[Feature Request]: Enable AppCheck on Production

[adhiamboperes]

Is your feature request related to a problem? Please describe.

As part of the Android NPS survey, we are uploading some of the user responses to Firestore. Firestore by itself does not offer adequate security, and Firebase AppCheck provides a solution that protects our database from malicious abuse by verifying the authenticity of writing apps and devices.

Describe the solution you'd like

The Setup steps for AppCheck from the documentation are as follows:

• [x] Enable the Play Integrity API: In the Google Play Console, select your app.

In the Release section, click Setup > App integrity.

On the Integrity API page, click Link project, then select your Firebase project from the list of Google Cloud projects.

The project you select here must be the same Firebase project as the one in which you register your app.

• [x] Register your apps to use App Check with the Play Integrity provider in the App Check section of the Firebase console.

  • Click on Register and follow the wizard.
  • You will need to provide the SHA-256 fingerprint of your app's signing certificate.
  • Set a custom time-to-live of 7 days(this is the maximum allowed). Note that the App Check library refreshes tokens at approximately half the TTL duration.

• [x] Developer: Add the App Check library to the app Add the Appcheck and play integrity dependencies to the app(gradle and bazel) and initialize app check in the code.

  implementation("com.google.firebase:firebase-appcheck-playintegrity:17.0.1")
  implementation("com.google.firebase:firebase-appcheck-ktx:17.0.1")

Init block

Firebase.initialize(context = this)
Firebase.appCheck.installAppCheckProviderFactory(
    PlayIntegrityAppCheckProviderFactory.getInstance(),
)

Per the documentation, this code needs to run before any other Firebase SDKs.

• [x] Monitor App Check request metrics After adding the App Check SDK to the app, but before enabling App Check enforcement, we should make sure that doing so won't disrupt our existing legitimate users. To view the App Check request metrics for a product, open the App Check section of the Firebase console.

• [ ] Enable App Check enforcement This step will not be enabled from the onset for production apps, because we need to ensure that doing so won't disrupt our existing legitimate users. We will first deploy the app with AppCheck configured so that we can monitor the metrics and be able to see usages from Verified, Outdated clients, Unknown origin and Invalid requests. See here for more information on metrics. Reference.

Once we have a good view of metrics, we can then enforce AppCheck.

To enable enforcement for Firestore:

• Open the App Check section of the Firebase console.
• Expand the metrics view of the product for which you want to enable enforcement.
• Click Enforce and confirm your choice.

Describe alternatives you've considered

N/A

Additional context

Additional Resources:

1. Firebase App Check
2. Play Integrity
3. Securing Firebase
4. Firebase App Check,
5. Attestation with Play Integrity

[seanlip]

@adhiamboperes I've done the first two steps, but I can't see the graphs so I can't do the last one.

This page suggests that there are other steps that need to be followed first (2 and 3). Should I wait for the dev team to do that before proceeding?

[adhiamboperes]

@adhiamboperes I've done the first two steps, but I can't see the graphs so I can't do the last one.

This page suggests that there are other steps that need to be followed first (2 and 3). Should I wait for the dev team to do that before proceeding?

Yes, step 2 and 3 are dev side, and the last step on this issue will be done post-release so I will re-assign you then.