Migrating to Play Integrity from SafetyNet (Error getting app check token code:403 on Android)

[fidodido75]

Our app is on react native 0.67.5, and we updated RNFB dependencies to the latest version 17.0.4. We enabled PlayIntegrity within our project on Firebase Console. So we currently have both of the attestation providers.
Within our index.js we replaced the deprecated activate method with the initializeAppCheck. Running on release mode, this is what we get on logcat:

RNFBAppCheck: configureProvider - appName/providerName/debugToken: [DEFAULT]/playIntegrity/(not shown) 
RNFBAppCheck: ProviderFactory::configure - appName/providerName/debugToken: [DEFAULT]/playIntegrity/(not shown)
RNFBAppCheck: Provider::configure with appName/providerName/debugToken: [DEFAULT]/playIntegrity/(not shown)
RNFBAppCheck: ProviderFactory::create - fetching provider for app [DEFAULT]
RNFBAppCheck: getToken appName/forceRefresh: [DEFAULT]/false
RNFBAppCheck: Provider::getToken - delegating to native provider
RNFBAppCheck: getToken appName/forceRefresh: [DEFAULT]/false
RNFBAppCheck: getToken appName/forceRefresh: [DEFAULT]/false
RNFBAppCheck: Provider::getToken - delegating to native provider
RNFBAppCheck: Provider::getToken - delegating to native provider
RNFBAppCheck: RNFB: Unknown error while fetching AppCheck token com.google.firebase.FirebaseException: Error returned from API. code: 403 body: App attestation failed.
RNFBAppCheck: RNFB: Unknown error while fetching AppCheck token com.google.firebase.FirebaseException: Too many attempts.

Our backend is not communicating with the AppCheck API. It's just getting a JWT in the header, then the back-end is making sure the JWT is valid. We have not made any changes in our backend. We currently get the appCheck token:

const appCheckToken = await appCheck().getToken();
  return client.post(
    `${RTA_URL}/app/traces`,
    { id, log },
    {
      headers: {
        'x-rta': signature,
        'X-Firebase-AppCheck': appCheckToken.token,
      },
    },
  );

Any ideas what could be causing this error? Do we need to make any changes to our backend/native code or some other part of our code?

[fidodido75]

It turns out that the app needs to be distributed from Google Play Store for the Play Integrity to work. So, it is all working well.

[mikehardy]

That's fantastic news! Honestly the Play Integrity stuff is pretty new for me as well and I was not aware of this restriction/requirement.

I'll see about adding this to the documentation, thanks for coming back and noting it here