Firebase App Check¶

Firebase App Check helps protect your API resources from abuse by preventing unauthorized clients from accessing your Firebase and Google Cloud resources.

Overview¶

App Check verifies that incoming requests are from your authentic app and not from malicious actors. It uses platform-specific attestation providers to verify app authenticity and issues tokens that Firebase services can verify.

Common Issues¶

Core Configuration¶

• Not Enabled for Application - App Check not configured
• Incomplete App Registration - Missing platform registrations
• SDK Not Initialized Before Other Services - Improper SDK initialization order

Service Enforcement¶

• Enforcement Not Enabled for Firestore - Firestore not protected
• Enforcement Not Enabled for Storage - Cloud Storage not protected
• Enforcement Not Enabled for Callable Functions - Cloud Functions not protected
• Enforcement Not Enabled for Realtime Database - RTDB not protected
• Enforcement Not Enabled for AI Logic - AI features not protected

Platform-Specific Issues¶

• App Attest Environment Misconfigured - iOS App Attest setup problems
• Recaptcha Enterprise Key Type Incorrect - Web reCAPTCHA misconfiguration

Token Management¶

• Web Token Auto Refresh Disabled - Token refresh not enabled
• Potential Error Swallowing - Token refresh error handling
• Missing Token Verification - Custom backend not verifying tokens

Advanced Configuration¶

• Outdated Cloud Functions SDK - Using outdated SDK versions
• Replay Protection Not Implemented - Missing replay attack protection

Best Practices¶

1. Enable App Check for all services - Don't leave any Firebase service unprotected
2. Use appropriate attestation providers - Choose the right provider for each platform
3. Implement proper error handling - Handle App Check failures gracefully
4. Monitor App Check metrics - Track token usage and failures
5. Test thoroughly - Verify App Check works across all app scenarios

Supported Platforms¶

• iOS: App Attest (iOS 14+) or DeviceCheck (older versions)
• Android: Play Integrity API (Android 4.1+)
• Web: reCAPTCHA Enterprise or reCAPTCHA v3
• Flutter: Platform-specific attestation providers

Implementation Steps¶

1. Enable App Check in the Firebase console
2. Register your app with the appropriate attestation provider
3. Initialize the App Check SDK in your app
4. Enable enforcement for Firebase services
5. Test and monitor your implementation