Firebase App Check
App Check helps protect your app backends from abuse by preventing unauthorized clients from accessing your backend resources. It works with both Google services (including Firebase and Google Cloud services) and your own backends to keep your resources safe.
With App Check, devices running your app will use an app or device attestation provider that attests to one or both of the following:
- Requests originate from your authentic app
- Requests originate from an authentic, untampered device
This attestation is attached to every request your app makes to the APIs you specify. When you enable App Check enforcement, requests from clients without a valid attestation will be rejected, as will any request originating from an app or platform you haven't authorized.
App Check has built-in support for using the following services as attestation providers:
- DeviceCheck or App Attest on Apple platforms
- Play Integrity or SafetyNet (deprecated) on Android
- reCAPTCHA Enterprise on web apps.
If these are insufficient for your needs, you can also implement your own service that uses either a third-party attestation provider or your own attestation techniques.
App Check works with the following Google services:
Supported Google services |
---|
Realtime Database |
Cloud Firestore |
Cloud Storage |
Cloud Functions (callable functions) |
Authentication (beta; requires upgrade to Firebase Authentication with Identity Platform) |
Google Identity for iOS (beta) |
Vertex AI in Firebase (Preview) |
You can also use App Check to protect your non-Google backend resources.
How does it work?
When you enable App Check for a service and include the client SDK in your app, the following happens periodically:
- Your app interacts with the provider of your choice to obtain an attestation of the app or device's authenticity (or both, depending on the provider).
- The attestation is sent to the App Check server, which verifies the validity of the attestation using parameters registered with the app, and returns to your app an App Check token with an expiration time. This token might retain some information about the attestation material it verified.
- The App Check client SDK caches the token in your app, ready to be sent along with any requests your app makes to protected services.
A service protected by App Check only accepts requests accompanied by a current, valid App Check token.
How strong is the security provided by App Check?
App Check relies on the strength of its attestation providers to determine app or device authenticity. It prevents some, but not all, abuse vectors directed towards your backends. Using App Check does not guarantee the elimination of all abuse, but by integrating with App Check, you are taking an important step towards abuse protection for your backend resources.
How is App Check related to Firebase Authentication?
App Check and Firebase Authentication are complementary parts of your app security story. Firebase Authentication provides user authentication, which protects your users, whereas App Check provides attestation of app or device authenticity, which protects you, the developer. App Check guards access to your Google backend resources and custom backends by requiring API calls to contain a valid App Check token. These two concepts work together to help secure your app.
Quotas & limits
Your use of App Check is subject to the quotas and limits of the attestation providers you use.
DeviceCheck and App Attest access is subject to any quotas or limitations set by Apple.
Play Integrity has a daily quota of 10,000 calls for its Standard API usage tier. For information on raising your usage tier, see the Play Integrity documentation.
SafetyNet has a daily quota of 10,000 calls. For information on requesting a quota increase, see the SafetyNet documentation.
reCAPTCHA Enterprise is no-cost for 10,000 assessments each month, and has a cost beyond that. See reCAPTCHA pricing.
Get started
Ready to get started?
Apple platforms
Android
Web
Flutter
C++
Unity
Learn how to implement a custom App Check provider
Learn how to use App Check to protect your non-Google backend resources
Select your platform: