search

firebase / flutterfire

🔥 A collection of Firebase plugins for Flutter apps.
https://firebase.google.com/docs/flutter/setup
BSD 3-Clause "New" or "Revised" License
8.7k stars 3.97k forks source link

firebase_app_check: android/build.gradle still references firebase-appcheck-safetynet #13266

Closed markuswahl-2 closed 2 months ago

markuswahl-2 commented 2 months ago

Is there an existing issue for this?

Which plugins are affected?

App Check

Which platforms are affected?

Android

Description

The dependencies section of that file has the following lines:

    // SafetyNet is deprecated and not part of Firebase BOM
    implementation 'com.google.firebase:firebase-appcheck-safetynet:16.1.2'

The consequence is that we get a warning for our app in https://play.google.com/console. The warning is:

com.google.android.gms:play-services-safetynet has added this note for SDK version 18.0.0:

The SafetyNet Attestation API is being discontinued and replaced by the new Play Integrity API. Begin migration as soon as possible to avoid user disruption. The Play Integrity API includes all the integrity signals that SafetyNet Attestation offers and more, like Google Play licensing and better error messaging. Learn more and start migrating at https://developer.android.com/training/safetynet/deprecation-timeline

We have migrated to App Check in our app but still get this warning because firebase_app_check relies on safetynet, that is what we think anyway. Could you confirm this please? Do we need to undertake further action or will there be a release of firebase_app_check before this warning will turn out to be a problem for us? Is there a plan to release a version of firebase_app_check without safetynet?

I found this issue (https://github.com/firebase/flutterfire/issues/12423) but the wontfix-resolution from https://github.com/Lyokone leaves much to be answered:

Hello @canewsin, Play Integrity is already implemented in the AppCheck plugin. SafetyNet will not be removed until the end of support in January 2025.

https://developer.android.com/privacy-and-security/safetynet/deprecation-timeline tells us that our app will receive an error after End of January 2025. Lyonoke tells us that SafetyNet will not be removed until the end of support.

How long is the period between the release of a version of firebase_app_check without safetynet and the end of support?

How long is the period between the release of a version of firebase_app_check without safetynet and the appearance of the error in our app?

Reproducing the issue

Releasing of app in google play store...

Firebase Core version

3.2.0

Flutter Version

3.22.3

Relevant Log Output

No response

Flutter dependencies

No response

Additional context and comments

No response

Lyokone commented 2 months ago

Hello @markuswahl-2, thanks for this detailed post. We are still bridging the API to SafetyNet since some people are still using it. We will remove this API a couple of months before the official shutdown of SafetyNet. On your side, you don't need to do anything different if you have already migrated to Play Integrity. I see that you mentioned

We have migrated to App Check in our app

AppCheck can use both SafetyNet and Play Integrity so be sure that you are actually using Play Integrity. We will totally remove Safety net before the shutdown and if you are not using it, you shouldn't see any downtime on your side.

I hope this clarifies it, feel free to respond if you have any more questions.