5

I set up App Check for iOS and Android on Flutter. iOS devices are working fine and able to access my RT Database and Cloud Functions. However, Android devices are blocked. I used the SHA-256 certificate fingerprint generated on Google Play Console. Also, Firebase says my Android app is registered. So, everything looks ok, but it's not.

I don't know what to check at this point because there is no error on my side. The only thing I can see is unverified: invalid requests from App Check request metrics.

This is my Flutter code to activate App Check:

void main() async {
  await Firebase.initializeApp(
    options: DefaultFirebaseOptions.currentPlatform,
  );

  await FirebaseAppCheck.instance.activate();

  runApp(MyApp());
}

This is a log info from Cloud Functions:

Callable request verification passed {"verifications"{"auth":"MISSING","app":"MISSING"}}
Stewie Griffin
  • 4,690
  • 23
  • 42
  • Running on a real device with release build? – user18309290 Aug 06 '22 at 06:08
  • 1
    Yes, it's internal testing. I downloaded the app from the Google Play Store and then tested it. Still all requests denied. – Stewie Griffin Aug 06 '22 at 07:15
  • I have same issue. "Real device", "Release build" and "Closed Testing". I have still not published this app in Google Play to "Production". I am downloading app to real device from Google Play via "Closed Testing" testers. If that's the case, I'd like to continue developing my app without spending any more time on this issue, and if anyone can provide information on this, I'd greatly appreciate it. – CanDroid Aug 06 '22 at 21:28
  • Same for me on real android, release build, google play internal | closed | open testing stage – Anh Nguyen Aug 11 '22 at 11:05

3 Answers3

2

I have solved my problem and I have recently received my first "App Check Verified Request" successfully at my Firebase Cloud Firestore App Check request metrics.

I only added "Play Integrity" until now, because the Firebase documentation (https://firebase.google.com/docs/app-check/android/safetynet-provider) uses the following statement: "Note: The SafetyNet Attestation API is deprecated and has been replaced by the Play Integrity API. Consider enabling App Check with Play Integrity instead. See the deprecation timeline for more information."

To solve the problem, it will be enough to apply the following: Firebase Console -> Project Settings -> App Check -> Apps -> Add SafetyNet as additional Attestation providers.

I have now Play Integrity and SafetyNet both together. Now App Check Requests are working also for "Real device", "Release build" and "Closed Testing" scenario.

I suggest using "Consider enabling App Check with both Play Integrity and SafetyNet." instead of "Consider enabling App Check with Play Integrity instead." on Firebase Documentation.

Thanks for adding such a great service that improves security in any case.

CanDroid
  • 633
  • 6
  • 15
1

So just leaving a comment in case this helps. I had the same issue but made this work after using the SHA-256 under "App Signing key certificate" (It wasn't working until I used Upload key certificate). Hope this helps in any way.

enter image description here

Simme5_Blvd
  • 51
  • 1
  • 6
1

This might be too obvious for most, but you need to enable play integrity in the Google Play console.

To do this, you have to select your app in the play console and then go to the Integrity API tab under Release -> Setup -> App integrity. Here you have to link your project to a Google Cloud project to use play integrity.

That was the only thing I was missing. I hope it might help someone.Google Play console

barbrady
  • 161
  • 9