Firebase App Check (Play Integrity API) fails on certified, non-rooted devices — App attestation failed (403)
We have integrated Firebase App Check on Android using the Play Integrity API provider. Initially, App Check was disabled due to issues with some users, particularly those on GrapheneOS, who were being blocked. We had to support that OS using hardware attestation.
Since then, we re-enabled Firebase App Check, and it works well in most cases. However, we're now encountering situations where legitimate users are blocked with the following error:
Caused by com.google.firebase.FirebaseException: Error returned from API. code: 403 body: App attestation failed.
at com.google.firebase.appcheck.internal.NetworkClient.makeNetworkRequest(NetworkClient.java:190)
at com.google.firebase.appcheck.internal.NetworkClient.exchangeAttestationForAppCheckToken(NetworkClient.java:122)
at com.google.firebase.appcheck.playintegrity.internal.PlayIntegrityAppCheckProvider.lambda$getToken$0(PlayIntegrityAppCheckProvider.java:87)
at com.google.android.gms.tasks.zzz.run(zzz.java:1)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
at com.google.firebase.concurrent.CustomThreadFactory.lambda$newThread$0(CustomThreadFactory.java:47)
at java.lang.Thread.run(Thread.java:1012)
From what we understand, this happens when the Play Integrity attestation fails — usually when the deviceRecognitionVerdict array is empty or does not contain any of the following values:
- MEETS_STRONG_INTEGRITY
- MEETS_DEVICE_INTEGRITY
- MEETS_BASIC_INTEGRITY
Expected valid example:
deviceIntegrity: {
deviceRecognitionVerdict: ["MEETS_DEVICE_INTEGRITY"]
}
On Google Play Console, we have updated the App Integrity API settings to allow at least one of the values above.
In most cases, this is expected for unsupported OS, rooted/modified devices, or even when someone attempts to install the app on a Raspberry Pi — and that is fine.
However, we have legitimate users who are blocked despite having compliant devices. For instance:
- Device: Pixel 4a
- Certified by Google Play
- Play Protect OK
- Stock ROM, non-rooted, up-to-date with latest security updates
- Integrity checks via App Integrity Checker app: all levels of device integrity are failing
Our app is fully mobile and there is no alternative access point for users to log in.
At this point:
- Is there any way to unblock these legitimate users?
- Could a factory reset potentially fix this issue?
- Any other ideas or workarounds to resolve this unexpected behavior?
We have other similar cases with Xiaomi devices (Redmi Note 13 Pro 5G, Xiaomi 14T Pro, Xiaomi 13T Pro, ...)
Thanks in advance for your help!
I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
We've seen ongoing issues with the Play Integrity API generally since the move to HW-backed attestation responses on Android 13+ earlier this year.
Customers' devices will randomly fail all device verdicts without being modified (both old and new devices, we've seen it on a Pixel 8) and sometimes devices with unlocked bootloaders and root will randomly pass all 3 verdicts (such as my own Pixel 9 Pro XL, which I run with Magisk for root access).
It's seemingly random, and on most occasions a reboot will kick whatever is confusing Play Integrity into working properly again, but this doesn't always work.
We have our own backend for App Check which our apps use so that we can monitor these responses and determine what to allow and block ourselves. In our case, we only care about non-device verdicts (app licensing, recognised version), but Google has decided not to evaluate these when a device doesn't meet basic integrity, so it impacts us nonetheless.
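The two posts above describe the same server-side decision: the opening post's "at least one of MEETS_*_INTEGRITY" rule that App Check enforces, and the reply's own backend that wants to judge only the app and licensing verdicts but finds them UNEVALUATED whenever the device verdict is empty. The following is an added example, not code from this issue, from Firebase, or from Google; it assumes the Play Integrity token has already been decrypted and its signature verified upstream (for example via Google's decryptIntegrityToken endpoint), that a classic request with a server-issued nonce was used, and that the JSON field names match the documented verdict format. The package name, nonce, certificate digest and both sample verdicts are constructed for illustration.

```python
"""Policy evaluation over a decrypted Play Integrity verdict (added example).

Assumes decryption and signature verification already happened upstream; this
code only applies policy to the resulting JSON. Sample verdicts are constructed.
"""
import json
import time
from dataclasses import dataclass
from typing import Optional

# Any one of these in deviceRecognitionVerdict is what App Check accepts.
OK_DEVICE_VERDICTS = {"MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"}


@dataclass
class Decision:
    allow: bool
    reason: str
    unevaluated: bool = False  # app/licensing verdicts were UNEVALUATED (empty device verdict)


def evaluate_verdict(verdict: dict, *, expected_package: str, expected_nonce: str,
                     expected_cert_digests: set, now_ms: Optional[int] = None,
                     max_age_ms: int = 5 * 60 * 1000,
                     require_device_integrity: bool = True) -> Decision:
    """Return a Decision for one decrypted verdict under the given policy."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    req = verdict.get("requestDetails", {})

    # 1. Bind the verdict to this request: package, nonce (anti-replay) and freshness.
    if req.get("requestPackageName") != expected_package:
        return Decision(False, "package mismatch")
    if req.get("nonce") != expected_nonce:
        return Decision(False, "nonce mismatch (replayed or foreign verdict)")
    ts = int(req.get("timestampMillis", 0))
    if not 0 <= now_ms - ts <= max_age_ms:
        return Decision(False, "stale or future-dated verdict")

    # 2. Device verdict. An empty list is exactly the 403 case reported in this issue.
    device = set(verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    if require_device_integrity and not (device & OK_DEVICE_VERDICTS):
        return Decision(False, f"device integrity not met: {sorted(device) or 'empty verdict'}")

    # 3. App and licensing verdicts. These come back UNEVALUATED when the device
    #    verdict is empty, so a backend that only cares about them must still
    #    decide explicitly what to do; here it is flagged so the caller can route
    #    to a fallback (step-up auth, rate limiting, manual review) and monitor it.
    app = verdict.get("appIntegrity", {})
    app_verdict = app.get("appRecognitionVerdict", "UNEVALUATED")
    lic = verdict.get("accountDetails", {}).get("appLicensingVerdict", "UNEVALUATED")
    if app_verdict == "UNEVALUATED" or lic == "UNEVALUATED":
        return Decision(False, "app/licensing verdicts not evaluated", unevaluated=True)
    if app_verdict != "PLAY_RECOGNIZED":
        return Decision(False, f"app not recognised: {app_verdict}")
    if app.get("packageName") != expected_package:
        return Decision(False, "appIntegrity package mismatch")
    if not set(app.get("certificateSha256Digest", [])) & expected_cert_digests:
        return Decision(False, "signing certificate not in allow-list")
    if lic != "LICENSED":
        return Decision(False, f"licensing verdict: {lic}")
    return Decision(True, f"ok ({', '.join(sorted(device))})")


NOW = 1_700_000_000_000  # fixed clock so the constructed samples are reproducible
POLICY = dict(expected_package="com.example.app", expected_nonce="n-1234",
              expected_cert_digests={"6a6a1474b5cbbb2b1aa57e0bc3"}, now_ms=NOW)

# Constructed: a healthy verdict from a certified, unmodified device.
GOOD = json.loads('''{
  "requestDetails": {"requestPackageName": "com.example.app", "nonce": "n-1234",
                     "timestampMillis": "%d"},
  "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED", "packageName": "com.example.app",
                   "certificateSha256Digest": ["6a6a1474b5cbbb2b1aa57e0bc3"], "versionCode": "42"},
  "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY"]},
  "accountDetails": {"appLicensingVerdict": "LICENSED"}
}''' % (NOW - 1000))

# Constructed: the shape behind the 403 in this issue, empty device verdict and
# everything that depends on it left UNEVALUATED.
FAILING = json.loads('''{
  "requestDetails": {"requestPackageName": "com.example.app", "nonce": "n-1234",
                     "timestampMillis": "%d"},
  "appIntegrity": {"appRecognitionVerdict": "UNEVALUATED"},
  "deviceIntegrity": {"deviceRecognitionVerdict": []},
  "accountDetails": {"appLicensingVerdict": "UNEVALUATED"}
}''' % (NOW - 1000))

if __name__ == "__main__":
    for name, v in (("good", GOOD), ("failing", FAILING)):
        strict = evaluate_verdict(v, **POLICY)
        lenient = evaluate_verdict(v, require_device_integrity=False, **POLICY)
        print(f"{name}: strict={strict}\n      lenient={lenient}")
```

With `require_device_integrity=False` the empty-verdict case is no longer rejected for the device reason, but it is still not allowed, because nothing about the app or licence was evaluated; the `unevaluated` flag is what lets the backend treat that differently from a rooted or unrecognised-version failure instead of silently returning the same 403.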
