How does Firebase App Check using iOS DeviceCheck work?
In short, SDKs will ask the AppCheck SDK for a special AppCheck token when making a request. When App Check is configured to use DeviceCheck, it will generate the requested token with the help of the DeviceCheck framework. Note that DeviceCheck is a framework created by Apple.
I am not understanding what exactly is happening under the hood ...
And here's a little more detail to help clarify things:
The AppCheck SDK uses AppCheckProviders to generate app check tokens. There are 4 types of AppCheckProviders:
- AppAttestProvider
- DeviceCheckProvider
- AppCheckDebugProvider
- Custom providers that you create as a subclass of AppCheckProvider
For certain Firebase SDKs that support AppCheck enforcement (e.g. Firestore), they will ask the AppCheck SDK for an AppCheck token when sending a request. The AppCheck SDK generates a token using one of the 4 AppCheckProviders listed above. You can customize which provider is used by using AppCheck's AppCheck.setAppCheckProviderFactory(_:) API. I wrote more about its purpose in this answer.
... I want to make sure it is working correctly
If you're able to see request metrics in the Firebase console, AppCheck is implemented correctly and working. If you've enabled enforcement, you should start to see some enforced requests in the metrics graph.
Could someone explain to me how Device Check works in this scenario with Firebase ...
So when the AppCheck SDK is using the DeviceCheckProvider (this provider is the default one!), the AppCheck SDK will be creating AppCheck tokens with the help of Apple's DeviceCheck framework.
how it (Device Check) is different from iOS App Attest that Firebase also supports?
The answer here can be found in Apple's documentation for DeviceCheck.
In short, the difference is in the two names.
Device Check is useful for verifying that requests are originating from an actual device. For example, let's say you have an iOS app and are using Firebase AppCheck with the DeviceCheckProvider. If you enable enforcement, only requests coming from actual devices should be successful. So if I try to hit your backend API by curl'ing a request from the command line, it should get rejected since there is no token to confirm the request is coming from an actual device. This protects the backend from such abuse.
App Attest is part of the Device Check framework and offers more advanced verification by attesting that the request is coming from a valid instance of your app. To understand why this is useful, consider your iOS app is configured to use Firebase AppCheck with the DeviceCheckProvider. Let's say a hacker recompiles your app onto an actual device. In this case, DeviceCheck's effectiveness diminishes as requests sent from this malicious copy are technically coming from an "actual device" so a valid token will be generated. App Attest's more advanced attestation can attest that the request is coming from a valid instance of your app. In this example, the hacker's copy would not be a valid instance.
At this point, you might be wondering why you would ever use DeviceCheck when you can use the more advanced App Attest and the reason is OS availability: App Attest is only available for iOS 14.0+.
I hope this answered your questions!
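One way to wire up the provider selection and the OS-availability fallback discussed above, written as an added example rather than code from the answer; it uses the Firebase iOS SDK's AppCheckProviderFactory protocol and AppCheck.setAppCheckProviderFactory(_:) API, and the factory class name AttestWithDeviceCheckFallbackFactory is a placeholder:

```swift
import FirebaseCore
import FirebaseAppCheck

// Placeholder factory name; the protocol and provider types are the
// Firebase iOS SDK's own. The SDK calls createProvider(with:) once per
// FirebaseApp and uses the returned provider to mint App Check tokens.
class AttestWithDeviceCheckFallbackFactory: NSObject, AppCheckProviderFactory {
  func createProvider(with app: FirebaseApp) -> AppCheckProvider? {
    if #available(iOS 14.0, *) {
      // Stronger check: attests that the token comes from a genuine
      // instance of this app, not just from a genuine device.
      return AppAttestProvider(app: app)
    } else {
      // App Attest is unavailable below iOS 14, so fall back to
      // DeviceCheck, which only proves the request came from a real device.
      return DeviceCheckProvider(app: app)
    }
  }
}

// In the app delegate (or wherever Firebase is initialized): register the
// factory before configuring Firebase, otherwise the default
// DeviceCheckProvider is used for the whole process lifetime.
func configureFirebaseWithAppCheck() {
  AppCheck.setAppCheckProviderFactory(AttestWithDeviceCheckFallbackFactory())
  FirebaseApp.configure()
}
```

Once enforcement is turned on in the Firebase console, requests carrying tokens from either provider appear in the App Check metrics graph, which is the quickest way to confirm the factory is actually being used.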