I've integrated Google Play Integrity API into the SDK we develop according to the documentation in Android Developer. When consuming application is registered in the GooglePlay Store and linked to the Google Cloud project everything works. But when the SDK consumed in application that is not distributed via GooglePlay Store the absolutely same flow return empty integrity verdict (signed and encrypted and I succeed to verify it and decrypt it). In documentation it says:
No labels (a blank value) The app is running on a device that has signs of attack (such as API hooking) or system compromise (such as being rooted), or the app is not running on a physical device (such as an emulator that does not pass Google Play integrity checks).
Now I run this on original Pixel device which meets strong integrity if application is distributed via PlayStore. My difference from documentation is that I have application which is not distributed via PlayStore and has an SDK that uses PlayIntegrity. Is this possible to make this configuration to work ?
I've found an explanation. First of all applications distributed outside GooglePlay do get Integrity response in SDK. My problem was that my device was enrolled in Beta and there was an update waiting to be installed and for this reason Play Integrity doesn't approved my device, thus the response was empty. Updating device to the latest Beta resolved the problem.