App Check
Firebase App Check is a new security feature for protecting the backend services of apps. It blocks traffic that comes from sources other than the registered app, ensuring that usage costs are not incurred for illegitimate usage.
App Check works by using attestation services, which already exist for iOS, Android, and the web. The feature can protect three different types of backends, including Firebase backends like Cloud Firestore, Google API services like Cloud Run, and API endpoints of your own server.
Adding Firebase App Check
To add Firebase App Check to your app:
- Navigate to the Firebase Console > Build > App Check page.
- If this is the first time, click the Get started button.
- Now, you'll see the list of apps you have added to this Firebase project. To register attestation service(s), select the project, click Register, and then select the attestation service.
  - For Android, you can select Play Integrity and then follow steps 2 and 3 from here.
  - For iOS, you can choose from Device Check or App Attest and then follow steps 2 and 3 from here.
  - For the Web, select reCAPTCHA v3 or reCAPTCHA Enterprise and then follow steps 2 and 3 from here. Note: To run the app in Run/Test mode, you must register the Web version of the app as well.
- Ensure that enabling Firebase App Check won't disrupt your existing legitimate users.
- Now, you can select the service you want to secure. Switch to the APIs tab, select the service, and click the Enforce button. A popup may open, telling you that once enforcement is enabled, all requests that do not have an App Check token will be denied. Click Enforce again if you are OK with this. Note that it might take up to 15 minutes for enforcement to start.
- Navigate back to FlutterFlow, open Settings and Integrations > Project Setup > Firebase, scroll down and expand the App Check section, and switch on the Enable App Check toggle.
- You can fill out the optional details such as reCAPTCHA Site Key (you should have it from step 3.3, where reCAPTCHA is registered for the Web app) and Run/Test Mode Debug Token. To get the debug token, follow the steps below:
  - Navigate to the Firebase Console > Build > App Check > Apps.
  - Open the app for which you want to generate the debug token.
  - Click the three-dots icon (i.e., the overflow menu icon) and select Manage debug token.
  - Click Add debug token.
  - Give it a Name and click Generate token.
  - Copy the generated token and paste it in FlutterFlow's designated field.
  - Click Save.
- You might want to see if it works on a real device or an emulator. To run on a real device, set the Android Provider to Play Integrity; to run on an emulator, set it to Debug. Then check it by downloading the APK.
  - If it doesn't work for Play Integrity, ensure you have enabled the Play Integrity API. See how to do it in step 2 here.
  - If it doesn't work for Debug, you can try downloading the code, following the instructions here, and running it locally.
To add App Check to an app with a non-Firebase (i.e., self-hosted) backend, follow the instructions here.
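What enforcement on a self-hosted backend amounts to, as an added example (not FlutterFlow's or Firebase's own code): the server verifies the App Check token that the client sends in the `X-Firebase-AppCheck` header before serving the request. It assumes the signing key has already been looked up from the App Check JWKS endpoint (`https://firebaseappcheck.googleapis.com/v1/jwks`); so that it runs offline, a locally generated key pair, a constructed project number and a constructed App ID stand in, and `verifyAppCheckToken` and `makeSampleToken` are hypothetical names.

```javascript
// Added example: server-side checks for an App Check token on a self-hosted backend.
const crypto = require('node:crypto');

const PROJECT_NUMBER = '123456789012'; // constructed placeholder for your Firebase project number
const b64url = (v) => Buffer.from(v).toString('base64url');
const fail = (reason) => ({ ok: false, reason });

// `publicKey` stands in for the key selected by the token's `kid` from the App Check JWKS.
function verifyAppCheckToken(token, publicKey, now = Math.floor(Date.now() / 1000)) {
  if (typeof token !== 'string') return fail('missing token');
  const parts = token.split('.');
  if (parts.length !== 3) return fail('malformed token');
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return fail('malformed token');
  }
  if (!header || !claims) return fail('malformed token');
  // Pin the algorithm before checking the signature, so "none" or HS256 tokens are rejected.
  if (header.alg !== 'RS256' || header.typ !== 'JWT') return fail('unexpected header');
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const signature = Buffer.from(parts[2], 'base64url');
  if (!crypto.verify('RSA-SHA256', signed, publicKey, signature)) return fail('bad signature');
  // The token must have been issued for this project and must not be expired.
  if (claims.iss !== `https://firebaseappcheck.googleapis.com/${PROJECT_NUMBER}`) return fail('wrong issuer');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(`projects/${PROJECT_NUMBER}`)) return fail('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) return fail('expired');
  return { ok: true, appId: claims.sub }; // `sub` is the Firebase App ID; allow-list it if needed
}

// Constructed test data: a locally generated key pair plays the role of the App Check signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function makeSampleToken(claims, key = privateKey, header = { alg: 'RS256', typ: 'JWT' }) {
  const body = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  return `${body}.${crypto.sign('RSA-SHA256', Buffer.from(body), key).toString('base64url')}`;
}

const sampleClaims = {
  iss: `https://firebaseappcheck.googleapis.com/${PROJECT_NUMBER}`,
  aud: [`projects/${PROJECT_NUMBER}`],
  sub: '1:123456789012:android:0123456789abcdef', // constructed App ID
  exp: Math.floor(Date.now() / 1000) + 3600,
};
console.log(verifyAppCheckToken(makeSampleToken(sampleClaims), publicKey));
```

In production, fetch and cache the JWKS (or use the Firebase Admin SDK's App Check `verifyToken`), and reject the request when `ok` is false.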