I would like to add Firebase AppCheck to my mobile app to protect my backend (not Firebase services). I want to use the Google Play Integrity provider (the default one).
I know that Firebase AppCheck for Android is a wrapper around Google Play Integrity. It prepares a "nonce" and calls the requestIntegrityToken method to fetch "integrity verdicts". But these verdicts are not included in the Firebase AppCheck Token which I pass to my custom backend. I read the source code of the Firebase Android SDK and the Firebase Admin SDK for NodeJS and I saw that the Firebase Admin SDK uses the https://firebase.google.com/docs/reference/appcheck/rest/v1/projects.apps/exchangePlayIntegrityToken method to exchange a "Google Play Integrity token" for a Firebase AppCheck Token. And in that place we lost information about "integrity verdicts".
In Google Play Console there are given settings:
Why can the MEETS_DEVICE_INTEGRITY value not be deleted? How are these values considered by Firebase AppCheck? Let's say I checked all values in Google Play Console ("MEETS_STRONG_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY") and Google Play Integrity returns only one value: "MEETS_DEVICE_INTEGRITY". How does Firebase AppCheck treat this verdict? Is it valid or not? Does Firebase AppCheck return a validated AppCheck Token or not?