What Is the Purpose of Firebase Appcheck

How does Firebase App Check using iOS DeviceCheck work?

In short, SDKs will ask the AppCheck SDK for a special AppCheck token when making a request. When App Check is configured to use DeviceCheck, it will generate the requested token with the help of the DeviceCheck framework. Note that DeviceCheck is a framework created by Apple.

I am not understanding what exactly is happening under the hood ...

And here's a little more detail to help clarify things:

The AppCheck SDK uses AppCheckProviders to generate app check tokens. There are 4 types of AppCheckProviders:

  1. AppAttestProvider
  2. DeviceCheckProvider
  3. AppCheckDebugProvider
  4. Custom providers that you create as a subclass of AppCheckProvider

For certain Firebase SDKs that support AppCheck enforcement (e.g. Firestore), they will ask the AppCheck SDK for an AppCheck token when sending a request. The AppCheck SDK generates a token using one of the 4 AppCheckProviders listed above. You can customize which provider is used by using AppCheck's AppCheck.setAppCheckProviderFactory(_:) API. I wrote more about its purpose in this answer.

... I want to make sure it is working correctly

If you're able to see request metrics in the Firebase console, AppCheck is implemented correctly and working. If you've enabled enforcement, you should start to see some enforced requests in the metrics graph.

Could someone explain to me how Device Check works in this scenario with Firebase ...

So when the AppCheck SDK is using the DeviceCheckProvider (this provider is the default one!), the AppCheck SDK will be creating AppCheck tokens with the help of Apple's DeviceCheck framework.

how it (Device Check) is different from iOS App Attest that Firebase also supports?

The answer here can be found in Apple's documentation for DeviceCheck.

In short, the difference is in the two names.

Device Check is useful for verifying that requests are originating from an actual device. For example, let's say you have an iOS app and are using Firebase AppCheck with the DeviceCheckProvider. If you enable enforcement, only requests coming from actual devices should be successful. So if I try to hit your backend API by curl'ing a request from the command line, it should get rejected since there is no token to confirm the request is coming from an actual device. This protects the backend from such abuse.

App Attest is part of the Device Check framework and offers more advanced verification by attesting that the request is coming from a valid instance of your app. To understand why this is useful, consider your iOS app is configured to use Firebase AppCheck with the DeviceCheckProvider. Let's say a hacker recompiles your app onto an actual device. In this case, DeviceCheck's effectiveness diminishes as requests sent from this malicious copy are technically coming from an "actual device" so a valid token will be generated. App Attest's more advanced attestation can attest that the request is coming from a valid instance of your app. In this example, the hacker's copy would not be a valid instance.

At this point, you might be wondering why you would ever use DeviceCheck when you can use the more advanced App Attest and the reason is OS availability: App Attest is only available for iOS 14.0+.

I hope this answered your questions!

Does Firebase App Check discard the need for implementing Security Rules?

While App Check adds an important layer of protection against abuse to your applications, it does not replace Firebase's server-side security rules.

Using App Check drastically reduces the chances of abuse from unauthorized code, but as with any security mechanism that runs a client-side check, there is always a chance that a malicious user can bypass it. From the documentation on How strong is the security provided by App Check?:

App Check relies on the strength of its attestation providers to determine app or device authenticity. It prevents some, but not all, abuse vectors directed towards your backends. Using App Check does not guarantee the elimination of all abuse, but by integrating with App Check, you are taking an important step towards abuse protection for your backend resources.

Security rules on the other hand are evaluated on the server only, and cannot be bypassed by anyone. You can tightly control exactly what data any specific user can access.

By combining App Check and security rules, you can reduce broad abuse quickly, while also retaining fine-grained control over who can access what data.

We had a good discussion about the topic here too: What is the purpose of Firebase AppCheck?

Which one should I use: Firebase App Check or verify ID token with Bearer?

The two are complementary, not mutually exclusive:

  • With a token from Firebase App Check you can check whether a call comes from your own application on a genuine device. So it allows you to verify the app.

  • With an ID token from Firebase Authentication you can check what user in the application made the call, and determine if that user is authorized to do so.

Ideally you'll want to use App Check to quickly rule out many bad actors, and then use Authentication to ensure each valid user can only access the data they're authorized to.

Do I need a Firebase project to use Firebase App Check?

Yes.

It seems like there is no Firebase involved. Only other app attestation services.

Firebase is not an attestation provider, but it uses other providers, and it's a bit easier to integrate those providers using the Firebase SDK than using them directly, e.g. reCAPTCHA v3 for web apps.

Once you integrate the Firebase App Check SDK in your Flutter app, you'll have to get the App Check token using getToken() and add it to your API request. Then you just need to verify the token in your backend using the Firebase Admin SDK.
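The two answers above describe the same backend flow: first verify the App Check token that the app attached to the request (is this a call from my genuine app?), then verify the Firebase Auth ID token (which user is calling, and are they allowed?). The following Node.js request guard is an added example, not code from any of the answers or from Firebase. It assumes the app sends the App Check token in an X-Firebase-AppCheck header (the header name Firebase's own docs use for custom backends) and the ID token as a Bearer token in Authorization. The verifier functions are injected so the example runs offline against constructed stand-ins; in a real deployment you would pass the Firebase Admin SDK's getAppCheck().verifyToken and getAuth().verifyIdToken, as shown in the comment.

```javascript
// Added example (not from the original answers): a backend request guard that
// applies the two complementary checks from the thread, in order:
//   1. Firebase App Check token (X-Firebase-AppCheck header) -> is this our app?
//   2. Firebase Auth ID token   (Authorization: Bearer <jwt>) -> which user?
// The verifiers are injected so this runs offline. With the Firebase Admin SDK
// you would wire it up like this (documented Admin SDK calls; assumed here):
//   const { getAppCheck } = require('firebase-admin/app-check');
//   const { getAuth } = require('firebase-admin/auth');
//   const guard = createGuard({
//     verifyAppCheck: (t) => getAppCheck().verifyToken(t),
//     verifyIdToken:  (t) => getAuth().verifyIdToken(t),
//   });

// Case-insensitive header lookup on a plain { name: value } object.
function header(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return v;
  }
  return undefined;
}

function extractBearer(headers) {
  const m = /^Bearer\s+(\S+)$/.exec(header(headers, 'authorization') || '');
  return m ? m[1] : null;
}

// Returns an async function that takes request headers and yields a decision.
function createGuard({ verifyAppCheck, verifyIdToken }) {
  return async function guard(headers) {
    // Step 1: App Check. Reject before doing any user work, so requests that
    // did not come from the app (e.g. a bare curl) cost the backend nothing.
    const appCheckToken = header(headers, 'x-firebase-appcheck');
    if (!appCheckToken) {
      return { ok: false, status: 401, reason: 'missing App Check token' };
    }
    let appId;
    try {
      ({ appId } = await verifyAppCheck(appCheckToken));
    } catch (err) {
      return { ok: false, status: 401, reason: 'invalid App Check token' };
    }
    // Step 2: Auth ID token. App Check says "genuine app"; this says "which user".
    const idToken = extractBearer(headers);
    if (!idToken) {
      return { ok: false, status: 401, reason: 'missing ID token' };
    }
    let claims;
    try {
      claims = await verifyIdToken(idToken);
    } catch (err) {
      return { ok: false, status: 401, reason: 'invalid ID token' };
    }
    // Per-user authorization (security rules, ownership checks) goes after this.
    return { ok: true, status: 200, appId, uid: claims.uid };
  };
}

// Constructed stand-in verifiers for offline use. They accept only the sample
// tokens below and throw on anything else, which is how the Admin SDK behaves
// for a token with a bad signature, wrong audience or past expiry.
const SAMPLE_APPCHECK_TOKEN = 'constructed-appcheck-token';
const SAMPLE_ID_TOKEN = 'constructed-id-token';
const fakeVerifiers = {
  verifyAppCheck: async (t) => {
    if (t !== SAMPLE_APPCHECK_TOKEN) throw new Error('bad App Check token');
    return { appId: '1:000000000000:ios:placeholder', token: {} };
  },
  verifyIdToken: async (t) => {
    if (t !== SAMPLE_ID_TOKEN) throw new Error('bad ID token');
    return { uid: 'user_42' };
  },
};
const demoGuard = createGuard(fakeVerifiers);

// Four constructed request shapes the thread talks about.
const SCENARIOS = {
  curlNoTokens: {},
  genuineAppAnonymous: { 'X-Firebase-AppCheck': SAMPLE_APPCHECK_TOKEN },
  genuineAppSignedIn: {
    'X-Firebase-AppCheck': SAMPLE_APPCHECK_TOKEN,
    Authorization: `Bearer ${SAMPLE_ID_TOKEN}`,
  },
  forgedAppCheck: { 'X-Firebase-AppCheck': 'garbage', Authorization: `Bearer ${SAMPLE_ID_TOKEN}` },
};

async function runScenario(name) {
  return demoGuard(SCENARIOS[name]);
}

(async () => {
  for (const name of Object.keys(SCENARIOS)) {
    console.log(name, await runScenario(name));
  }
})();
```

Note the ordering: a request with a valid ID token but a forged App Check token is still rejected, which is the point of the "complementary, not mutually exclusive" answer. App Check narrows traffic to your genuine app; the ID token and your server-side rules then decide what that user may read or write.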
