[AppCheck] Invalid requests with Cloud Firestore

[svenjacobs]

[REQUIRED] Step 2: Describe your environment

• Android Studio version: Flamingo, 2022.2.1 Patch 2
• Firebase Component: AppCheck, Firestore
• Component version: BOM 32.2.0, AppCheck 17.0.1, Firestore 24.7.0

[REQUIRED] Step 3: Describe the problem

We're trying to set up AppCheck but have about 70% of invalid requests for Firestore. We assume these are requests from Android while iOS works.

• AppCheck is initialized in an AndroidX Startup Initializer so before any Firebase API is called but after Firebase.initialize()
• We're using PlayIntegrityAppCheckProviderFactory in the release build of the app
• Play Integrity API is enabled and I can see in Play Console that 99% of devices meet device integrity
• We're using App Signing and copied the SHA-256 certificate fingerprint from the Play Console into the AppCheck configuration inside the Firebase Console

One thing that is maybe different from a default setup is that we configure the Firebase instance in code, not via google-services.json.

Steps to reproduce:

????

Relevant Code:

Initializing AppCheck:

class FirebaseAppCheckInitializer : Initializer<Unit> {

    @EntryPoint
    @InstallIn(SingletonComponent::class)
    interface FirebaseAppCheckInitializerEntryPoint {

        val firebaseAppCheck: FirebaseAppCheck
    }

    override fun create(context: Context) {
        val entryPoint = EntryPointAccessors.fromApplication<FirebaseAppCheckInitializerEntryPoint>(context)

        entryPoint.firebaseAppCheck.installAppCheckProviderFactory(
            PlayIntegrityAppCheckProviderFactory.getInstance(),
            true,
        )
    }

    override fun dependencies() = emptyList<Class<Initializer<*>>>()
}

Providing FirebaseAppCheck instance via Hilt:

@Module
@InstallIn(SingletonComponent::class)
object FirebaseModule {

    @Provides
    @Singleton
    fun provideFirebaseApp(@ApplicationContext context: Context): FirebaseApp {
        // Values taken from downloaded google-services.json
        val options = FirebaseOptions.Builder()
            .setProjectId("")
            .setApplicationId("")
            .setApiKey("")
            .setDatabaseUrl("")
            .setGcmSenderId("")
            .setStorageBucket("")
            .build()

        return runCatching { Firebase.app }
            .getOrElse { Firebase.initialize(context, options) }
    }

    @Provides
    fun provideFirebaseAppCheck(firebaseApp: FirebaseApp): FirebaseAppCheck =
        Firebase.appCheck(firebaseApp)

    @Provides
    fun provideFirebaseFirestore(firebaseApp: FirebaseApp): FirebaseFirestore = 
        Firebase.firestore(firebaseApp)
}

[google-oss-bot]

I found a few problems with this issue:

• I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
• This issue does not seem to follow the issue template. Make sure you provide all the required information.

[argzdev]

Hi @svenjacobs, thanks for reaching out. I tried a mixture of scenarios either using a google-services.json or with a Firebase instance, it still seems that PlayIntegrityAppCheckProviderFactory won't work. It works when using the DebugAppCheckProviderFactory.getInstance(), so it means that the setup with hilt and initializer is correct. Let me consult with some engineers and see what we can do here.

Tracking internally on: b/293633326

[svenjacobs]

Thanks @argzdev for your feedback. I'm glad you can reproduce this. Looking forward to your findings.

[argzdev]

Hi @svenjacobs, while we were investigating for the past few days, I started receiving verified requests today (without changing any of the SHA256 or Google Play Console settings). Could you check on your side if yours is also working? If so, then this could be due to an outage on Play Integrity side, and AppCheck itself doesn't have any issues.

[svenjacobs]

@argzdev Unfortunately I don't see any improvements of the numbers. We have this problem for months now.

[argzdev]

Hi @svenjacobs, after more further testing, one specific change I did was using a physical device for testing which allowed me to get verified requests with your code setup. In your case, obviously this doesn't apply since you've already have a multitude of requests from a wide range of devices. That said, could you recheck if you have a following checklist complete below:

1. App signing key SHA256 is added to Firebase Console
2. Upload key certificate SHA256 is added to Firebase Console (I'm not sure if this is a requirement, you'll have to check with Play Integrity team)
3. Release keystore SHA256 is added to Firebase Console (This might be the same as your App signing)
4. Debug keystore SHA256 is added to Firebase Console
   • After steps 1 to 4, In my case, a total of 3 SHA256 keys are added to my Firebase Console.
5. In your Google Play Console > Setup > App Signing, under Integrity API, make sure your app is linked with your Google Cloud project
6. Make sure your app is registered in the Firebase Console App Check section

Now, once you've verified everything is correct, and AppCheck is still not working, then this would mean a broken connection between AppCheck and Play Integrity. That said, you'll have to reach out to Play Integrity team since they'll be able to view your project details and configuration from the backend. You can reach out on their link here.

Let me know if this helps. Thanks!

[google-oss-bot]

Hey @svenjacobs. We need more information to resolve this issue but there hasn't been an update in 5 weekdays. I'm marking the issue as stale and if there are no new updates in the next 5 days I will close it automatically.

If you have more information that will help us get to the bottom of this, just add a comment!

[svenjacobs]

1. App signing key SHA256 is added to Firebase Console

✅ That is correct.

2. Upload key certificate SHA256 is added to Firebase Console (I'm not sure if this is a requirement, you'll have to check with Play Integrity team)

✅ I doubt this will change anything because I had it there before but I added it again.

3. Release keystore SHA256 is added to Firebase Console (This might be the same as your App signing)

✅ Yes, it is the same since we use App Signing.

4. Debug keystore SHA256 is added to Firebase Console

❌ Since we only have a release app in the Firebase project, I did not add the debug key certificate.

• After steps 1 to 4, In my case, a total of 3 SHA256 keys are added to my Firebase Console.

✅ I have two: App signing and upload key certificate SHA256

5. In your Google Play Console > Setup > App Signing, under Integrity API, make sure your app is linked with your Google Cloud project

✅ The Cloud project is linked and I see lots of successful Integrity API calls in Play Console

6. Make sure your app is registered in the Firebase Console App Check section

✅ Play Integrity as well as the old SafetyNet are registered / enabled

[argzdev]

Thanks for the extra details, @svenjacobs. In this case, since we've verified that testing your code snippet works with the SDK, then it shows no issue with how the SDK works. Most certainly the issue now is with the connection with the backend, that said there's nothing else we can do on our side. You'll have to reach out to Play Integrity team since they'll be able to view your project details and configuration from the backend. You can reach out on their link here. You may also refer to them this GitHub thread for more context on what we've investigated. Thanks!

[svenjacobs]

Thanks for your support! I contacted the Play Integrity support 🤞🏼