Closed arturmaslov closed 1 year ago
I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
Thanks for reaching out, @arturmaslov. Before I bring this up to our engineering team for discussion, can you clarify what you mean by "without manual token input"?
Currently with DebugAppCheckProviderFactory we need to add generated firebase token from logcat into firebase console (at AppCheck - Apps - Manage debug tokens) to pass AppCheck.
Thanks for clarifying, @arturmaslov. I wasn't able to try the old version of safetynet
before so I'm not sure, but was this process something that was not needed before when using DebugAppCheckProviderFactory
? I wonder if there's a way we can automate this process. Let me ask our engineers.
We don't need any manual process when using safetynet. That's the issue here, because it's being discontinued and we lose this automation. PlayIntegrity doesn't suit us because we won't publish our develop builds on play store for appcheck to pass.
Got it, thanks for answering all the questions @neone35. I'll let you know if we have updates from our engineers.
I am facing the same issues with the migration, safetynet would validate test devices (not emulators), so we never felt the need to even install the debug library on staging environment. I think the issue would be mitigated by providing the option to set a fixed debug token like is permitted on the iOS version of the library. It has been asked here
Any updates on this? @argzdev
Sorry, @arturmaslov. Our engineers are still taking a look into it. We'll reply back here once we have updates to share. Thanks for following up!
Hi @arturmaslov -- thanks for filing this issue. Please see the "Test your Play Integrity API integration" section in this support documentation for instructions on how to allowlist the emails of your testers so that they will receive the correct integrity response.
@rosalyntan but will builds from firebase work after adding this tester list to play integrity?
@arturmaslov Can you clarify what you mean by "builds from Firebase"? Per the linked documentation, you should publish your app to the internal test track or the track that you intend to test on.
We've added our app to console with package.develop and created internal testing for it before. What we didn't know is that we need to enable play integrity for internal testing separately. We expected it'd work out of the box for both published and internal apps. And that was the reason why check failed?
So as our testers accept invitation to test our internal develop app with play integrity for testing enabled, firebase builds should work the same as they worked with safetynet, because now package.develop is on play store with internal testing enabled?
@rosalyntan can you please confirm or deny my theory
We've just enabled play integrity testing and made release build uploaded to play console with this code and we still can't pass AppCheck.
private fun setCheckProviders(firebaseAppCheck: FirebaseAppCheck) {
if (BuildConfig.DEBUG) {
firebaseAppCheck.installAppCheckProviderFactory(DebugAppCheckProviderFactory.getInstance())
} else {
firebaseAppCheck.installAppCheckProviderFactory(PlayIntegrityAppCheckProviderFactory.getInstance())
}
}
And finally it seems to work:
App signing key certificate
SHA-256 from Play Console to our Firebase at AppCheck - Apps - Play Integrity. Licensed Play-recognized app
at Play console - App integrity - New testNow we'll test these cases:
App signing key certificate
at Firebase and with Unlicensed Play-recognized app
optionApp signing key certificate
at Firebase and without New test at Play console
Also, we'll check if firebase appcheck dependencies can work without play services dependencies to decrease our app weight.So turns out these additional cases don't work and we must make sure two first steps are intact for play integrity appcheck to work.
[READ] Step 1: Are you in the right place?
[REQUIRED] Step 2: Describe your environment
[REQUIRED] Step 3: Describe the problem
We're having issues at our company after migrating AppCheck from SafetyNet to PlayIntegrity provider. Before migration our testers been able to run app built from firebase using SafetyNet without manual token input as we (developers) do with DebugProvider. We tried to upload our develop app into play console internal testing, but that didn't help. We've used same SHA keys which were generated at play console. So, it seems that play integrity appcheck currently works only with production app which must be published on play store.
Is this intended logic and are there any solutions for apps outside play store which are not yet published to pass AppCheck without manual token input? That's very inconvenient for our testers. It's major problem for us as safetynet gets discontinued in June 2023. Here are some additional issues regarding this topic on stackoverflow: https://stackoverflow.com/questions/72631258/android-app-check-play-integrity-not-work https://stackoverflow.com/questions/74992711/google-play-integrity-api-invalid-app-check-token-error-after-adding-app-to-fi
Steps to reproduce:
pc_0 - Firebase Database connection was forcefully killed by the server. Will not attempt reconnect. Reason: Invalid appcheck token
private fun setCheckProviders(firebaseAppCheck: FirebaseAppCheck) { if (BuildConfig.DEBUG) { firebaseAppCheck.installAppCheckProviderFactory(DebugAppCheckProviderFactory.getInstance()) } else { firebaseAppCheck.installAppCheckProviderFactory(SafetyNetAppCheckProviderFactory.getInstance()) } }
private fun setCheckProviders(firebaseAppCheck: FirebaseAppCheck) { if (BuildConfig.DEBUG) { firebaseAppCheck.installAppCheckProviderFactory(DebugAppCheckProviderFactory.getInstance()) } else { firebaseAppCheck.installAppCheckProviderFactory(PlayIntegrityAppCheckProviderFactory.getInstance()) } }
private fun setCheckProviders(firebaseAppCheck: FirebaseAppCheck) { if (BuildConfig.DEBUG) { firebaseAppCheck.installAppCheckProviderFactory(DebugAppCheckProviderFactory.getInstance()) } else { // it's release if (BuildConfig.FLAVOR_env.isDevEnv() || BuildConfig.FLAVOR_env.isUatEnv()) firebaseAppCheck.installAppCheckProviderFactory(SafetyNetAppCheckProviderFactory.getInstance()) else firebaseAppCheck.installAppCheckProviderFactory(PlayIntegrityAppCheckProviderFactory.getInstance()) } }