Mozilla Embeds Google Play Integrity Check in Firefox Android, Risking Lockout for Custom ROM Users

Mozilla quietly embedded a Google Play Integrity API check into Firefox for Android several months ago, a move that could cut off users running custom operating systems from the browser’s new artificial intelligence features.

The code went live with Firefox 149 and requires the browser to request a verification token from Google before passing it to Mozilla’s machine learning proxy server.

What the Check Actually Does

The system gates access to Firefox’s server-side AI tools, including a feature called Smart Window, which relies on processing power hosted on third-party servers.

Mozilla routes these requests through its own proxy to manage rate limits — the maximum number of calls a server will accept in a given period. To filter out unauthorized traffic, the company chose Google’s attestation system, which confirms whether an app is running as an unmodified binary on a certified device.

Users running custom ROMs — alternative versions of Android, such as GrapheneOS or LineageOS, that strip out Google’s services — typically fail these checks.
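As an added illustration, not Mozilla's code (the proxy's real policy is not public), this is the kind of admission check a proxy like the one described above would apply to a decoded Play Integrity verdict, and why a de-Googled device fails it. It assumes the token has already been decrypted and signature-checked through Google's server-side API; the verdict field names follow Google's documented format, while the sample verdicts, the five-minute freshness window and the helper names are constructed here.

```python
import json

# Verdict strings from Google's documented Play Integrity decoded-token format.
PLAY_RECOGNIZED = "PLAY_RECOGNIZED"
MEETS_DEVICE_INTEGRITY = "MEETS_DEVICE_INTEGRITY"
# Hypothetical proxy policy: reject tokens older than five minutes (replay guard).
MAX_TOKEN_AGE_MS = 5 * 60 * 1000


def gate(verdict_json: str, expected_package: str, now_ms: int) -> tuple[bool, str]:
    """Admission policy for a decoded verdict; returns (allowed, reason).

    Assumes the token was already decrypted and signature-checked through
    Google's server-side API. This is only the policy applied to that JSON.
    """
    v = json.loads(verdict_json)
    req = v.get("requestDetails", {})
    # A token minted for another package must not unlock this proxy.
    if req.get("requestPackageName") != expected_package:
        return False, "package mismatch"
    # timestampMillis is serialised as a string in the verdict JSON.
    age_ms = now_ms - int(req.get("timestampMillis", 0))
    if age_ms < 0 or age_ms > MAX_TOKEN_AGE_MS:
        return False, "stale or future-dated token"
    if v.get("appIntegrity", {}).get("appRecognitionVerdict") != PLAY_RECOGNIZED:
        return False, "app binary not recognised by Play"
    labels = v.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    # A de-Googled ROM has no Play certification, so this list comes back empty.
    if MEETS_DEVICE_INTEGRITY not in labels:
        return False, "device integrity not met"
    return True, "ok"


def sample_verdict(now_ms: int, device_labels: list[str]) -> str:
    """Constructed verdict JSON (shape per Google's docs; values made up)."""
    return json.dumps({
        "requestDetails": {"requestPackageName": "org.mozilla.firefox",
                           "timestampMillis": str(now_ms - 1_000)},
        "appIntegrity": {"appRecognitionVerdict": PLAY_RECOGNIZED,
                         "packageName": "org.mozilla.firefox"},
        "deviceIntegrity": {"deviceRecognitionVerdict": device_labels},
    })


NOW_MS = 1_700_000_000_000  # constructed clock value
CERTIFIED = sample_verdict(NOW_MS, ["MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY"])
CUSTOM_ROM = sample_verdict(NOW_MS, [])  # GrapheneOS/LineageOS-style device
print(gate(CERTIFIED, "org.mozilla.firefox", NOW_MS))   # (True, 'ok')
print(gate(CUSTOM_ROM, "org.mozilla.firefox", NOW_MS))  # (False, 'device integrity not met')
```

Note that the device check is the only step a custom ROM fails here; the same app binary, package name and fresh token pass every other test, which is exactly the situation the article describes.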

The same verification system already appears in banking apps and restrictive mobile games. Its arrival in Firefox draws scrutiny precisely because of what Firefox has long represented to privacy-focused users.

A Tension With Firefox’s Core Appeal

The browser still installs and renders web pages normally on modified devices. Users are not blocked from Firefox itself.

Still, the restriction stings for a specific group. Firefox built a large Android following by positioning itself as a privacy-respecting alternative to Chrome.

Many of its most loyal users run de-Googled operating systems specifically to reduce exposure to big tech data collection. Those same ROMs remove Play Services — meaning the very users who embraced Firefox for its privacy stance now find themselves flagged as untrusted by it.

Developers do have alternative device attestation methods that do not depend entirely on Google’s infrastructure, and requests to explore those options have surfaced in the past.

Mozilla’s decision to integrate the `lib-integrity-googleplay` library suggests the company chose the most available path, embedding a Google-operated verification layer into an app many people use to sidestep Google.

How the Discovery Spread

The integration likely would have gone unnoticed without security researchers flagging it on Mastodon, where the discussion was later picked up by the technology publication OMG Ubuntu.

Several researchers in that thread said the Play Integrity API does not effectively solve the server abuse problem Mozilla appears to be trying to address. Some Firefox users have since filed bug reports asking developers to remove the proprietary check entirely.

No widespread user complaints from custom ROM devices have surfaced yet.

That said, Mozilla has pushed hard into AI integrations as it searches for new revenue streams, and protecting the servers that run those features carries real financial weight. The company reported browser-related revenue of approximately $593 million in fiscal year 2023, according to Mozilla Foundation's publicly filed financial statements, with the bulk tied to search partnership deals that face long-term pressure.

For some privacy-focused users who distrust AI tools as much as they distrust Google, the locked feature set may register as no loss at all.

Deepak Gupta

Deepak Gupta is a technologist who loves diving into software development, cybersecurity, and new tech. He aims to make complex topics easy to understand, sharing practical insights with fellow tech enthusiasts. Read more about me at LinkedIn.
