How Firebase App Check protects your app's backend


In our last article, we gave a brief overview of how Firebase App Check works with Firebase AI Logic to stop unauthorised API calls from reaching your app's backend. In this article, we'll cover what App Check really is, how it works and how to integrate it into an Android app for an extra layer of security.
What is App Check
App Check is a security service within the Firebase ecosystem that helps safeguard your backend by verifying that requests come from a genuine build of your app running in a trusted environment. If a request cannot prove that, the Firebase service rejects it before it reaches your data or is evaluated against your security rules.
How it works
Once App Check is enabled in the Firebase console and the SDK is integrated into your Android app, a verification flow runs to confirm that requests to your Firebase backend come from a legitimate build of the app on a device in good standing. When your app starts, the SDK contacts the attestation provider you have configured, which could be:
Play Integrity (Android)
DeviceCheck / App Attest (iOS)
reCAPTCHA (web)
The provider performs a series of checks on the app and the device; producing that evidence is called attestation. The attestation is sent to Firebase's App Check server, which validates it against what you registered for the app in your Firebase project (for example the package name and the SHA-256 fingerprint of the signing certificate). If it is valid, Firebase responds with a short-lived App Check token that proves the request comes from an authorised app and device. The App Check SDK caches the token and refreshes it before it expires. From that point on, every request your app makes through a Firebase SDK to a protected service carries the token (in the X-Firebase-AppCheck header on the wire), and the service verifies it before granting access. If you call a backend you host yourself, the SDK does not attach the token for you: you fetch it, add the header yourself, and verify it on the server with the Firebase Admin SDK.
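The token flow described above is invisible when you only use Firebase SDKs, so the following added example (not code from the article) makes it explicit for a backend you run yourself: it fetches the cached App Check token, logs how long it has left, and sends it in the X-Firebase-AppCheck header. It assumes a hypothetical endpoint at https://example.invalid/api/profile, that the server verifies the header with the Admin SDK, and that kotlinx-coroutines-play-services is on the classpath for the await() call.

```kotlin
import android.util.Log
import com.google.firebase.Firebase
import com.google.firebase.FirebaseException
import com.google.firebase.appcheck.AppCheckToken
import com.google.firebase.appcheck.appCheck
import kotlinx.coroutines.Dispatchers
import kotlinx.coroutines.tasks.await
import kotlinx.coroutines.withContext
import java.net.HttpURLConnection
import java.net.URL

// Hypothetical endpoint on a backend you host yourself. App Check attaches tokens
// automatically only for Firebase services, so custom backends need the header by hand.
private const val BACKEND_URL = "https://example.invalid/api/profile"

/**
 * Returns the cached App Check token, or a fresh one if the cached token has expired.
 * forceRefresh = false lets the SDK reuse the cached token, which is what you want
 * on the hot path; a refresh means a new attestation round trip.
 */
suspend fun currentAppCheckToken(): AppCheckToken = try {
    Firebase.appCheck.getAppCheckToken(false).await()
} catch (e: FirebaseException) {
    // Attestation failed (for example an unsigned build, an emulator without the debug
    // provider, or a device that fails Play Integrity). Surface it rather than retrying
    // blindly: the backend will reject the request anyway once enforcement is on.
    Log.w("AppCheck", "could not obtain App Check token", e)
    throw e
}

/** Calls the custom backend with the token in the X-Firebase-AppCheck header. */
suspend fun callProtectedBackend(): Int = withContext(Dispatchers.IO) {
    val token = currentAppCheckToken()
    // Tokens are short-lived; logging the remaining lifetime makes expiry bugs visible.
    val secondsLeft = (token.expireTimeMillis - System.currentTimeMillis()) / 1000
    Log.d("AppCheck", "token valid for ~${secondsLeft}s")

    val conn = (URL(BACKEND_URL).openConnection() as HttpURLConnection).apply {
        requestMethod = "GET"
        setRequestProperty("X-Firebase-AppCheck", token.token)
        connectTimeout = 10_000
        readTimeout = 10_000
    }
    try {
        // A backend that verifies the header should answer 401 when the token is
        // missing or invalid; treat anything else as an ordinary HTTP response.
        conn.responseCode
    } finally {
        conn.disconnect()
    }
}
```

The server side is the part people forget: a custom backend that does not call the Admin SDK's App Check verification is not protected at all, whatever the client sends.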
Firebase App Check itself is free to use; you do not have to upgrade your project's pricing plan. The attestation providers, however, are priced and quota-limited separately, so check the terms of the one you use.
Step-by-step integration
To integrate Firebase App Check on Android, set up your project in the Firebase console and add Firebase to your Android project. Next, head over to the Google Play Console, add or select your app and, under the Play Integrity API settings, link your Firebase project. (It must be the same Firebase project you will register the app with, and you must be an owner of its Google Cloud project.)
Once linked, go to the Firebase console and register your app with App Check using the Play Integrity provider. You will be asked for the SHA-256 fingerprint of your app's signing certificate. If you use Play App Signing, enter the fingerprint of the app signing key shown in the Play Console, not your upload key: builds installed from Play are signed with that key, and that is what the attestation is checked against.
In Android Studio, add the App Check library and the Firebase BoM to the app-level Gradle file (Kotlin DSL shown):
dependencies {
    implementation(platform("com.google.firebase:firebase-bom:34.1.0"))
    implementation("com.google.firebase:firebase-appcheck-playintegrity")
}
The Firebase Bill of Materials (BoM) pins every Firebase library in the project to versions that are compatible with each other, so you update the BoM version once instead of each library individually.
Next, initialise App Check, making sure this runs before any other Firebase SDK is used (an Application subclass's onCreate() is the usual place):
import com.google.firebase.Firebase
import com.google.firebase.appcheck.appCheck
import com.google.firebase.appcheck.playintegrity.PlayIntegrityAppCheckProviderFactory
import com.google.firebase.initialize

Firebase.initialize(context = this)
Firebase.appCheck.installAppCheckProviderFactory(
    PlayIntegrityAppCheckProviderFactory.getInstance(),
)
With the provider installed, the SDK attaches a token to every request to Firebase services, but Firebase does not yet reject requests that lack one. Enforcement has to be turned on per service in the Firebase console. Before you flip it, look at the App Check metrics in the console: traffic from older app versions or other clients that do not send a token is rejected the moment enforcement is on, so ship the SDK, wait for users to update, and only then enforce.
You can enable App Check enforcement for the following Firebase services: Data Connect, AI Logic, Realtime Database, Cloud Firestore, Cloud Storage, Authentication and others.
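Putting the integration steps together, here is an added example of a complete Application class (not the article's own code). It extends the initialisation above with one practical detail: Play Integrity only attests signed builds, so a debug build on an emulator would never get a token. The class therefore installs Firebase's debug provider for debug builds and Play Integrity for release builds. It assumes the firebase-appcheck-debug artifact is also declared in Gradle, that BuildConfig lives in the hypothetical namespace com.example.secureapp, and that the class is registered in AndroidManifest.xml via android:name=".SecureApp".

```kotlin
package com.example.secureapp

import android.app.Application
import com.google.firebase.Firebase
import com.google.firebase.appcheck.appCheck
import com.google.firebase.appcheck.debug.DebugAppCheckProviderFactory
import com.google.firebase.appcheck.playintegrity.PlayIntegrityAppCheckProviderFactory
import com.google.firebase.initialize

// Hypothetical app class; register it in the manifest so onCreate() runs before any
// Activity, and therefore before any other Firebase SDK call.
class SecureApp : Application() {
    override fun onCreate() {
        super.onCreate()
        Firebase.initialize(context = this)

        // Play Integrity attests only signed builds on devices with Play services, so an
        // unsigned debug build on an emulator falls back to the debug provider. That
        // provider prints a debug token to logcat which must be registered in the
        // Firebase console; because the branch is on BuildConfig.DEBUG it is compiled
        // out of release builds and a registered debug token never reaches production.
        val factory = if (BuildConfig.DEBUG) {
            DebugAppCheckProviderFactory.getInstance()
        } else {
            PlayIntegrityAppCheckProviderFactory.getInstance()
        }
        Firebase.appCheck.installAppCheckProviderFactory(factory)

        // Let the SDK refresh the cached token in the background before it expires, so
        // requests do not stall on a fresh attestation round trip.
        Firebase.appCheck.setTokenAutoRefreshEnabled(true)
    }
}
```

Treat the debug token like a credential: it lets any build that holds it mint valid App Check tokens, so keep it in local developer configuration, never in source control, and revoke it in the console when a developer leaves the project.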
In conclusion, App Check adds an important layer of security within the Firebase ecosystem by ensuring that only verified instances of your app can reach protected backend resources. It is not a complete defence against abuse (a genuine device running an unmodified copy of your app can still send attested requests), so it complements rather than replaces Authentication and security rules; but enabling it significantly reduces the risk of unauthorised traffic reaching your services. For Android developers, integrating it through the Play Integrity API or another provider is a key step towards building more secure and reliable applications.
Thanks for reading!
Written by
Sandra Kuria
Android engineer | Google WTM ambassador | Lead-Firebase Kenya