Description
We have integrated Firebase App Check on Android using the Play Integrity API provider. Initially, App Check was disabled due to issues with some users, particularly those on GrapheneOS, who were being blocked. We had to support that OS using hardware attestation.
Since then, we re-enabled Firebase App Check, and it works well in most cases. However, we're now encountering situations where legitimate users are blocked with the following error:
```
Caused by com.google.firebase.FirebaseException: Error returned from API. code: 403 body: App attestation failed.
at com.google.firebase.appcheck.internal.NetworkClient.makeNetworkRequest(NetworkClient.java:190)
at com.google.firebase.appcheck.internal.NetworkClient.exchangeAttestationForAppCheckToken(NetworkClient.java:122)
at com.google.firebase.appcheck.playintegrity.internal.PlayIntegrityAppCheckProvider.lambda$getToken$0(PlayIntegrityAppCheckProvider.java:87)
at com.google.android.gms.tasks.zzz.run(zzz.java:1)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
at com.google.firebase.concurrent.CustomThreadFactory.lambda$newThread$0(CustomThreadFactory.java:47)
at java.lang.Thread.run(Thread.java:1012)
```
From what we understand, this happens when the Play Integrity attestation fails — usually when the `deviceRecognitionVerdict` array is empty or does not contain any of the following values:
- `MEETS_STRONG_INTEGRITY`
- `MEETS_DEVICE_INTEGRITY`
- `MEETS_BASIC_INTEGRITY`
Expected valid example:
```
deviceIntegrity: {
  deviceRecognitionVerdict: ["MEETS_DEVICE_INTEGRITY"]
}
```
On Google Play Console, we have updated the App Integrity API settings to allow at least one of the values above.
In most cases, this is expected for unsupported OS, rooted/modified devices, or even when someone attempts to install the app on a Raspberry Pi — and that is fine.
However, we have legitimate users who are blocked despite having compliant devices. For instance:
- Device: Pixel 4a
- Certified by Google Play
- Play Protect OK
- Stock ROM, non-rooted, up-to-date with latest security updates
- Integrity checks via App Integrity Checker app: all levels of device integrity are failing
Our app is fully mobile and there is no alternative access point for users to log in.
At this point:
- Is there any way to unblock these legitimate users?
- Could a factory reset potentially fix this issue?
- Any other ideas or workarounds to resolve this unexpected behavior?
We have other similar cases with Xiaomi devices (Redmi Note 13 Pro 5G, Xiaomi 14T Pro, Xiaomi 13T Pro, ...).
Thanks in advance for your help!
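The decision rule the post describes (pass when `deviceRecognitionVerdict` holds any of the three `MEETS_*` labels, fail when it is empty or missing), written out as an added example. This is not code from firebase-android-sdk or from Firebase's App Check backend, which performs the real check server-side; the verdict payloads are constructed, and the `required` set is an assumed stand-in for the device-integrity responses selected in the Play Console. Separating "empty verdict" rejections from "level not accepted" rejections is what lets an operator tell the expected denials (rooted or unsupported devices) from a sudden rise in failures on devices believed to be certified and stock, which is the situation reported above.

```python
"""Decision logic for a decoded Play Integrity verdict, as the post describes it.

Example code added to this thread; it is not part of firebase-android-sdk and
not Firebase's App Check backend (which performs the real check). The sample
payloads are constructed, and the `required` set is an assumed stand-in for the
device-integrity responses selected in the Play Console.
"""
import json
from collections import Counter

# Strongest first. Per the post, any one of these is enough to pass.
DEVICE_VERDICTS = (
    "MEETS_STRONG_INTEGRITY",
    "MEETS_DEVICE_INTEGRITY",
    "MEETS_BASIC_INTEGRITY",
)


def parse_verdict(payload):
    """Parse a decoded verdict JSON string into a dict."""
    return json.loads(payload)


def device_labels(verdict):
    """Return deviceIntegrity.deviceRecognitionVerdict, or [] when absent."""
    return list(verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))


def strongest_device_verdict(verdict):
    """Strongest MEETS_* label present, or None when the array is empty or absent."""
    labels = set(device_labels(verdict))
    for label in DEVICE_VERDICTS:
        if label in labels:
            return label
    return None


def evaluate_verdict(payload, required=DEVICE_VERDICTS):
    """Return (accepted, reason) for one decoded verdict payload.

    Rejections carry a stable reason so they can be counted: an empty array
    (device or OS not recognised, the case in the post) is told apart from a
    recognised device that only reaches a level the app does not accept.
    """
    verdict = parse_verdict(payload)
    labels = device_labels(verdict)
    if not labels:
        return False, "empty_verdict"
    if not any(label in required for label in labels):
        return False, "level_not_accepted"
    return True, strongest_device_verdict(verdict)


# Constructed payloads (not captured from real devices); only deviceIntegrity is shown.
SAMPLES = {
    "certified_stock": '{"deviceIntegrity": {"deviceRecognitionVerdict": '
                       '["MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY"]}}',
    "hardware_backed": '{"deviceIntegrity": {"deviceRecognitionVerdict": '
                       '["MEETS_STRONG_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY"]}}',
    "unrecognised": '{"deviceIntegrity": {"deviceRecognitionVerdict": []}}',
    "no_device_section": '{"deviceIntegrity": {}}',
}


def rejection_counts(samples=SAMPLES, required=DEVICE_VERDICTS):
    """Count rejection reasons across a batch of verdicts.

    A growing share of "empty_verdict" among devices the operator believes are
    certified and stock is the signal the post reports, as opposed to the
    steady background rate from rooted or unsupported devices.
    """
    counts = Counter()
    for payload in samples.values():
        accepted, reason = evaluate_verdict(payload, required)
        if not accepted:
            counts[reason] += 1
    return dict(counts)


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:18s} -> {evaluate_verdict(payload)}")
    print("rejections:", rejection_counts())
```

Tightening `required` to `("MEETS_STRONG_INTEGRITY",)` shows the trade-off the post touches on: a certified stock device that only reaches `MEETS_DEVICE_INTEGRITY` moves from accepted to `level_not_accepted`, while the empty-verdict cases fail regardless of the setting, so the Play Console choice cannot unblock them.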