I'm investigating the new Android reCAPTCHA API, but I am not really getting what the point is of validating the user token via https://www.google.com/recaptcha/api/siteverify and why this isn't done automatically by the SafetyNet client.
Can someone explain why this is needed, what could happen if I don't do it, and why it isn't done already by the SafetyNet client?
The reCAPTCHA API on the client side (mobile phone) verifies the user and issues a token that needs to be validated.
It is important to note that this validation is done on the backend side (not client side), so think of it as a one-time token to verify the user on >>your<< backend. reCAPTCHA stops the bots from automating the process as much as it can, and the one-time token stops replay attacks if someone sniffs out a valid token somewhere.
So to summarize, you need to have your own backend that does the reCAPTCHA token validation.
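A backend-side validation of that token, as an added example (my code, not from the answer above or from Google's SDK). It assumes the siteverify request and response fields Google documents (secret and response in the POST; success, challenge_ts, apk_package_name and error-codes in the JSON reply); the injectable transport, the shared used-token set and the sample responses in demo() are constructed so the example runs offline.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

def post_siteverify(secret, token):
    """Real transport: POST the client's token to Google, return parsed JSON."""
    data = urllib.parse.urlencode({"secret": secret, "response": token}).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=data, timeout=10) as resp:
        return json.load(resp)

def verify_token(token, secret, expected_package, used_tokens,
                 transport=post_siteverify, max_age=timedelta(minutes=2), now=None):
    """Backend check of one reCAPTCHA token; returns (accepted, reason).
    used_tokens is a set shared across requests (assumed to live in your session
    store) so a sniffed token replayed against this backend is refused."""
    if not token or token in used_tokens:
        return False, "replayed-or-empty-token"
    result = transport(secret, token)
    if not result.get("success"):
        return False, "google-rejected:" + ",".join(result.get("error-codes", []))
    # For the Android API the reply names the app the token was issued for;
    # reject tokens minted for some other app that shares the same site key.
    if result.get("apk_package_name") != expected_package:
        return False, "package-mismatch"
    issued = datetime.fromisoformat(result["challenge_ts"].replace("Z", "+00:00"))
    if (now or datetime.now(timezone.utc)) - issued > max_age:
        return False, "token-too-old"
    used_tokens.add(token)  # consume it: one token, one backend action
    return True, "ok"

def demo():
    """Run verify_token against constructed siteverify replies (no network)."""
    now = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)
    good = {"success": True, "challenge_ts": "2024-05-01T12:00:00Z",
            "apk_package_name": "com.example.app"}
    dup = {"success": False, "error-codes": ["timeout-or-duplicate"]}
    used = set()
    args = ("dummy-secret", "com.example.app", used)
    ok = lambda *_: good  # constructed transport standing in for Google
    return [
        verify_token("tok-1", *args, transport=ok, now=now),
        verify_token("tok-1", *args, transport=ok, now=now),
        verify_token("tok-2", "dummy-secret", "com.other.app", used, transport=ok, now=now),
        verify_token("tok-3", *args, transport=lambda *_: dup, now=now),
        verify_token("tok-4", *args, transport=ok, now=now + timedelta(minutes=10)),
    ]
```

The second call with tok-1 is refused locally before Google is even asked, which is the replay protection the answer refers to.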