to get started, visit the documentation at g.co/play/integrityapi.

New Google Play SDK Index helps you choose the right SDKs for your app

Posted by Yafit Becher, Product Manager and Ray Brusca, Strategic Partnerships Manager

App developers rely on SDKs to integrate key functionality and services for their apps and games. SDKs are essential building blocks, but developers have shared that it can be hard to figure out which SDKs are reliable and safe to use. So helping developers, like you, make informed decisions about SDKs is part of keeping Google Play a safe, trusted space for billions of people.

In 2020, we launched Google Play SDK Console to give SDK providers crash reporting, usage statistics, and a way to communicate critical issues to app developers through Google Play Console and Android Studio. Today, we’re taking another step to increase communication and transparency by launching Google Play SDK Index, a new public portal that lists over 100 of the most widely used commercial SDKs, and insights about each one.

Google Play SDK Index shows reliability and safety signals so you can decide if an SDK is right for your business and your users.

You can search for an SDK or look through a category, like Advertising and monetization or Analytics. For each SDK listing, Google Play SDK Index combines usage data from Google Play apps with SDK code detection to provide insights designed to help you decide if an SDK is right for your business and your users. You can see:

  • Which Android app permissions the SDK may request
  • If the SDK provider is committed to ensuring that their SDK’s code follows Google Play policies
  • Version adoption rates
  • Retention metrics, and more

SDK providers can also share key information with you for the SDKs that they registered on Google Play SDK Console, like:

  • Which SDK version is outdated or has critical issues
  • Links to data safety guidance on what data the SDK collects and why, to help you fill out your app’s Data safety form.

No matter where you’re at in your development lifecycle, we hope you find Google Play SDK Index useful in making informed SDK choices. Stay tuned for more updates as we add additional data points, categories, and volume of SDKs.

For more:

What’s new in Google Play

Posted by Alex Musil, Product Management at Google Play

At this year’s Google I/O, we focused on three major ways we can help you continue growing your business on Google Play:

  • Privacy and security initiatives to keep the ecosystem safe for users and developers, like the new Google Play SDK Index
  • Tools to help you improve your app quality across the app lifecycle
  • New ways to help you acquire users and engage with existing ones through features like LiveOps, as well as ways to drive revenue growth with new subscription capabilities

You can check out all the updates in our I/O session, or keep reading for a quick overview of the new features that will help take your business even further.

Privacy and security initiatives to protect developers and users

Over the last few years, we've been working on tools to help make SDKs better and safer for everyone, including SDK providers, app developers, and ultimately, our collective end users.

  • In 2020, we launched Google Play SDK Console, which provides usage statistics, crash reporting, and the ability for SDK providers to communicate to app developers through Play Console and Android Studio. Today, we launched Google Play SDK Index, a new public portal that lists the most widely used commercial SDKs, and provides data and insights about each one.
    The index includes over 100 SDKs with information about which app permissions they use, statistics on the apps that use them, and if the SDK provider is committed to ensuring that their SDK’s code follows Google Play policies. You can use it to inform your decisions about which SDKs and specific versions to use in your app.
Google Play SDK Index shows reliability and safety signals so you can decide if an SDK is right for your business and your users.

  • We’re also protecting the work you put into your apps with Play’s app integrity tools. Play App Signing is used to securely sign millions of apps on Google Play and helps ensure that app updates can be trusted. From now on, Play App Signing will use Google Cloud Key Management to protect signing keys. This means you can review public documentation including the storage specifications and security practices that Google uses to protect your keys. We’ll soon be using Cloud Key Management for all newly generated keys, followed by securely migrating eligible existing keys.
  • Another new feature of Play App Signing rolling out soon is the ability for any app to perform an app signing key rotation. In the event of an incident or just as a security best practice, you’ll be able to trigger an annual key rotation from within Play Console. To maximize security, Google Play Protect will also verify your app updates using rotated keys for older Android releases that don’t support rotation, going all the way back to Android Nougat.
  • We also offer an API that you can use to help protect your app, your IP, and your users from abuse and attacks. The new Play Integrity API is now available to all apps and games to detect fraudulent and risky interactions, such as traffic from modified or pirated app versions and rooted or compromised devices.
  • In addition to protecting users, we also want them to feel safe when downloading apps and games from Google Play. The new Data safety section gives you a way to showcase your approach to privacy and security so that users can confidently download your app. If you haven't yet, please complete your Data safety form by July 20th. Check out our Help Center article for more information.
  • In other data privacy news, we’ve released the first developer preview of the Privacy Sandbox on Android, our initiative to build new technologies that improve user privacy while still enabling effective advertising. Check out our blog post to learn more and join our email newsletter for the latest updates.

