Mozilla has added support for Google’s Play Integrity API, known for blocking users of custom ROMs from accessing banking apps, to Firefox for Android.
Per a resolved issue in Mozilla’s public tracker, a new lib-integrity-googleplay library was added to Firefox’s Android codebase. It requests a Play Integrity token which is then passed to Mozilla’s MLPA (Machine Learning Proxy) server.
The token is used to access Firefox’s server-side AI tools, like Smart Window, for rate-limiting purposes, ensuring only unmodified, Play-installed copies of Firefox on Google-certified devices use Mozilla’s[1] compute infra.
Per documentation for the API, developers can: “…call the Integrity API […] to check that user actions and requests are coming from your unmodified app binary” so the “backend server can decide what to do next to prevent abuse, unauthorized [sic] access, and attacks.”
It does not mean Firefox can no longer be installed or run on non-certified or rooted Android devices, but it might mean that users on non-certified or rooted devices can’t access all AI features in Firefox for Android.
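To make the three conditions concrete, here is a sketch of the kind of server-side check the API documentation describes. It is an added example, not code from Mozilla or from the article. The field and verdict names are those of the Play Integrity payload; the package name, freshness window and allow/deny policy are assumptions, and the payload is assumed to have already been decoded through Google's servers.

```python
import time

# Assumed policy values; the page does not state the real ones.
EXPECTED_PACKAGE = "org.example.browser"  # placeholder package name
MAX_AGE_MS = 5 * 60 * 1000                # assumed freshness window


def evaluate_verdict(payload, expected_hash, now_ms=None):
    """Return (allowed, reasons) for an already-decoded integrity payload."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons = []

    req = payload.get("requestDetails") or {}
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        reasons.append("package mismatch")
    # requestHash ties the token to the specific request being authorized.
    if req.get("requestHash") != expected_hash:
        reasons.append("request hash mismatch")
    try:
        age = now_ms - int(req.get("timestampMillis"))
    except (TypeError, ValueError):
        age = -1
    if not 0 <= age <= MAX_AGE_MS:
        reasons.append("token not fresh")

    # "Unmodified": the binary matches what Google Play distributes.
    app = payload.get("appIntegrity") or {}
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app not recognized")
    # "Google-certified device": label is missing when Google's checks fail.
    device = payload.get("deviceIntegrity") or {}
    if "MEETS_DEVICE_INTEGRITY" not in (device.get("deviceRecognitionVerdict") or []):
        reasons.append("device integrity not met")
    # "Play-installed": the user obtained the app through Google Play.
    account = payload.get("accountDetails") or {}
    if account.get("appLicensingVerdict") != "LICENSED":
        reasons.append("not Play-licensed")
    return (not reasons, reasons)


# Constructed sample payloads (not captured from any real device).
CERTIFIED = {
    "requestDetails": {"requestPackageName": EXPECTED_PACKAGE,
                       "requestHash": "abc123", "timestampMillis": "1000000"},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
}
UNCERTIFIED = dict(CERTIFIED, deviceIntegrity={},
                   accountDetails={"appLicensingVerdict": "UNEVALUATED"})
```

A device with no Play services at all cannot obtain a token in the first place, so a server applying a policy like this would reject its request before any verdict is evaluated.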
Other device ‘attestation’ APIs are available for Mozilla (and other Android developers) to use which aren’t as restrictive. Mozilla had said it was open to exploring them.
Nonetheless, the appearance of ‘device attestation’ in Firefox’s mobile codebase has raised eyebrows in the FOSS community, including from mobile projects based on the Android Open Source Project (AOSP) codebase, like LineageOS and GrapheneOS, which omit Play services.
Given that Firefox’s entire USP on Android is that it’s an open-source, privacy-respecting alternative for those avoiding Google (and open-source, privacy-conscious users often run non-stock Android), it’s a move that, short of further explanation, rubs some the wrong way.
Mozilla has become a magnet for criticism in the past year after its new leadership announced a project-wide “rewiring” to AI to find new profit streams. There’s also been an increase in sponsored content and commercial integrations through the browser.
Adding a Google-operated verification layer to the codebase, for whatever reasons, won’t dispel the notion that Mozilla is no longer as committed to its founding mission – keeping the web free, open and independent of vested interests – as it once was.
Thanks Dominic
[1] Smart Window is powered by big AI models which don’t run on Mozilla-owned infra. Instead, requests to/from third-party servers are proxied through a Mozilla server.
