Android's permission model evolved from install-time permissions (pre-6.0) to runtime permissions (6.0+) to scoped permissions (10+). Modern apps must request dangerous permissions at use-time, through a UI prompt. SafetyNet (now the Play Integrity API) lets apps attest device integrity: whether the device has been rooted, whether it runs a stock OEM build, and whether it has been tampered with. The attestation is cryptographically signed by Google.
Modern Android permission flow: the app calls requestPermissions([ACCESS_FINE_LOCATION]) at use-time. The user sees a prompt with the options 'allow once / while using / deny', and the app handles each branch. Play Integrity API: integrityManager.requestIntegrityToken() returns a JWT signed by Google that asserts device integrity.
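What the backend does with the attestation matters as much as requesting it. The following is an added example, not part of the original lesson and not Google's code: a server-side policy check over a verdict payload that has already been decrypted and verified through Google's server-side decode step. The package name, nonce, timestamps, sample payloads and the five-minute freshness window are constructed assumptions.

```python
import hmac
import time

MAX_AGE_MS = 5 * 60 * 1000  # assumed freshness window; tune to your own risk policy

def evaluate_verdict(payload, expected_package, expected_nonce, now_ms=None):
    """Return the reasons to reject a decoded verdict; an empty list means accept."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons = []
    req = payload.get("requestDetails", {})
    # The verdict must have been requested by our app, not another package.
    if req.get("requestPackageName") != expected_package:
        reasons.append("package_mismatch")
    # The nonce ties the verdict to one server-issued challenge (anti-replay).
    got = str(req.get("nonce", "")).encode()
    if not hmac.compare_digest(got, expected_nonce.encode()):
        reasons.append("nonce_mismatch")
    # Reject verdicts with a missing, future-dated or too-old timestamp.
    try:
        age = now_ms - int(req["timestampMillis"])
    except (KeyError, TypeError, ValueError):
        age = -1
    if not 0 <= age <= MAX_AGE_MS:
        reasons.append("stale_or_missing_timestamp")
    app = payload.get("appIntegrity", {})
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app_not_recognized")
    # No labels means the device did not meet the integrity check.
    labels = payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if "MEETS_DEVICE_INTEGRITY" not in labels:
        reasons.append("device_integrity_not_met")
    return reasons

# Constructed sample payloads (not captured from a real device).
NOW_MS = 1_700_000_060_000
GOOD = {
    "requestDetails": {"requestPackageName": "com.example.pay",
                       "nonce": "c2VydmVyLWNoYWxsZW5nZS0wMDE",
                       "timestampMillis": "1700000000000"},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"]},
}
ROOTED = {**GOOD, "deviceIntegrity": {"deviceRecognitionVerdict": []}}

if __name__ == "__main__":
    nonce = GOOD["requestDetails"]["nonce"]
    for name, p in (("good", GOOD), ("rooted", ROOTED)):
        print(name, evaluate_verdict(p, "com.example.pay", nonce, NOW_MS))
```

The decision is made on the server because a check that runs only inside the app can be patched out on the same device the verdict is meant to assess.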
Use these three in order. Each builds on the one before.
In one paragraph, explain Android runtime permissions and Play Integrity.
Walk me through what Play Integrity attests, cryptographically.
Design app hardening for a payment app on Android — what defences against rooted devices?