More features to help you improve app quality across your app lifecycle

Your app quality affects everything from your ability to engage and retain users to your discoverability and promotability on the Play Store.

  • Android vitals is your definitive source of technical quality metrics on Play. Now, with the new Developer Reporting API, you can access Android vitals metrics and issues data outside of Play Console, including crash and ANR rates, counts, clusters, and stack traces and integrate them into your own tools and workflows.
  • You can also now view Android vitals data at the country level to help you troubleshoot and prioritize by location.
  • And we’ve made it easier to use Android vitals alongside Firebase Crashlytics by aligning issue names and enabling you to see Play Track information in Crashlytics when you link your Play app with your Crashlytics app.

Beyond Android vitals, there are other new features to help you across the development lifecycle:

  • Reach and devices makes it easier to plan for better quality by providing insights on your user and issue distribution. It now includes revenue and revenue growth metrics for apps that monetize on Play, so you can build revenue-based business cases for quality and reach.
  • We also overhauled the Device catalog to make it easier to understand and use. The Overview page now includes install data, and you can filter by new device attributes like shared libraries. You can also see device variants by RAM and Android version, which lets you quickly identify the most common variant.
  • It is now much easier to test your app on different form factors. You can independently run internal and open testing on many form factors including Android Automotive, and soon, Wear OS.
  • To help you keep users up to date, the In-app Updates API will now let your app users know if there’s an update available within 15 minutes instead of up to 24 hours, including showing your “What’s new” text within the update screen.

To learn more about all these launches, check out our session on app quality.


Marketing and monetization features to help you grow your business

Google Play can help grow your business with new ways to acquire new users, engage your existing ones, and drive revenue growth.

  • Your store listing is often the first thing a prospective user sees about your app. To help you make the right first impression, you can now make up to 50 custom store listings, each with analytics and unique deep links, so you can show different listings to users depending on where they come from.

Developers can now create up to 50 custom store listings, each with analytics and unique deep links.

  • We’ve also made some major improvements to Store Listing Experiments. You’ll now see results more quickly for most experiments, with more transparency and control to help you anticipate how long each experiment is likely to need.
  • Deep links are an important tool when trying to improve engagement with your in-app content, so we’re making it easier to keep your deep link setup complete and up-to-date. Soon, we’re launching a new Play Console page dedicated to deep links with all the information and tools related to your app’s deep links in one convenient place.
  • Another helpful tool is LiveOps, a feature that allows you to submit content to be considered for featuring on the Play Store. By surfacing limited-time offers, events, and major updates for your app or game, LiveOps drives 5% more 28-day active users and 4% higher revenue for developers using the feature than those that do not. If you’d like to join our beta program, you can learn more and express your interest here.
  • Since last year, we’ve made some big changes to Play Commerce to help you do business with users with regional payment method preferences, such as cash and prepaid. We’ve expanded our payment method library to include over 300 local payment methods in 70 countries, and added eWallet payment methods such as MerPay in Japan, KCP in Korea, and Mercado Pago in Mexico.
  • We also expanded pricing options with ultra-low price points to help you increase conversions and grow your revenue. Now you can price your products as low as the equivalent of 5 US cents in any market. This will allow you to adjust your prices to better reflect local purchasing power, run locally relevant sales and promotions, and support micro-transactions such as tipping.
  • We launched new subscription capabilities along with a reimagined developer experience, making it easier to sell subscriptions on Google Play. For each subscription, you can now configure multiple base plans and offers. This allows you to sell the subscription in multiple ways and reduces operational costs by removing the need to create and manage an ever-increasing number of SKUs.

