firebase / firebase-android-sdk

Firebase Android SDK
https://firebase.google.com
Apache License 2.0

[app_check] Fails with 403 while "In Review" stage on google play console. Internal track is fine. #6151

Closed codyfilatov closed 1 month ago

codyfilatov commented 2 months ago

[READ] Step 1: Are you in the right place?

Was redirected here by flutterfire team.

[REQUIRED] Step 2: Describe your environment

[REQUIRED] Step 3: Describe the problem

AppCheck enforced with Firebase Authentication, when a release build is submitted to an Internal track that does not require Play Console review and then downloaded from the Play Store on a genuine device, WORKS. Everything is good. Furthermore, on a debug build using debug tokens everything WORKS. Great.

However, when submitted to a Closed track on Google Play Console for "In Review", the automated bot is clearly receiving an error: it cannot pass AppCheck authentication enforcement. It is failing to be logged in anonymously. Meaning it is not downloaded from the Play Store, and therefore receives the 403 and fails.

Am I supposed to just disable AppCheck enforcement while I have a build In-Review?

google-oss-bot commented 2 months ago

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

lehcar09 commented 2 months ago

Hi @codyfilatov, thank you for reaching out. For context, 403 errors usually mean that the provided token is invalid, missing, or lacks the necessary permissions.

I suggest checking on the following items that might be causing the 403 issue:

* Check API Key Restrictions: Verify that the API key used for Google Play Integrity is not restricted and has the necessary permissions for the Firebase App Check API.

* SHA-1 Certificate Fingerprint: Ensure the correct SHA-1 certificate fingerprint is configured in the Firebase console.

* App Signing: If using app signing by Google Play, verify that the correct app signing certificate is used.

Based on your description, it seems to me that this is not an SDK-related issue. Please do keep in mind that our SDK support team does not have access to the backend or your project details. To get better help, it would be best to reach out to the Firebase support channel instead. We'd need access to your project settings (including projectID, SHA-1 etc.) to troubleshoot this type of issue.

codyfilatov commented 2 months ago

> Hi @codyfilatov, thank you for reaching out. For context, 403 errors usually mean that the provided token is invalid, missing, or lacks the necessary permissions.
>
> I suggest checking on the following items that might be causing the 403 issue:
>
> * Check API Key Restrictions: Verify that the API key used for Google Play Integrity is not restricted and has the necessary permissions for the Firebase App Check API.
>
> * SHA-1 Certificate Fingerprint: Ensure the correct SHA-1 certificate fingerprint is configured in the Firebase console.
>
> * App Signing: If using app signing by Google Play, verify that the correct app signing certificate is used.
>
> Based on your description, it seems to me that this is not an SDK-related issue. Please do keep in mind that our SDK support team does not have access to the backend or your project details. To get better help, it would be best to reach out to the Firebase support channel instead. We'd need access to your project settings (including projectID, SHA-1 etc.) to troubleshoot this type of issue.

This is not a great response / solution.

The problem statement is extremely clear and is not relevant to my specific case. The problem statement clearly identifies that during the In-Review state for Google Play, the AppCheck library flat out does not function, since the automated bot that handles app review does not install the app from the Google Play Store but instead runs the bundle.aab directly. Therefore AppCheck will always return a 403.

The only solution here is to disable enforcement for any AppCheck services until review is completed, then users who install from GooglePlay are subject to AppCheck as usual. That's the bug. It happens for everyone, not just me...

It certainly is an SDK issue, and I've already reached out to Firebase support channel who told me to reach out here... Playing ping pong confusion between support channels seems rather unique to Google's services.

lehcar09 commented 2 months ago

Hey @codyfilatov, sorry for the hold up here. Let me consult this issue with our engineers. Could you answer a few questions below for us to further investigate this:

* Do you use other Auth providers? Is the Auth Anonymous Login the only one that's failing?

* What attestation provider are you using?

I created an MCVE (with Firebase Auth Anonymous Login) and initialized App Check in the Application class:

```kotlin
Firebase.initialize(context = this)
Firebase.appCheck.installAppCheckProviderFactory(
    PlayIntegrityAppCheckProviderFactory.getInstance(), true
)
```

By any chance, can you share an MCVE to help us investigate the issue?

codyfilatov commented 2 months ago

> Hey @codyfilatov, sorry for the hold up here. Let me consult this issue with our engineers. Could you answer a few questions below for us to further investigate this:
>
> * Do you use other Auth providers? Is the Auth Anonymous Login the only one that's failing?
>
> * What attestation provider are you using?
>
> I created an MCVE (with Firebase Auth Anonymous Login) and initialized App Check in the Application class:
>
> ```kotlin
> Firebase.initialize(context = this)
> Firebase.appCheck.installAppCheckProviderFactory(
>     PlayIntegrityAppCheckProviderFactory.getInstance(), true
> )
> ```
>
> By any chance, can you share an MCVE to help us investigate the issue?

I am unable to test this with anything besides anonymous authentication, as this is a production application and it is the first initialized authentication method. This does not happen with Apple DeviceCheck during review. Only during Google Play review.

```dart
await Firebase.initializeApp(options: DefaultFirebaseOptions.currentPlatform);
await FirebaseAppCheck.instance.activate(
  androidProvider: AndroidProvider.playIntegrity,
  webProvider: ReCaptchaV3Provider('recaptcha-v3-site-key'),
  appleProvider: AppleProvider.deviceCheck,
);
```
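The two snippets above (the Kotlin MCVE and the Flutter activation call) install the Play Integrity provider and then let Auth fail with an opaque 403 when attestation cannot succeed. The following is an added example, not code from this thread or from the firebase-android-sdk project, showing the setup a practitioner would use to see the failure at its source: the debug provider is selected only in debug builds (the "debug tokens" path the reporter says works), Play Integrity in release builds, and an App Check token is requested explicitly before the first sign-in so that an attestation failure is logged as such rather than surfacing later as a 403 from Auth. It assumes an Application subclass named `MyApp`, the app's generated `BuildConfig.DEBUG` flag, a log tag `AppCheckSetup`, the `firebase-appcheck-playintegrity` and `firebase-appcheck-debug` artifacts, and the non-KTX import paths of current Firebase BoM releases; adjust those imports if your project still uses the `ktx` packages.

```kotlin
// Added example; not code from the issue or the Firebase SDK.
// Assumptions: Application subclass MyApp, generated BuildConfig.DEBUG,
// firebase-appcheck-playintegrity and firebase-appcheck-debug dependencies.
import android.app.Application
import android.util.Log
import com.google.firebase.Firebase
import com.google.firebase.appcheck.appCheck
import com.google.firebase.appcheck.debug.DebugAppCheckProviderFactory
import com.google.firebase.appcheck.playintegrity.PlayIntegrityAppCheckProviderFactory
import com.google.firebase.auth.auth
import com.google.firebase.initialize

class MyApp : Application() {

    override fun onCreate() {
        super.onCreate()
        Firebase.initialize(context = this)

        // Debug builds attest with the debug provider (registered debug tokens);
        // release builds attest through Play Integrity. The debug provider must
        // never reach a release build, since it bypasses device attestation.
        val factory = if (BuildConfig.DEBUG) {
            DebugAppCheckProviderFactory.getInstance()
        } else {
            PlayIntegrityAppCheckProviderFactory.getInstance()
        }
        // Second argument enables automatic token refresh, as in the MCVE.
        Firebase.appCheck.installAppCheckProviderFactory(factory, true)

        // Request a token before the first Auth call. If the provider cannot
        // attest this installation (for example, a binary that was not installed
        // through Google Play), the failure is reported here with the provider's
        // own exception instead of as a bare 403 from the Auth backend.
        Firebase.appCheck.getAppCheckToken(false)
            .addOnSuccessListener { token ->
                Log.d(TAG, "App Check token obtained, expires at ${token.expireTimeMillis}")
                Firebase.auth.signInAnonymously()
                    .addOnFailureListener { e ->
                        Log.w(TAG, "Anonymous sign-in failed after successful attestation", e)
                    }
            }
            .addOnFailureListener { e ->
                Log.w(TAG, "App Check attestation failed; Auth will reject this client while enforcement is on", e)
            }
    }

    private companion object {
        const val TAG = "AppCheckSetup"
    }
}
```

Logging the attestation error separately from the sign-in error makes the two cases distinguishable in device logs: a client that attests but cannot sign in points at Auth configuration, while a client that never obtains an App Check token points at the provider (SHA-1 registration, Play Integrity API access, or, as in this thread, an installation path that Play Integrity does not recognize). Whether enforcement is on or off remains a Firebase console setting; nothing in the client can relax it.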

lehcar09 commented 2 months ago

Thank you for those details. I have raised this issue to our engineer and we are coordinating with the Play Integrity team. I'll get back to you as soon as I hear back from the team. Thanks!

lehcar09 commented 2 months ago

Hey @codyfilatov, the Play Integrity team is requesting some details such as package name to investigate the issue. However, as community support we cannot request and you should not disclose this information. For now, please file an issue here and provide the required information in a secured way to investigate the issue. You can include the issue number b/357670738 for visibility of the issue filed in the Firebase Github SDK team.

lehcar09 commented 2 months ago

We'll keep the needs-info tag for now. Don't worry if the issue closes due to stale, we can always reopen this once we have new information. Thanks!

google-oss-bot commented 2 months ago

Hey @codyfilatov. We need more information to resolve this issue but there hasn't been an update in 5 weekdays. I'm marking the issue as stale and if there are no new updates in the next 5 days I will close it automatically.

If you have more information that will help us get to the bottom of this, just add a comment!

google-oss-bot commented 1 month ago

Since there haven't been any recent updates here, I am going to close this issue.

@codyfilatov if you're still experiencing this problem and want to continue the discussion just leave a comment here and we are happy to re-open this.