How To Secure Your Firebase Backend With App Check

Firebase category image

Here is how how to secure your Firebase backend with App Check. I’ll demonstrate the setup with a Flutter app.

Securing your backend saves you a lot of trouble. Think about data loss or a huge bill at the end of the moment. Firebase provides its service App Check to greatly reduce the possibility of an attacker being successful. Here is how how to secure your Firebase backend with App Check.


An In-Depth Firebase Guide For Flutter Developers!

This compendium is a comprehensive guide with many step-by-step guides and code examples. Learn the essentials of Firebase and enhance your apps with cloud services in no time!


💡 Tip

Do you already have a Firebase project? If not, follow my setup article below with all steps in detail!

How does App Check work?

Firebase App Check uses 3rd party attestation providers like DeviceCheck (Apple), Play Integrity (Android), or reCAPTCHA v3 (Web) to ensure that only validated requests will be handled by the backend. Your app calls the attestation provider and receives an attestation that will be sent to the App Check servers. App Check verifies the attestation and returns a token. The token will be attached to every request by your app. If the token expires, the verification process is restarted.

All this happens behind the scenes and except for some initial configuration, you don’t have to do anything. ?

What Firebase services are covered by App Check?

The following services are currently supported by App Check:

  • Realtime Database
  • Cloud Firestore
  • Cloud Storage
  • Cloud Functions (only for callable functions)

In previous articles, I already talked about Cloud Firestore, Cloud Storage, and Cloud Functions. If you integrated one of these services, you can use App Check as well.

App Check is also available to secure your own non-Firebase backend. As this is beyond the scope of this article, interested readers can have a look at the App Check documentation for details.

How to enable an attestation provider?

We will have a look at the attestation provider Play Integrity. The other providers work in a similar way.

Warning

Unfortunately, Play Integrity only works for apps that are distributed via Google Play. If that’s not the case for your app, you cannot use it. The setup will work, but all requests from your app to the backend will fail.

First, open the App Check menu in your Firebase Console.

Screenshot of Firebase Console menu by author
Screenshot of Firebase Console menu by author

Then select the app for which you want to enable App Check by clicking the Register button and selecting an attestation provider.

Screenshot of Firebase App Check app selection by author
Screenshot of Firebase App Check app selection by author

Select Play Integrity as the provider. Then, insert your SHA256 fingerprint key. To generate the key, follow the instructions on this page. You’ll need to execute the command-line program keytool program that is part of the JAVA Runtime Environment. Click the Save button when you are done.

Screenshot of Play Integrity setup in Firebase by author
Screenshot of Play Integrity setup in Firebase by author

Afterward, you’ll see the successful registration of Play Integrity.

Screenshot of completed Play Integrity setup in Firebase by author
Screenshot of completed Play Integrity setup in Firebase by author

💡 Token time to live considerations

* A shorter time interval reduces the time for an attacker to abuse leaked or cracked tokens.
** A shorter time interval requires more frequent App Check token renewals which cost time
*** A shorter time interval requires more frequent attestation provider calls that deplete the free quota faster

How to enforce App Check for specific services

After you added your attestation provider, you need to enforce App Check for your desired services to finally activate it in Firebase. It will take around 15 minutes until the process is finished. Afterward, only apps with proper App Check setup can access your secured backend services.

Go to the APIs tab and select a service, for example, Storage.

Screenshot of APIs tab in Firebase by author
Screenshot of APIs tab in Firebase by author
Screenshot of App Check request overview for Storage in Firebase by author
Screenshot of App Check request overview for Storage in Firebase by author

Click the Enforce button and after around 15 minutes, only registered apps will be able to access your Firebase Storage backend.

Screenshot of enforced Storage API in Firebase by author
Screenshot of enforced Storage API in Firebase by author

That’s it. Your backend is secured!

💡 Tip

Make sure to register all projects of your app with App Check. It doesn’t make sense to just register the Android app because then, your iOS app users won’t be able to access the Firebase backend!

How to set up App Check in a Flutter app?

Follow these few steps to allow a Flutter app to access App Check secure Firebase backend services.

  1. Install the package firebase_app_check.
  2. Add the initialization code in your main() function.

Make sure, FirebaseAppCheck is initialized AFTER Firebase.

And that’s it! Your Firebase App Check dashboard should monitor incoming requests from now on.

I already use Firebase Authentication. Why do I need App Check?

Authentication is to identify users, App Check is to identify apps or devices. Here is a little example of the difference:

Imagine you have created an app with a members area where every user has its only login credentials.

If user A logs in, he/she can just edit user A’s data. If user B logs in, he/she can just edit user B’s data.

But they both can access the backend because the app passed App Check’s validation routine. If App Check denies access, no user can access his or her data.

My app is already published. Can I still integrate App Check?

Publish a new app version with the App Check code included, but don’t enable App Check in Firebase Console yet. You need to give the users time to get the update. Otherwise, you’d be excluding users with an old app version from the moment you enable App Check for the project. You can monitor the adaptation progress in the App Check menu. A high percentage of Verified requests is a good indicator that the users got the update.

Screenshot of Firebase App Check request metrics from Google Firebase
Screenshot of Firebase App Check request metrics from Google Firebase

Come on! Do I really need App Check?

Well, it depends. Is it just a private app you are developing for yourself or a small audience? Then you could probably skip it. But as soon as you start making serious money with your app, you should definitely consider improving your security measures. It can take just one incident to make your Firebase bill go crazy because someone is constantly accessing your resources. Or think about the loss of vital data that cannot be recovered easily. Afterward, you’ll be furious that you didn’t spend 30 minutes to an hour setting up App Check or another security protocol.

Just ask yourself these questions:

  • What is the worst case?
  • What will it cost to recover from the worst case?
  • Will it be cheaper to implement security measures upfront?

Then, you’ll know the answer if you need App Check ?

Conclusion

Better safe than sorry. App Check protects your backend with an additional security layer to minimize the risk of data loss or a huge bill at the end of the month. Consider using it if you value your backend resources and your nerves. In case of an attack, you’ll be glad that you invested one single hour for protection mechanisms.

You can find the complete example source code on my GitHub page.

Additional resources

Here are some additional resources about Firebase in case you want to dive deeper into the topic.

Firebase Cloud Functions

Your all-in-one toolbox to building serverless infrastructures in the cloud. Write once and scale to infinity!

Firebase Cloud Storage

Upload and download user-generated content like on a file system. Firebase Cloud Storage makes file handling simple!

Firebase Remote Config

Real-time feature toggles or A/B testing are typical use cases of Firebase Remote Config. Learn how to implement them now!

Firebase Console

Learn how to manage projects, apps, users, billing plans, and costs with step-by-step guides in the Firebase Console.

Firebase Cloud Firestore

Learn about Firebase Firestore and write mobile apps with the power of a modern and fast NoSQL database.

Firebase Authentication

Implement email/password authentication or use social providers like Google, Microsoft, and Facebook for your apps!

Firebase Hosting

Host your web apps, microservices, dynamic, and static content with this powerful yet simple solution from Firebase!


Leave a Reply

Your email address will not be published. Required fields are marked *