    Each base plan in a subscription defines a different billing period and renewal type - e.g. a monthly auto-renewing plan, an annual auto-renewing plan, and a 1-month prepaid plan. A base plan can have multiple offers supporting different stages of the subscription lifecycle - e.g. an acquisition offer for a limited-time free trial, or an upgrade offer to incentivize subscribers to move from a prepaid plan to an auto-renewing plan. Offers are a great way to acquire new subscribers, incentivize upgrades, and retain existing subscribers.

Easily configure your subscription base plans and offers without having to create additional SKUs. [previous configuration (left); new configuration (right)]

For each subscription, you can now configure multiple base plans and offers.

  • New prepaid plans allow you to offer users access for a fixed amount of time. Users can easily extend their access period at any time before plan expiration. Users can purchase these top-ups in your app, or right on the Play Store subscription screen. They make a great option for regions where pay-as-you go is standard.
  • In-App Messaging is a new way to prevent you from losing subscribers due to a declined payment. Simply use the In-App Messaging API to check with Play when a user opens the app. If the user’s payment has been declined, a message will remind them to update their payment information.
    Prevent subscriber loss due to declined payments with the In-App Messaging API.

    These features are all available with the latest version of Play Billing Library 5.0. To learn more about these and other tools to help grow your business, check out “Power your Success with new acquisition, engagement and monetization tools.”

    Thank you for continuing to be a part of the thriving Google Play ecosystem. We can’t wait to see what you build next.


New flexible tools to grow your subscription business

Posted by Steve Hartford, Product Manager, Google Play

Digital subscriptions continue to be one of the fastest growing ways for developers to monetize on Google Play. As the subscriptions business model evolves, many developers have asked us for more flexibility and less complexity in how they sell subscriptions.

To meet those needs, we've reimagined the developer experience for selling subscriptions on Play. Today, we’re launching new subscription capabilities and a new Console UI to help you grow your business. At its foundation, we’ve separated what the subscription benefits are from how you sell the subscription. For each subscription, you can now configure multiple base plans and offers. This allows you to sell your subscription in multiple ways, reducing operational costs by removing the need to create and manage an ever-increasing number of SKUs.

You may have already noticed the change in Play Console as we’ve taken existing subscription SKUs and separated them into subscriptions, base plans, and offers. The new subscriptions configuration behaves as before, with no immediate need to update your apps or backend integrations.

Example of a subscription configuration

More flexibility to improve reach, conversion, and retention

Each base plan in a subscription defines a different billing period and renewal type. For example, you can create a subscription with a monthly auto-renewing plan, an annual auto-renewing plan, and a 1-month prepaid plan.

Prepaid plans are an entirely new option that provides users with access to benefits for a fixed duration. Users can extend this access by purchasing top-ups in your app, or in the Play Store. Prepaid plans allow you to reach users in regions where pay-as-you-go is standard, including India and Southeast Asia. They can also provide an alternative for users not ready to purchase an auto-renewing subscription.

A base plan can have multiple offers supporting different stages of the subscription lifecycle — whether to acquire new subscribers, incentivize upgrades, or retain existing subscribers. Whenever users could benefit from the value your subscriptions provide, we want to help you reach them with an offer they find worthwhile and convenient.

Offers provide a wide range of pricing and eligibility options. While the base plan contains the price available to all users, offers provide alternate pricing to eligible users. You can make offers that are available everywhere their base plan is available, or you can create offers for specific regions. For example:

  • Acquisition offers allow users to try your subscription for free or at a discounted price
  • Upgrade and crossgrade offers incentivize users to benefit from longer billing periods or higher tiers of service
  • Upgrade offers can also help you move subscribers from a prepaid plan to an auto-renewing plan

If you want even more flexibility, you can create custom offers for which you decide the business logic, such as second-chance free trials, or win-back offers for lapsed subscribers.

Better metrics to understand your business

We’ve improved reporting by updating how metrics are calculated in Play Console. Metrics such as new subscription counts, conversion and retention rates, and cancellations are more consistent and calculated in line with financial metrics. You can now directly compare data between Play Console and the Real Time Developer Notifications API. Additionally, subscription metrics are now cumulative. This means that data reported for previous days won’t change over time.

Get started

Starting today, all these new subscription capabilities are available. To learn more please visit the Help Center. When you’re ready to integrate, check out this guide, documentation, and sample app.

Please let us know how we’re doing and contact us with any issues you may encounter.

Kicking off Google Play Coffee breaks, with Jimjum Studios

Posted by Leo Olebe, Managing Director, Games Partnerships, Google Play

Today we are launching Google Play Coffee breaks, a new series where members of our partnerships team get together with apps and games companies to exchange tips and personal lessons gained from the industry, as well as insights gained from participating in some of our Play programs. All in enough time to fit into your coffee break!

To kick it all off, I enjoyed a virtual coffee with Nimrod Kimhi, Co-founder & CEO, at Jimjum Studios, a small games company from Israel. They participated in the 2021 edition of the Indie Games Festival, making it into the top 10 finalists, and later took part in the Indie Games Accelerator. We felt it was time for us to check back in on the growth they’ve been achieving.

Watch the full Coffee breaks episode and read my reflections below:

Launching their first game, Froglike: The Frog Roguelike, just one year ago in 2021, the team of five friends have already made an impact on the mobile game ecosystem early on in their business journey.

Nim described how their studio is composed of two brothers, two childhood friends, and a musician who they convinced to get onboard their team. Each has a mix of talents and expertise which complement each other and fit together. And I think this is one of the most important parts of succeeding in this industry. A great team is able to challenge each other and put new ideas on the table, but also come together and agree on those big decisions that are going to move your business forward.

I really enjoyed catching up with Nim during our first Google Play Coffee breaks. What I found most rewarding was to hear directly from Nim about his experience of the Indie Games Accelerator and Festival. It was actually Jimjum’s chief game designer who initially convinced Nim to sign up for the contest. Despite his initial hesitations of how the competition might interrupt their progress with building the game, Nim says now that the learnings they got from the program saved their team three years worth of mistakes.


Lessons learned in the game industry

The first? Test early. Nim couldn’t have said it better - make the MVP of your product and get feedback from the gaming community as soon as possible. This is even more important with games because you do have that abstract and subjective layer of what it means to be ‘fun’. You must go through that constant loop of feedback from players and iterations of your game, even though it can be tempting to just push forward with your artistic vision.

I think this is a really important insight to highlight. From my own experiences here at Google Play and in the mobile gaming industry, one of the most exciting parts about growing a games business is handing your game to the players and discovering ideas that you hadn’t considered yourself. It’s about being flexible, rolling with the punches, and being open to the learning journey rather than rigidly sticking to your original blueprint. Learning from others is what is going to take your game from good to great.

The second? Don’t lose the core heart of your game. Nim described how every team should know and agree on their Northstar when designing the game, and stick to it. It is easy to get distracted by all the analytics and feedback - and also just through the noise that is the mobile industry and the commercial pressures of making a game. But I agree with Nim, it is so important to never lose the heart of what you are building, and your passion behind it, in order to create a truly unique experience for your users.



Success for small Indie studios

After participating in our Indie Games Accelerator, I was interested to hear from Jimjum about the learnings they had gained, and how they were able to use them to build such a solid foundation on Google Play and beyond.

One of the main areas that Nim raised was the need for every game to have a solid marketing strategy. Nim’s key focus is to work on a distribution plan, using channels like online communities to drive awareness of their title. A big part of the strategy is to find key influencers in the field and get them involved with their game. It is also about having a launch phase that allows them to take it step-by-step, rather than one big launch. This meant waiting until they were confident their game was ready, prioritizing certain geographical locations before others, and - of course - testing every step of the way.

As well as a marketing strategy, I’d add that it’s also about being open to the learning journey. Absorb as much knowledge as you can. There are so many others out there who have been down this road before, so learn from their successes and (perhaps more importantly) their mistakes. As you grow, use your unique perspectives and ideas to then share what you know with others and help build that circle of reciprocity.

