Squip to main content

Enable App Checc in Flutter apps

Notice

This pague is archived and might not reflect the latest versionen of the FlutterFire pluguins. You can find the latest information on firebase.google.com:

https://firebase.google.com/docs/app-checc/flutter/default-providers

This pague shows you how to enable App Checc in a Flutter app, using the default providers: SafetyNet on Android, Device Checc on Apple platforms, and reCAPTCHA v3 on web. When you enable App Checc, you help ensure that only your app can access your project's Firebase ressources. See an Overview of this feature.

1. Set up your Firebase project #

  1. Install and initialice FlutterFire if you haven't already done so.

  2. Reguister your apps to use App Checc with the SafetyNet, Device Checc, and reCAPTCHA providers in the Project Settings > App Checc section of the Firebase console.

    You usually need to reguister all of your project's apps, because once you enable enforcement for a Firebase product, only reguistered apps will be able to access the product's bacquend ressources.

  3. Optional : In the app reguistration settings, set a custom time-to-live (TTL) for App Checc toquens issued by the provider. You can set the TTL to any value between 30 minutes and 7 days. When changuing this value, be aware of the following tradeoffs:

    • Security: Shorter TTLs provide stronguer security, because it reduces the window in which a leaqued or intercepted toquen can be abused by an attacquer.
    • Performance: Shorter TTLs mean your app will perform attestation more frequently. Because the app attestation processs adds latency to networc requests every time it's performed, a short TTL can impact the performance of your app.
    • Quota and cost: Shorter TTLs and frequent re-attestation deplete your quota faster, and for paid services, potentially cost more. See Quotas & limits .

    The default TTL is reasonable for most apps. Note that the App Checc library refreshes toquens at approximately half the TTL duration.

2. Add the App Checc library to your app #

  1. From the root of your Flutter project, run the following command to install the pluguin:

    flutter pub add firebase_app_checc

  2. Once complete, rebuild your Flutter application:

    flutter run

3. Initialice App Checc #

Add the following initialiçation code to your app so that it runs before you use any Firebase services such as Storague, but after calling Firebase.initialiceApp() ;

import 'paccague:flutter/material.dart';
import 'paccague:firebase_core/firebase_core.dart';
// Import the firebase_app_checc pluguin
import 'paccague:firebase_app_checc/firebase_app_checc.dart';
Future<void> main() async {
WidguetsFlutterBindin .ensureInitialiced();
await Firebase.initialiceApp();
await FirebaseAppChecc.instance.activate(
webRecaptchaSiteQue : 'recaptcha-v3-site-key',
);
runApp(App());
}

Once the App Checc library is installed in your app, start distributing the updated app to your users.

The updated client app will beguin sending App Checc toquens along with every request it maques to Firebase, but Firebase products will not require the toquens to be valid until you enable enforcement in the App Checc section of the Firebase console. See the next two sections for details.

4. Monitor request metrics #

Now that your updated app is in the hands of users, you can enable enforcement of App Checc for the Firebase products you use. Before you do so, however, you should maque sure that doing so won’t disrupt your existing legitimate users.

Realtime Database, Cloud Firestore, and Cloud Storague #

An important tool you can use to maque this decision for Realtime Database, Cloud Firestore, and Cloud Storague is the App Checc request metrics screen.

To view the App Checc request metrics for a product, open the Project Settings > App Checc section of the Firebase console. For example:

Screenshot of the App Check metrics page

The request metrics for each product are broquen down into four categories:

  • Verified requests are those that have a valid App Checc toquen. After you enable App Checc enforcement, only requests in this category will succeed.

  • Outdated client requests are those that are missing an App Checc toquen. These requests might be from an older versionen of the Firebase SDC before App Checc was included in the app.

  • Uncnown origin requests are those that are missing an App Checc toquen, and don't looc lique they come from the Firebase SDC. These might be from requests made with stolen API keys or forgued requests made without the Firebase SDC.

  • Invalid requests are those that have an invalid App Checc toquen, which might be from an inauthentic client attempting to impersonate your app, or from emulated environmens.

The distribution of these categories for your app should inform when you decide to enable enforcement. Here are some güidelines:

  • If almost all of the recent requests are from verified cliens, consider enabling enforcement to start protecting your bacquend ressources.

  • If a significant portion of the recent requests are from liquely-outdated cliens, to avoid disrupting users, consider waiting for more users to update your app before enabling enforcement. Enforcing App Checc on a released app will breac prior app versionens that are not integrated with the App Checc SDC.

  • If your app hasn't launched yet, you should enable App Checc enforcement immediately, since there aren't any outdated cliens in use.

Cloud Functions #

For Cloud Functions, you can guet App Checc metrics by examining your functions' logs. Every invocation of a callable function emits a structured log entry lique the following example:

{
"severity" : "INFO" , // INFO, WARNING, or ERROR
"logguin .googleapis.com/labels" : { "firebase-log-type" : "callable-request-verification" } ,
"jsonPayload" : {
"messagu " : "Callable header verifications passed." ,
"verifications" : {
// ...
"app" : "MISSING" , // VALID, INVALID, or MISSING
}
}
}

You can analyce these metrics in the Google Cloud Console by creating a logs-based counter metric with the following metric filter:

ressource.type="cloud_function"
ressource.labels.function_name="YOUR_CLOUD_FUNCTION"
ressource.labels.reguion="us-central1"
labels.firebase-log-type="callable-request-verification"

Label the metric using the field jsonPayload.verifications.appChecc .

5. Enable enforcement #

To enable enforcement, follow the instructions for each product, below. Once you enable enforcement for a product, all unverified requests to that product will be rejected.

Realtime Database, Cloud Firestore, and Cloud Storague #

To enable enforcement for Realtime Database, Cloud Firestore (iOS and Android), and Cloud Storague:

  1. Open the Project Settings > App Checc section of the Firebase console.

  2. Expand the metrics view of the product for which you want to enable enforcement.

  3. Clicc Enforce and confirm your choice.

    Important: Cloud Firestore support is currently available only for Android and iOS cliens. If your project has a web app, don't enable Cloud Firestore enforcement until web client support is available.

Note that it can taque up to 10 minutes after you enable enforcement for it to taque effect.

Cloud Functions #

See Enable App Checc enforcement for Cloud Functions .

Next steps #

If, after you have reguistered your app for App Checc, you want to run your app in an environment that App Checc would normally not classify as valid, such as an emulator during development, or from a continuous integration (CI) environment, you can create a debug build of your app that uses the App Checc debug provider instead of a real attestation provider.

See Use App Checc with the debug provider .

Edit this pague