Our Android app uses Firestore as the DB and uses the Firestore SDK to make the reads and writes. We use Firebase App Check via SafetyNet (planning to migrate to Play Integrity) as one of our security measures.
```kotlin
FirebaseApp.initializeApp(this)
// Register the SafetyNet attestation provider; the SDK handles token fetch and refresh from here on
val appCheck = FirebaseAppCheck.getInstance()
appCheck.installAppCheckProviderFactory(SafetyNetAppCheckProviderFactory.getInstance())
```
That's all we do for App Check. We do not have any custom attestation and verify flow, and we don't have any throttling logic for calls to Firestore since it is all handled by the Firestore SDK. The issue we see is that, since our customer base is growing large, we often see quota limit exceeded errors from App Check, which lead to PERMISSION_DENIED errors, resulting in an unusable app state. Before we raise a quota increase request, we wanted to clarify the following questions:
- We see quotas for attest and verify requests. Is there any document that clearly explains the use cases for the above quotas? Please see the attached screenshot for quota categories.
- Is the App Check token the same as a JWT, i.e. it has an expiration time, after which it will fetch a new token from Google Play services, and until then it won't request a new token? If so, what is the expiration time? We are asking this to understand how the quota expires.
- For each install/update or clear storage of the Android app, will it re-initialize the whole process?
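One way to observe the token lifetime the post asks about directly in the app, as an added example that is not the poster's code or Firebase's documentation: install the Play Integrity provider the post plans to migrate to, then log the expiry time the App Check SDK reports for each token it obtains. The `Application` subclass name, the log tag and the assumption that `firebase-appcheck-playintegrity` is on the classpath are all mine.

```kotlin
// Added example, not code from the original post. Assumes the
// firebase-appcheck-playintegrity dependency is present and that this
// Application subclass is registered in the manifest.
import android.app.Application
import android.util.Log
import com.google.firebase.FirebaseApp
import com.google.firebase.appcheck.FirebaseAppCheck
import com.google.firebase.appcheck.playintegrity.PlayIntegrityAppCheckProviderFactory

class AppCheckDemoApp : Application() {
    override fun onCreate() {
        super.onCreate()
        FirebaseApp.initializeApp(this)
        val appCheck = FirebaseAppCheck.getInstance()
        // Play Integrity provider, the replacement for the deprecated SafetyNet one.
        appCheck.installAppCheckProviderFactory(PlayIntegrityAppCheckProviderFactory.getInstance())

        // Invoked each time the SDK obtains a new token (auto-refresh or explicit fetch),
        // so the interval between log lines shows how often attestations actually happen.
        appCheck.addAppCheckListener { token ->
            val ttlMinutes = (token.expireTimeMillis - System.currentTimeMillis()) / 60_000
            Log.d("AppCheckDemo", "new App Check token, expires in ~$ttlMinutes min")
        }

        // forceRefresh = false: the SDK returns the cached token while it is still valid
        // instead of starting a new attestation round trip.
        appCheck.getAppCheckToken(false)
            .addOnSuccessListener { token ->
                Log.d("AppCheckDemo", "current token expires at epoch ms ${token.expireTimeMillis}")
            }
            .addOnFailureListener { e ->
                // Surfaces attestation/quota failures explicitly rather than only as
                // PERMISSION_DENIED on the next Firestore call.
                Log.w("AppCheckDemo", "App Check token fetch failed", e)
            }
    }
}
```

Watching these log lines across app restarts, updates and a cleared-storage install shows empirically when a fresh attestation is requested versus when the cached token is reused, which is the behaviour the quota questions above depend on.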