Firebase App Check

Last Updated : 23 Nov, 2022

Recently, Firebase unveiled App Check, a security feature that guards against misuse of backend resources. It is a means of making sure that your app is the one making requests to the backend resources (such as a real-time database or cloud storage), and not some other unidentified or malicious source.

A Deep Dive into Security

By keeping unauthorized clients from accessing your backend resources, App Check helps prevent abuse of your API resources. To safeguard your resources, it integrates with Google Cloud, Firebase, and your own APIs. With App Check, devices running your app use an app or device attestation provider that attests to one or both of the following:

  1. Requests come from your legitimate app.
  2. Requests come from a genuine, unaltered device.

Point of Using App Check

With public BaaS providers like Firebase, an attacker may be able to obtain an app’s public credentials and use them to access some of its backend resources. As long as you have appropriately implemented user authentication and Firebase security rules for your app, your users and their data should be safe from such attacks. However, that does not stop an attacker from flooding the backend with fictitious requests in an effort to use up your backend resources or run up unjustified billing charges. With App Check, every request your app makes to the APIs you specify has this attestation attached to it. When you enable App Check enforcement, requests from clients without a valid attestation and requests coming from apps or platforms you haven’t authorized will both be declined.

So how exactly does this system work?

To get an attestation of its validity, an App Check-enabled app first communicates with a platform-specific attestation provider. The following attestation providers are currently supported by Firebase out of the box:

  • SafetyNet app for Android
  • App Attest for iOS
  • reCAPTCHA v3 for Web verification

Though it may seem like a lot, employing Firebase App Check as a developer doesn’t require much work. The backend services and Firebase SDKs handle a lot of the labor-intensive tasks. The majority of the time, all you need to do is modify a small portion of your app’s code and make a few configuration changes in the Firebase console. 

Image #1: The initial Firebase Console


After tapping ‘Register’ to add reCAPTCHA support in the Android Application, the short snippet below can be used to set up this device-integrity check in your system. It is quick and easy to work through!

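JavaScript

const { initializeApp } = require("firebase/app");
const { initializeAppCheck, ReCaptchaV3Provider } = require("firebase/app-check");

// firebaseConfig and siteKey are your own project's values (placeholders here).
const app = initializeApp(firebaseConfig);

const appCheck = initializeAppCheck(app, {
  provider: new ReCaptchaV3Provider(siteKey),
  // Let the SDK refresh App Check tokens automatically.
  isTokenAutoRefreshEnabled: true
});
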
And just like that, your Android Application is ready to work with App Check and leverage all of its functionality!

Image #2: After adding short-code all you have to do is to 'Save' the module!


Additionally, you can enable App Check in your application without turning on App Check enforcement in the Firebase backend services, and then check your own system against it. This is helpful because enforcing access restrictions with App Check may break earlier versions of your app. The Firebase console gives you precise statistics on the origins of your backend traffic, including the proportion of requests from legitimate clients versus those from out-of-date, unidentified, or potentially malicious clients.
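The same monitor-first, enforce-later rollout applied to one of your own APIs, as an added example that is not part of the original article: a Node-style middleware reads the App Check token from the `X-Firebase-AppCheck` request header, counts verified, invalid and missing tokens, and rejects only when `enforce` is on. The names `makeAppCheckGate`, `fakeVerify` and `simulate` are hypothetical, and the verifier is injected so the block runs offline; with the Firebase Admin SDK it would be `getAppCheck().verifyToken` from `firebase-admin/app-check`.

```javascript
// Added example. verifyToken is injected so this runs offline; with the
// Admin SDK it would be (t) => getAppCheck().verifyToken(t).
function makeAppCheckGate({ verifyToken, enforce, stats }) {
  return async function gate(req, res, next) {
    // Firebase clients send the App Check token in this request header.
    const token = req.headers["x-firebase-appcheck"];
    let outcome = "verified";
    if (!token) {
      outcome = "missing";
    } else {
      try {
        const result = await verifyToken(token);
        req.appCheckAppId = result.appId; // which registered app attested
      } catch (err) {
        outcome = "invalid"; // the verifier rejected the token
      }
    }
    // Count every outcome, so monitor mode shows what enforcement would block.
    stats[outcome] = (stats[outcome] || 0) + 1;
    if (enforce && outcome !== "verified") {
      res.statusCode = 401;
      res.end(JSON.stringify({ error: "app_check_" + outcome }));
      return;
    }
    next();
  };
}

// Constructed stand-in verifier: accepts only the sample token "good".
async function fakeVerify(token) {
  if (token !== "good") throw new Error("token rejected");
  return { appId: "1:000000000000:web:constructed" };
}

// Sends three constructed requests through the gate; returns what got through.
async function simulate(enforce) {
  const stats = {}, passed = [];
  const gate = makeAppCheckGate({ verifyToken: fakeVerify, enforce, stats });
  const samples = { legit: "good", forged: "junk", bare: undefined };
  for (const [name, token] of Object.entries(samples)) {
    const headers = token ? { "x-firebase-appcheck": token } : {};
    const res = { statusCode: 200, end() {} };
    await gate({ headers }, res, () => passed.push(name));
  }
  return { stats, passed };
}

Promise.all([simulate(false), simulate(true)]).then((r) => console.log(r));
```

Running in monitor mode first gives the same kind of verified-versus-unverified breakdown the console metrics provide, before any client is actually turned away.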

App Check bases its determination of the app or device’s legitimacy on the reliability of its attestation providers. It stops some abuse vectors that are directed at your backends, but not all of them. In other words, App Check is not a substitute for user authentication and security rules. Instead, it adds a further layer of application security to the Firebase security tools and procedures already in place. Even though using App Check does not ensure that every abuse will be stopped, integrating with it is a crucial step towards protecting your backend resources from exploitation.

Conclusion

As the risk of cyberattacks grows, developers need to be more attentive than ever and put in place security measures that safeguard both app users and the backend resources that are essential to the apps’ continuous operation.

