Glad you raised this as mobile app impact was also on my mind. We are currently trying to identify major dependencies or roadblocks to deploying hcaptcha on some smaller wikis as a trial rollout.

We would therefore need to decide if mobile app usage was required for an MVP, or if it could be avoided for now (maybe by not displaying the CAPTCHA for mobile user agents for now, or continuing to use the old captcha for those clients). If the trial was successful we could add it later.

So I think that's the main decision we need to figure out now, is where it sits on the priority list and a rough idea how hard it would be to do and when it would be needed. We would need to figure this out within Q3.

We have an aspirational goal to do the trial in Q4 but if blockers appear that will likely get pushed back, so it would be good to consider now whether this is one of the blockers

There is some support in hcaptcha for android and ios but i don't know how hard that would be to integrate

https://github.com/hCaptcha/hcaptcha-android-sdk
https://github.com/hCaptcha/HCaptcha-ios-sdk

Just circling back on this, the plan is still to implement (all the dependencies for) a limited-rollout of hcaptcha on a trial basis in Q3, for a rollout of the trial in Q4 and an assessment of how effective it was.

As we would be enabling hcaptcha on some wikis (still TBD), we would need to ensure the mobile clients/web continue to work, in some way. It is not necessarily required that they implement the new hcaptcha, but at least that editing is still possible on mobile clients/mobile web (since the trial could skip enforcement of the new hcaptcha as its a limited test deployment). For full production of deployment of hcaptcha, if approved, it would in future require full mobile support.

Integrating the HCaptcha SDK into the Android app is relatively simple (provided that we have a site key and API key). It increases the total size of our app by ~500KB, which is roughly expected for a third-party SDK of this complexity.
We can be ready for further testing once hCaptcha is deployed on our backend.

In T379190#10462215, @Dbrant wrote:

Integrating the HCaptcha SDK into the Android app is relatively simple (provided that we have a site key and API key). It increases the total size of our app by ~500KB, which is roughly expected for a third-party SDK of this complexity.

Thanks!

We might have to have a look at key management a little

It's unclear at the moment how they'll necessarily be split by domain etc. Might be more of an issue across projects (so not so relevant here, at the moment), rather than across languages.

But there might be some variations for the Chinese domains/users based on hcaptcha's config

Change #1185942 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/ConfirmEdit@master] [WIP] hCaptcha: Implement apiGetAllowedParams

https://gerrit.wikimedia.org/r/1185942

dbrant opened https://github.com/wikimedia/apps-android-wikipedia/pull/5953

tonisevener opened https://github.com/wikimedia/wikipedia-ios/pull/5446

So far so good on integration in iOS - going to pause on this while server-side stuff finishes up. No dramatic increase in the iOS app binary size for this SDK.

Change #1185942 abandoned by Kosta Harlan:

[mediawiki/extensions/ConfirmEdit@master] hCaptcha: Support account API creation

Reason:

Not needed

https://gerrit.wikimedia.org/r/1185942

Closing this task, since the "spike", as such, is complete.
See the Asana report for WE4.2.9 for details, outcomes, and artifacts (and here is the final doc with recommendations).
Once we decide to proceed with further implementation and rollout, we'll create new task(s) for that work.

cooltey closed https://github.com/wikimedia/apps-android-wikipedia/pull/5953

Looks good on 50565-r-2026-01-12 on OnePlus 8 on Android 13, and Pixel 6 on Android 16. Created a number of accounts on Test2.wiki. Everything seems to be working.