Finally, in a world of millions of gamers, you can find your audience. It may take longer than you imagine, it may be harder, but they are there.

It was a genuine pleasure to chat to Nim about his experiences. I can’t wait to see Jimjum’s continued growth and new gaming adventures. It is studios like Jimjum that inspire me and my team to keep supporting indies in all ways that we can - whether that’s through programs like the Indie Games Accelerator and the Indie Games Festival (you can sign up now to hear when submissions open for the 2022 editions) or through more resources and tools to help them grow even further.

We are looking forward to continuing to learn from more businesses, and see what you all do next. Stay tuned for the next episode of Coffee Breaks.

Do you have any questions for Jimjum? What are your own tips for other indie studios? Share them in the comments below.


Get more information about your apps in Google Play

We work hard to keep Google Play a safe, trusted space for people to enjoy the latest Android apps. Today, we’re launching a new feature, the Data safety section, where developers will be required to give people more information about how apps collect, share and secure users’ data. Users will start seeing the Data safety section in Google Play today, and developers are required to complete this section for their apps by July 20th. As app developers update their functionality or change their data handling practices, they will show the latest in the apps’ Data safety section.

A unified view of app safety in Google Play

We heard from users and app developers that displaying the data an app collects, without additional context, is not enough. Users want to know for what purpose their data is being collected and whether the developer is sharing user data with third parties. In addition, users want to understand how app developers are securing user data after an app is downloaded. That’s why we designed the Data safety section to allow developers to clearly mark what data is being collected and for what purpose it's being used. Users can also see whether the app needs this data to function or if this data collection is optional.

Here is the information developers can show in the Data safety section:

  • Whether the developer is collecting data and for what purpose.
  • Whether the developer is sharing data with third parties.
  • The app’s security practices, like encryption of data in transit and whether users can ask for data to be deleted.
  • Whether a qualifying app has committed to following Google Play’s Families Policy to better protect children in the Play store.
  • Whether the developer has validated their security practices against a global security standard (more specifically, the MASVS).

Putting users in control, before and after you download

Giving users more visibility into how apps collect, share and secure their data through the Data safety section is just one way we’re keeping the Android users and ecosystem safe.

We’ve also worked hard to give users control of installed apps through simple permissions features. For example, when an app asks to access “your location”, users can quickly and easily decide whether they want to grant that permission - for one time use, only while using the app, or all the time. For sensitive permissions like camera, microphone, or location data, people can go to the Android Privacy dashboard to review data access by apps.

Apps should help users explore the world, connect with loved ones, do work, learn something new, and more without compromising user safety. The new Data safety section, in addition to Google Play’s existing safety features, gives people the visibility and control they need to enjoy their apps.

To learn more about Google Play’s Data safety section, check out this guide.

Things to know from the 2022 Android App Excellence Summit

Posted by The Google Play Team


Creating a consistent and intuitive user experience is more important than ever to grow your audience and scale your business. To help you, Google Play, Android, and Firebase shared the latest insights and best practices on building high quality Android apps, improving developer productivity, and creating the best possible experience across all Android devices at the 2022 Android App Excellence Summit.

If you missed any sessions, we have you covered! You can watch all the content from the summit on our #AppExcellenceSummit playlist here.

Some highlights include;

Curious for more? Get additional resources of everything we shared at the 2022 Android App Excellence Summit by visiting g.co/android/appexcellence.

We are committed to empowering the developer ecosystem to build high quality experiences across all Android devices. We greatly appreciate everyone who joined us during our App Excellence Summit and we’re looking forward to hearing your feedback. Keep in touch with us on Twitter with #AppExcellenceSummit.

Expanding Play’s Target Level API Requirements to Strengthen User Security

Posted by Krish Vitaldevara, Director, Product Management


Google Play helps our developer community distribute the world's most innovative and trusted apps to billions of people. This is an ongoing process and we're always working on ways to improve app safety across the ecosystem.

