Upload your app for analysis

The Checks API can analyze Android and iOS apps before release so that you have visibility into your app's data collection and sharing behaviors and potential compliance issues before launching your app publicly.

This quickstart shows you how to upload an app using the gcloud CLI and the cURL command.

Prerequisites

Before you begin, make sure you are able to send authorized requests using our Authorization guide.

Prepare your app bundle

Android

Generate an APK or AAB file for your app.

See Build and run your app in the Android documentation for instructions.

iOS

In Xcode, select a provisioning profile for the target app.

Note: Checks re-signs your app with its own provisioning profile and certificate.
From the drop-down menu that appears, click Product > Archive. Select the most recent archive, then click Distribute App.
In the window that appears, click Development > Next.
(Optional) To get a faster build, deselect the Rebuild from Bitcode option, then click Next.

Checks doesn't require thinning or rebuilding your app to run a test so you can safely disable this option.
Click Export, then specify a directory where you want to download your app's IPA file.

Upload your app bundle

Upload your app bundle using the media.upload method.

There are two ways to upload your app:

Binary with metadata

You may include metadata such as the codeReferenceId which links the analysis with a specific commit in your code repository.

Send a multipart POST request with the header X-Goog-Upload-Protocol: multipart where the first body part contains the metadata as JSON and the second body part contains the binary upload:

curl -X POST \
    -H "X-Goog-User-Project: PROJECT_ID" \
    -H "Authorization: Bearer $(gcloud auth application-default print-access-token --scopes=https://www.googleapis.com/auth/checks)" \
    -H "X-Goog-Upload-Protocol: multipart" \
    -F "metadata={\"codeReferenceId\":\"COMMIT_SHA\"}" \
    -F "binary=@BINARY_PATH" \
    "https://checks.googleapis.com/upload/v1alpha/accounts/ACCOUNT_ID/apps/APP_ID/reports:analyzeUpload"

Binary only

Send a regular POST request with the header X-Goog-Upload-Protocol: raw to upload your app without any metadata:

curl -X POST \
    -H "X-Goog-User-Project: PROJECT_ID" \
    -H "Authorization: Bearer $(gcloud auth application-default print-access-token --scopes=https://www.googleapis.com/auth/checks)" \
    -H "X-Goog-Upload-Protocol: raw" \
    -H "Content-Type: application/octet-stream" \
    --data-binary @BINARY_PATH \
    "https://checks.googleapis.com/upload/v1alpha/accounts/ACCOUNT_ID/apps/APP_ID/reports:analyzeUpload"

Once your app has finished uploading, a pending google.longrunning.Operation is returned:

{
  "name": "accounts/ACCOUNT_ID/apps/APP_ID/operations/OPERATION_ID"
}

Check the state of your analysis

You can check the state of your analysis by calling the accounts.apps.operations.get method:

curl -X GET \
    -H "X-Goog-User-Project: PROJECT_ID" \
    -H "Authorization: Bearer $(gcloud auth application-default print-access-token --scopes=https://www.googleapis.com/auth/checks)" \
    "https://checks.googleapis.com/v1alpha/accounts/ACCOUNT_ID/apps/APP_ID/operations/OPERATION_ID"

The following response is returned depending on the state:

Pending

{
  "name": "accounts/ACCOUNT_ID/apps/APP_ID/operations/OPERATION_ID"
}

Complete

{
  "name": "accounts/ACCOUNT_ID/apps/APP_ID/operations/OPERATION_ID",
  "done": true,
  "response": {
    "@type": "type.googleapis.com/google.checks.report.v1alpha.Report",
    "name": "accounts/ACCOUNT_ID/apps/APP_ID/reports/REPORT_ID",
    "resultsUri": "https://checks.google.com/console/dashboard/REPORT_ID?a=APP_ID"
  }
}

Error

{
  "name": "accounts/ACCOUNT_ID/apps/APP_ID/operations/OPERATION_ID",
  "done": true,
  "error": {
    "code": 500,
    "message": "Deadline exceeded.",
    "status": "INTERNAL",
    "details": [
      ...
    ]
  }
}

View your analysis

View your analysis by calling the accounts.apps.reports.get method:

curl -X GET \
    -H "X-Goog-User-Project: PROJECT_ID" \
    -H "Authorization: Bearer $(gcloud auth application-default print-access-token --scopes=https://www.googleapis.com/auth/checks)" \
    "https://checks.googleapis.com/v1alpha/accounts/ACCOUNT_ID/apps/APP_ID/reports/REPORT_ID"

By default, this returns only the report resource name and a URL to view the report in the Checks Console.

To see more data, include a field mask in the request. For example, add the URL query parameter fields=name,resultsUri,checks to include the checks field:

{
  "name": "accounts/ACCOUNT_ID/apps/APP_ID/reports/REPORT_ID",
  "resultsUri": "https://checks.area120.google.com/console/dashboard/REPORT_ID?a=APP_ID",
  "checks": [
    {
      "type": "DATA_MONITORING_NEW_ENDPOINT",
      "severity": "POTENTIAL",
      "state": "FAILED",
      ...
    },
    ...
  ]
}

What's next?

See Query reports to learn how to fetch the results of your analysis.