Here is how to secure your Firebase backend with App Check. I’ll demonstrate the setup with a Flutter app.
Securing your backend saves you a lot of trouble. Think about data loss or a huge bill at the end of the month. Firebase provides its service App Check to greatly reduce the chance of an attacker being successful.
How does App Check work?
Firebase App Check uses 3rd party attestation providers like DeviceCheck (Apple), Play Integrity (Android), or reCAPTCHA v3 (Web) to ensure that only validated requests will be handled by the backend. Your app calls the attestation provider and receives an attestation that will be sent to the App Check servers. App Check verifies the attestation and returns a token. The token will be attached to every request by your app. If the token expires, the verification process is restarted.
All this happens behind the scenes and, except for some initial configuration, you don’t have to do anything.
What Firebase services are covered by App Check?
The following services are currently supported by App Check:
- Realtime Database
- Cloud Firestore
- Cloud Storage
- Cloud Functions (only for callable functions)
App Check is also available to secure your own non-Firebase backend. As this is beyond the scope of this article, interested readers can have a look at the App Check documentation for details.
How to enable an attestation provider?
We will have a look at the attestation provider Play Integrity. The other providers work in a similar way.
First, open the App Check menu in your Firebase Console.
Then select the app for which you want to enable App Check by clicking the Register button and selecting an attestation provider.
Select Play Integrity as the provider. Then, insert your SHA-256 signing certificate fingerprint. To obtain it, follow the instructions on this page. You’ll need to run the command-line program keytool, which is part of the Java Runtime Environment. Click the Save button when you are done.
Afterward, you’ll see the successful registration of Play Integrity.
💡 Token time-to-live considerations
- A shorter time interval reduces the time an attacker has to abuse leaked or cracked tokens.
- A shorter time interval requires more frequent App Check token renewals, which cost time.
- A shorter time interval requires more frequent attestation provider calls, which deplete the free quota faster.
How to enforce App Check for specific services
After you added your attestation provider, you need to enforce App Check for your desired services to finally activate it in Firebase. It will take around 15 minutes until the process is finished. Afterward, only apps with proper App Check setup can access your secured backend services.
Go to the APIs tab and select a service, for example, Storage.
Click the Enforce button and after around 15 minutes, only registered apps will be able to access your Firebase Storage backend.
That’s it. Your backend is secured!
How to set up App Check in a Flutter app?
Follow these few steps to allow a Flutter app to access App Check secure Firebase backend services.
- Install the package firebase_app_check.
- Add the initialization code in your
FirebaseAppCheck is initialized AFTER
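The following Dart snippet is an added example, not code from the original post or its GitHub repository. It shows a `main()` that initializes Firebase first and activates App Check afterward, selecting the attestation provider per platform. It assumes that `firebase_core` and `firebase_app_check` are listed in `pubspec.yaml`, that `firebase_options.dart` was generated by `flutterfire configure`, and that the reCAPTCHA v3 site key shown is a placeholder you replace with the one from your Firebase Console.

```dart
// Added example (not from the original post): App Check setup in a Flutter app.
// Assumptions: firebase_options.dart exists (generated by `flutterfire configure`),
// and the packages firebase_core / firebase_app_check are declared in pubspec.yaml.
import 'package:flutter/foundation.dart' show kDebugMode;
import 'package:flutter/material.dart';
import 'package:firebase_core/firebase_core.dart';
import 'package:firebase_app_check/firebase_app_check.dart';

import 'firebase_options.dart'; // assumption: generated file

Future<void> main() async {
  WidgetsFlutterBinding.ensureInitialized();

  // 1. Firebase itself must be initialized before App Check is activated,
  //    otherwise FirebaseAppCheck.instance has no default app to attach to.
  await Firebase.initializeApp(
    options: DefaultFirebaseOptions.currentPlatform,
  );

  // 2. Activate App Check with one attestation provider per platform.
  //    Play Integrity and DeviceCheck cannot attest emulator/simulator builds,
  //    so debug builds fall back to the debug provider. The debug token it
  //    prints to the console must be registered in the Firebase Console
  //    (App Check > Manage debug tokens) before such a build is accepted.
  await FirebaseAppCheck.instance.activate(
    androidProvider:
        kDebugMode ? AndroidProvider.debug : AndroidProvider.playIntegrity,
    appleProvider:
        kDebugMode ? AppleProvider.debug : AppleProvider.deviceCheck,
    // Web builds use reCAPTCHA v3; placeholder site key, replace with yours.
    webProvider: ReCaptchaV3Provider('YOUR_RECAPTCHA_V3_SITE_KEY'),
  );

  // 3. Keep the App Check token refreshed in the background so that a request
  //    made right after token expiry does not wait for a new attestation.
  await FirebaseAppCheck.instance.setTokenAutoRefreshEnabled(true);

  runApp(const MyApp());
}

class MyApp extends StatelessWidget {
  const MyApp({super.key});

  @override
  Widget build(BuildContext context) {
    return const MaterialApp(
      home: Scaffold(
        body: Center(child: Text('App Check active')),
      ),
    );
  }
}
```

Once `activate()` has run, the Firebase SDKs (Firestore, Realtime Database, Storage, callable Functions) attach the App Check token to their requests automatically; there is no per-request code to write. Keep the debug-provider branch out of release builds: a release build that ships `AndroidProvider.debug` would be rejected by the backend once enforcement is switched on.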
And that’s it! Your Firebase App Check dashboard should monitor incoming requests from now on.
I already use Firebase Authentication. Why do I need App Check?
Authentication identifies users; App Check identifies apps or devices. Here is a small example of the difference:
Imagine you have created an app with a members area where every user has their own login credentials.
If user A logs in, they can only edit user A’s data. If user B logs in, they can only edit user B’s data.
But both can reach the backend only because the app passed App Check’s validation routine. If App Check denies access, no user can access their data at all.
My app is already published. Can I still integrate App Check?
Publish a new app version with the App Check code included, but don’t enable enforcement in the Firebase Console yet. You need to give users time to get the update. Otherwise, you’d be excluding users with an old app version from the moment you enforce App Check for the project. You can monitor the adoption progress in the App Check menu. A high percentage of verified requests is a good indicator that the users got the update.
Come on! Do I really need App Check?
Well, it depends. Is it just a private app you are developing for yourself or a small audience? Then you could probably skip it. But as soon as you start making serious money with your app, you should definitely consider improving your security measures. It can take just one incident to make your Firebase bill go crazy because someone is constantly accessing your resources. Or think about the loss of vital data that cannot be recovered easily. Afterward, you’ll be furious that you didn’t spend 30 minutes to an hour setting up App Check or another security protocol.
Just ask yourself these questions:
- What is the worst case?
- What will it cost to recover from the worst case?
- Will it be cheaper to implement security measures upfront?
Then you’ll know whether you need App Check.
Better safe than sorry. App Check protects your backend with an additional security layer to minimize the risk of data loss or a huge bill at the end of the month. Consider using it if you value your backend resources and your nerves. In case of an attack, you’ll be glad that you invested one single hour for protection mechanisms.
You can find the complete example source code on my GitHub page.
Here are some additional resources about Firebase in case you want to dive deeper into the topic.