In addition to the Google Play features and policies that are central to providing a safe experience for users, each Android OS update brings privacy, security, and user experience improvements. To ensure users realize the full benefits of these advances—and to maintain the trusted experience people expect on Google Play—we collaborate with developers to ensure their apps work seamlessly on newer Android versions.

We currently require new apps and app updates to target an Android API level within one year of the latest major Android OS version release. New apps and app updates that don’t meet this requirement cannot be published on Google Play. For exact timelines, please refer to this Help Center article.

Current target API Level requirements for new apps and app updates



Today, as part of Google Play’s latest policy updates, we are taking additional steps to protect users from installing apps that may not have the latest privacy and security features by expanding our target level API requirements.

Starting on November 1, 2022, existing apps that don’t target an API level within two years of the latest major Android release version will not be available for discovery or installation for new users with devices running Android OS versions higher than apps’ target API level. As new Android OS versions launch in the future, the requirement window will adjust accordingly.

Target API Level requirements for existing apps, starting November 1



The rationale behind this is simple. Users with the latest devices or those who are fully caught up on Android updates expect to realize the full potential of all the privacy and security protections Android has to offer. Expanding our target level API requirements will protect users from installing older apps that may not have these protections in place.

The good news is that the vast majority of apps on Google Play already abide by these standards. For other apps, we know this will require additional attention, which is why we are notifying developers well in advance and providing resources for those who need them.

We encourage you to:

  • Review our technical guide on migrating your app to meet Google Play's target API level requirements.
  • Review our Help Center article on the target API level requirements by Android OS.
  • Request an optional 6-month extension if you need more time for migration. The form will be available in your Developer Play Console later this year.

Current users of older apps who have previously installed the app from Google Play will continue to be able to discover, re-install, and use the app on any device running any Android OS version that the app supports.

This strengthened Target Level API policy is just one of the policy updates we announced today to expand user protections and improve user experiences on Google Play. We’ll continue to share updates about this important work that will help raise the bar for app privacy and security across the board, making Google Play and Android a safer place for everyone.

For more resources:

Access Android vitals data through the new Play Developer Reporting API

Posted by Lauren Mytton, Product Manager, Google Play


Quality is foundational to your game or app’s success on Google Play, and Android vitals in Google Play Console is a great way to track how your app is performing. In fact, over 80% of the top one thousand developers check Android vitals at least once a month to monitor and troubleshoot their technical quality, and many visit daily.

While the Android vitals overview in Play Console lets you check your app or game’s quality at a glance, many developers have told us that they want to work with their vitals data outside Play Console, too. Some of your use cases include:

  • Build internal dashboards
  • Join with other datasets for deeper analysis, and
  • Automate troubleshooting and releases

Starting today, these use cases are now possible with the new Play Developer Reporting API.

The Play Developer Reporting API allows developers to work with app-level data from their developer accounts outside Play Console. In this initial launch, you get access to the four core Android vitals stability and battery metrics: crash rate, ANR rate, excessive wake-up rate, and stuck background wake-lock rate, along with crash and ANR issues and stack traces. You can also view anomalies, breakdowns (including new country filters in Vitals), and three years of metric history.


Set up access to the new Play Developer Reporting API from the API Access page in Play Console.

Getting started with the API

To enable the API, you must be an owner of your developer account in Play Console. Then you can set up access in minutes from the API Access page in Play Console. Our documentation covers everything you need to know to get started.

Using the API

You can find sample requests in the API documentation, along with a list of available endpoints (for both alpha and beta releases).

Best practices

Once you have enabled the API, you may wish to send some requests manually to get a sense of the API resources and operation before implementing more complex solutions. This can also help you establish query times, which will vary depending on the amount of data being processed. Queries over long time ranges, across many dimensions, and/or against very large apps will take longer to execute.

Most of our metric sets are refreshed once a day. To avoid wasting resources and request quota, we recommend you use the provided methods to check for data freshness and verify that new data is available before issuing a query.

Thank you to all the developers who requested this feature. We hope it helps you continue to improve your apps and games. To learn more about Android vitals and the Play Developer Reporting API, view our session from the Google for Games Developer Summit.
