> **Warning:** This document is confidential and access is governed by your non-disclosure agreement with Google.
>
> **Caution:** The account activity signal has been deprecated and no new apps will be accepted in the EAP. For existing apps in the EAP, account activity will return `UNEVALUATED` from late January 2025 and will be removed completely in May 2025.

Create a more effective and nuanced anti-abuse strategy with Play account
activity, a new signal in the Play Integrity API. Account activity is
represented by levels based on the presence and volume of store activity and the
age of the accounts on the device. When it's evaluated, an account activity
level is returned for the current user session and is not linked to user or
device identifiers.

## What is Play account activity?

The Play Integrity API offers a collection of integrity signals to help app and
game developers detect potentially risky and fraudulent traffic. Developers in
this early access program can add account activity to their API response, which
already contains the device, application, and account license verdicts. If the
device, application, or license verdicts have issues, then account activity will
be unevaluated. If the existing verdicts are issue-free, then account activity
will return a level. The level is determined based on the presence and volume of
store activity and the age of the accounts on the device. The level will help
your app differentiate between likely genuine users and likely non-genuine
traffic (such as accounts being used for fraud, accounts used by automated
traffic, or accounts used in device farms). Your app can use this signal,
alongside others, when protecting high value or sensitive actions.

Apps participating in the early access program (EAP) can receive one of the
following account activity levels for the current user session:

- `UNEVALUATED`: Account activity is not evaluated because the device is not trusted or the user does not have a Play app license.
- `UNUSUAL`: Google Play store activity is unusual for at least one of the user accounts on the device. Google Play recommends checking that this is a real user.
- `UNKNOWN`: Google Play does not have sufficient store activity for the user account on the device. The account may be new, or it may lack activity on Google Play.
- `TYPICAL (BASIC)`: Google Play store activity is typical for the user account or accounts on the device.
- `TYPICAL (STRONG)`: Google Play store activity is typical for the user account or accounts on the device, with harder-to-replicate signals.

## Recommended practices for Play Integrity API account activity

**Use account activity as part of an anti-abuse strategy**

Account activity works best when used alongside other signals as part of your
overall anti-abuse strategy and not as your sole anti-abuse mechanism. Use this
signal and the Play Integrity API in conjunction with other appropriate
[security best practices](https://developer.android.com/topic/security/best-practices) for your app.

**Gather telemetry and understand your audience before taking action**

Before you change functionality based on account activity or other Play
Integrity API verdicts, implement the API without enforcement to understand the
current situation with your existing audience. Once you know what levels your
current install base is returning, you can estimate the impact of any
enforcement you're planning and adjust your anti-abuse strategy accordingly.

**Challenge risky traffic when accessing high value or sensitive features**

Identify high value or sensitive actions in your app or game to protect with the
Play Integrity API instead of denying access to your app or game outright. When
possible, challenge risky traffic before allowing high-value actions to proceed.
For example, when the account activity level is `UNUSUAL`, you could require a
second verification mechanism before the user can complete the action you're
protecting.

**Plan for user support**

When possible, provide useful error messages to the user, and let them know what
they can do to fix the problem, such as retrying, enabling their Internet connection, or
checking that the Google Play store app is up to date. Account activity
evaluations are periodically updated by Google Play. New store activities can
automatically change a user's level during these periodic updates.

**Follow the existing recommendations for the Play Integrity API**

In addition to the preceding practices, read the [security
considerations](https://developer.android.com/google/play/integrity/overview#security-considerations) for the
Play Integrity API.

## Get early access to Play Integrity API account activity

Follow these steps to start using account activity.

### Step 1: Review these important considerations

- Account activity is in active development and is subject to change.
- Account activity is still confidential. Do not share information about account activity or account activity levels with end users.
- By using account activity you agree to the terms in the [Google Play Developer
  Distribution
  Agreement](https://play.google.com/about/developer-distribution-agreement.html) and the [Play Integrity API Terms of Service](https://developer.android.com/google/play/integrity/terms).
- Developers participating in the early access program are expected to evaluate the account activity signal and provide feedback and information about the outcome of their evaluation to Google Play before altering their enforcement strategy.

### Step 2: Request to join the Play Integrity API account activity EAP

Developers in the Google Play Partner Program for Games automatically have
access to the account activity EAP and can skip to step 3.

Other developers can express interest in joining the early access program by
emailing [integrity-api-eap@google.com](mailto:integrity-api-eap@google.com) with the following information:

- Your package name and developer account ID.
- Confirmation that you have read the recommended practices for account activity.
- How you intend to evaluate account activity and, if you already have an idea, how you expect to use account activity.
- Your expected timeline once you are accepted into the account activity early access program.

At this time, we are only accepting developers that meet high-scale performance
thresholds on Google Play with accounts in good standing.

### Step 3: Turn on account activity in the Integrity API response from the Google Play Console

Once you've been accepted into the early access program, you will see a new
option on the Integrity API page in the Play Console to include account activity
in your Play Integrity API response. When you are ready, turn on account
activity in the Play Console:

1. Sign in to the Play Console.
2. Select the app that will use account activity.
3. In the **Release** section of the left menu, go to **App integrity**.
4. Next to **Play Integrity API**, click **Settings**.
5. In the **Responses** section of the page, next to **Account activity**, click **Turn on**.
6. In the window that appears, click **Turn on**.

When you turn on or turn off account activity, any [Play Integrity API test
responses](https://developer.android.com/google/play/integrity/additional-tools#create-tests) that you've set
up in the Play Console will be deleted and you will need to create them again.

### Step 4: Integrate the Integrity API in your app and your app's backend server

If you haven't already done so, follow the documentation to [integrate the Play
Integrity API](https://developer.android.com/google/play/integrity/setup) into your app and your app's
backend server.

### Step 5: Work with account activity

Once enabled, the `accountDetails` field in the [Play Integrity API
payload](https://developer.android.com/google/play/integrity/verdict#returned-payload-format) will contain
the new account activity signal that represents the activity associated with the
user accounts on the device.  

    accountDetails: {
      // Represents the licensing status of the user session.
      // This field can be LICENSED, UNLICENSED, or UNEVALUATED.
      appLicensingVerdict: "LICENSED"

      // Represents the activity level associated with the user accounts on
      // the device of the user session.
      accountActivity: {
         // This field can be UNEVALUATED, UNUSUAL,
         // UNKNOWN, TYPICAL_BASIC, TYPICAL_STRONG
         activityLevel: "UNUSUAL"
      }
    }

`accountActivity.activityLevel` can have the following values:

UNUSUAL
:   Google Play store activity is unusual for at least one of the user accounts on
    the device.

UNKNOWN
:   Google Play does not have sufficient store activity for the user account on
    the device. The account may be new, or it may lack activity on Google Play.

TYPICAL (BASIC)
:   Google Play store activity is typical for the user account or accounts on the
    device.

TYPICAL (STRONG)
:   Google Play store activity is typical for the user account or accounts on the
    device, with harder-to-replicate signals.

UNEVALUATED

:   Account activity is not evaluated because a necessary requirement was missed.

    This could happen for several reasons, including the following:

    - The device is not trustworthy enough.
    - The version of your app installed on the device is unknown to Google Play.
    - The user is not signed in to Google Play.
    - The user does not have the necessary license for accessing the app.

To check that the user accounts on the device have unusual account activity,
verify that the `accountActivity.activityLevel` is as expected, as shown in the
following code snippet:  

### Kotlin

```kotlin
val requestDetails = JSONObject(payload).getJSONObject("accountDetails")
val accountActivity = requestDetails.getJSONObject("accountActivity")
val activityLevel = accountActivity.getString("activityLevel")

if (activityLevel == "UNUSUAL") {
    // One of the accounts is UNUSUAL! Be careful.
}
```

### Java

```java
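// payload is the decrypted and verified integrity verdict, as a JSON string.
JSONObject requestDetails =
    new JSONObject(payload).getJSONObject("accountDetails");
// requestDetails is already a JSONObject, so read the nested object directly.
JSONObject accountActivity =
    requestDetails.getJSONObject("accountActivity");
String activityLevel = accountActivity.getString("activityLevel");

// Compare string contents with equals(); == compares object references in Java.
if ("UNUSUAL".equals(activityLevel)) {
    // One of the accounts is UNUSUAL! Be careful.
}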
```
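
The following is an added example, not code from the original page or from Google's samples. It combines the parsing above with the recommended practices: a monitor-only pass before enforcement, and a challenge only for `UNUSUAL` sessions on high-value actions. `Action`, `Decision`, `activityLevelOf`, `decide` and the policy mapping are assumptions for illustration; the payloads are constructed and assumed to be already decrypted and verified on your server.

```kotlin
import org.json.JSONObject

// Hypothetical policy types for this example; not part of the Play Integrity API.
enum class Action { ALLOW, CHALLENGE, DEFER }
data class Decision(val level: String, val wouldTake: Action, val applied: Action)

// Reads accountDetails.accountActivity.activityLevel from an already decrypted
// and verified payload. A missing object or field is mapped to UNEVALUATED so
// a response without the signal follows the same path as an unevaluated one.
fun activityLevelOf(payload: String): String {
    val level = JSONObject(payload)
        .optJSONObject("accountDetails")
        ?.optJSONObject("accountActivity")
        ?.optString("activityLevel")
    return if (level.isNullOrEmpty()) "UNEVALUATED" else level
}

// Assumed policy: only UNUSUAL on a high-value action triggers a challenge.
// With enforce = false the decision is recorded but this signal changes nothing.
fun decide(payload: String, highValueAction: Boolean, enforce: Boolean): Decision {
    val level = activityLevelOf(payload)
    val wouldTake = when (level) {
        "UNUSUAL" -> if (highValueAction) Action.CHALLENGE else Action.ALLOW
        "UNKNOWN", "TYPICAL_BASIC", "TYPICAL_STRONG" -> Action.ALLOW
        // UNEVALUATED or an unrecognised value: this signal says nothing, so
        // the device, app and licensing verdicts decide instead.
        else -> Action.DEFER
    }
    return Decision(level, wouldTake, if (enforce) wouldTake else Action.ALLOW)
}

fun main() {
    // Constructed sample payloads, reduced to the accountDetails field.
    val samples = listOf(
        """{"accountDetails":{"appLicensingVerdict":"LICENSED","accountActivity":{"activityLevel":"UNUSUAL"}}}""",
        """{"accountDetails":{"appLicensingVerdict":"LICENSED","accountActivity":{"activityLevel":"TYPICAL_STRONG"}}}""",
        """{"accountDetails":{"appLicensingVerdict":"UNEVALUATED","accountActivity":{"activityLevel":"UNEVALUATED"}}}""",
        """{"accountDetails":{"appLicensingVerdict":"LICENSED"}}"""
    )
    // Telemetry pass: enforcement off, count what enforcement would have done.
    val tally = samples.map { decide(it, highValueAction = true, enforce = false) }
        .groupingBy { "${it.level} -> ${it.wouldTake}" }
        .eachCount()
    tally.forEach { (outcome, count) -> println("$outcome: $count") }
}
```

Keep the level in server-side logs only; the considerations in Step 1 ask that account activity levels not be shared with end users.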

### Step 6: Test your integration with account activity

You can create tests to evaluate how the account activity levels from the Play
Integrity API interact with your app using the available Play Integrity API test
feature. The instructions for using this test feature are available at the [Play
Console help
center](https://support.google.com/googleplay/android-developer/answer/11395166#test_integration).

### Step 7: Provide early access feedback to Google Play

We would like participants in the early access program to provide feedback on
account activity. To provide feedback, email [integrity-api-eap@google.com](mailto:integrity-api-eap@google.com). Our
developer research team will also be in touch to arrange interviews. We're
interested in understanding the following:

- How accurately does the account activity level correlate with known abusive accounts for your app or game?
- Does the audience distribution of account activity and other Play Integrity API verdicts match your expectations?
- What abuse problems are you trying to solve with account activity and other Play Integrity API verdicts?
- What functionality are you planning to change based on account activity and other Play Integrity API verdicts?

## Other Play integrity tools

Consider using these other integrity protection tools as part of your anti-abuse
strategy:

- [Exclude untrustworthy
  devices](https://support.google.com/googleplay/android-developer/answer/11395166#set_up_device_exclusion) from being able to find and install your app on Google Play. This does not prevent users from obtaining and installing your app via other means (such as sideloading).
- [Use automatic integrity
  protection](https://support.google.com/googleplay/android-developer/answer/10183279) to prevent unauthorized modification and redistribution without changes to your code. If you don't currently have access to this feature, contact your partner manager.
- [Request package name protection (early access program)](https://support.google.com/googleplay/android-developer/answer/11586721) to defend against unknown and modified versions of your app, whenever they're installed on Android 11+ devices running Google Play services.

## Related content

- Learn more about the [Play Integrity API](https://developer.android.com/google/play/integrity) on the Android Developers site (documentation)
- [Improve your game's security with Play Integrity
  API](https://www.youtube.com/watch?v=wEsNemtwHyc) (video)
- Boost the security of your app with the [nonce field of the Play Integrity
  API](https://android-developers.googleblog.com/2022/05/boost-security-of-your-app-with-nonce.html) (blog post)