Firebase app check - Play Integrity provider with custom nonce

[helloagain-dev]

Does anyone have any thoughts or experience on how to set a nonce for an app check (Play Integrity provider) intended for a custom backend?
https://android-developers.googleblog.com/2022/05/boost-security-of-your-app-with-nonce.html
https://developer.android.com/google/play/integrity/verdict#java

This is about minimizing the possibility for replay attacks. As we understand it generatePlayIntegrityChallengeResponse.getChallenge() is used by default. (see PlayIntegrityAppCheckProvider.java#L116)

would it be feasible to use a custom nonce from our backend? or get the nonce the generatePlayIntegrityChallengeResponse produces?

[weixifan]

In case anyone is still interested in the answer, the Replay Protection feature (currently in beta) is App Check's solution to this problem. When you want to protect your custom backend using limited-use tokens, instead of managing all the details of the Play Integrity token response, App Check can abstract that away for you. Instead of directly managing and verifying the nonce inside the Play Integrity token result (originating from calling the GeneratePlayIntegrityChallenge method on the App Check backend as you correctly stated), you instead verify the resulting App Check token. This is done in two steps.

1. First, in your Android app, use the Play Integrity provider as you normally would, except use the getLimitedUseAppCheckToken() method rather than the usual getAppCheckToken() method to attest the app and obtain an App Check token. See this document for instructions.
2. Then, in your custom backend, enable Replay Protection for incoming App Check tokens by calling the verifyToken() method with { consume: true }. See this document for instructions.