I've integrated (but not enforced) App Check within an iOS app of mine, and have a number of requests that are apparently invalid - that is, the requests have an invalid App Check token. I am using Apple's App Attest as the Attestation Provider.
The two example reasons given for this occurring are:
1. "inauthentic client attempting to impersonate your app"
2. "from emulated environments"
I don't think 1 is happening, because I have a tiny user base (< 10 active users). I also don't think 2 is happening. I very rarely use emulated environments; I prefer building and testing on a physical device.
From troubleshooting on my own, it seems like the issue has to do with me using a debug build on my physical device vs a release build. I followed the instructions here: https://firebase.google.com/docs/app-check/ios/debug-provider, and the errors have apparently dropped to zero for the last 24 hours.
I have two questions:
1. Is this conclusion correct? That is, is it possible that me using a debug build is what was causing all those unverified requests? The two examples given don't mention anything about a physical device, so I'm not sure if this conclusion is right.
2. If the answer to 1 is yes, what is the correct workflow setup I should be using? It seems like the debug tokens have the same TTL as the normal App Check tokens (i.e. 1 hour), and manually uploading a token every 1 hour while developing doesn't seem scalable. Is it possible to have the debug tokens have a longer TTL? Or is it possible to upload these tokens through code vs having to manually add via the Firebase console?