App Attest seems to sign the payload of a request with the private key of a key pair.
App Check handles different providers than App Attest:
- DeviceCheck or App Attest on Apple platforms
- Play Integrity or SafetyNet (deprecated) on Android
- reCAPTCHA v3 or reCAPTCHA Enterprise on web apps
I would like to know:
- Does Firebase App Check sign the payload on those 3 providers?
- Where is the private key stored with the reCAPTCHA version? I can understand a semi-secure storage mechanism on mobile, but it's harder to grasp in a browser.
If indeed the payload is signed on all platforms, the Firebase App Check doc is a bit vague on the security it provides; it says it prevents some attack vectors but not all.
- What are those attack vectors ?
The payload cannot be tampered with, thanks to the key signature, but
- How is the private key content protected since it is on device?
If on the other hand the payload is not signed:
- What the heck does it protect against, and how? reCAPTCHA monitors human behavior, so maybe it monitors that a request was indeed sent after a click / user input and not via curl, by periodically requesting the human / bot score and adding a token to the request? This is conjecture; it's obscure, is all I'm saying.