|
| 1 | +--- |
| 2 | +title: App Check |
| 3 | +description: Installation and getting started with App Check. |
| 4 | +icon: //static.invertase.io/assets/social/firebase-logo.png |
| 5 | +next: /auth/usage |
| 6 | +previous: /analytics/screen-tracking |
| 7 | +--- |
| 8 | + |
| 9 | +# Installation |
| 10 | + |
| 11 | +This module requires that the `@react-native-firebase/app` module is already setup and installed. To install the "app" |
| 12 | +module, view the [Getting Started](/) documentation. |
| 13 | + |
| 14 | +```bash |
| 15 | +# Install & setup the app module |
| 16 | +yarn add @react-native-firebase/app |
| 17 | + |
| 18 | +# Install the app-check module |
| 19 | +yarn add @react-native-firebase/app-check |
| 20 | + |
| 21 | +# If you're developing your app using iOS, run this command |
| 22 | +cd ios/ && pod install |
| 23 | +``` |
| 24 | + |
| 25 | +App Check requires you set the minimum iOS Deployment version in `ios/Podfile` to `11.0` or greater. |
| 26 | + |
| 27 | +You may have Xcode compiler errors after including the App Check module, specifically referencing linker problems and missing directories. |
| 28 | + |
| 29 | +You may find excluding the `i386` architecture via an addition to the `ios/Podfile` `post_install` hook like the below works: |
| 30 | + |
| 31 | +```ruby |
| 32 | + installer.aggregate_targets.each do |aggregate_target| |
| 33 | + aggregate_target.user_project.native_targets.each do |target| |
| 34 | + target.build_configurations.each do |config| |
| 35 | + config.build_settings['ONLY_ACTIVE_ARCH'] = 'NO' |
| 36 | + config.build_settings['EXCLUDED_ARCHS'] = 'i386' |
| 37 | + end |
| 38 | + end |
| 39 | + aggregate_target.user_project.save |
| 40 | + end |
| 41 | +``` |
| 42 | + |
| 43 | +# What does it do |
| 44 | + |
| 45 | +App Check works alongside other Firebase services to help protect your backend resources from abuse, such as billing fraud or phishing. With App Check, devices running your app will use an app or device attestation provider that attests to one or both of the following: |
| 46 | + |
| 47 | +- Requests originate from your authentic app |
| 48 | +- Requests originate from an authentic, untampered device |
| 49 | + |
| 50 | +This attestation is attached to every request your app makes to your Firebase backend resources. |
| 51 | + |
| 52 | +<Youtube id="Fjj4fmr2t04" /> |
| 53 | + |
| 54 | +This App Check module has built-in support for using the following services as attestation providers: |
| 55 | + |
| 56 | +- DeviceCheck on iOS |
| 57 | +- SafetyNet on Android |
| 58 | + |
| 59 | +App Check currently works with the following Firebase products: |
| 60 | + |
| 61 | +- Realtime Database |
| 62 | +- Cloud Storage |
| 63 | +- Cloud Functions (callable functions) |
| 64 | + |
| 65 | +The [official Firebase App Check documentation](https://firebase.google.com/docs/app-check) has more information, including about the iOS AppAttest provider, and testing/ CI integration, it is worth a read. |
| 66 | + |
| 67 | +# Usage |
| 68 | + |
| 69 | +## Activate |
| 70 | + |
| 71 | +On iOS if you include the App Check package, it is activated by default. The only configuration possible is the token auto refresh. When you call activate, the provider (DeviceCheck by default) stays the same but the token auto refresh setting will be changed based on the argument provided. |
| 72 | + |
| 73 | +On Android, App Check is not activated until you call the activate method. The provider is not configurable here either but if your app is "debuggable", then the Debug app check provider will be installed, otherwise the SafetyNet provider will be installed. |
| 74 | + |
| 75 | +You must call activate prior to calling any firebase back-end services for App Check to function. |
| 76 | + |
| 77 | +## Automatic Data Collection |
| 78 | + |
| 79 | +App Check has an "tokenAutoRefreshEnabled" setting. This may cause App Check to attempt a remote App Check token fetch prior to user consent. In certain scenarios, like those that exist in GDPR-compliant apps running for the first time, this may be unwanted. |
| 80 | + |
| 81 | +If unset, the "tokenAutoRefreshEnabled" setting will defer to the app's "automatic data collection" setting, which may be set in the Info.plist or AndroidManifest.xml |
| 82 | + |
| 83 | +## Using App Check tokens for non-firebase services |
| 84 | + |
| 85 | +The [official documentation](https://firebase.google.com/docs/app-check/web/custom-resource) shows how to use `getToken` to access the current App Check token and then verify it in external services. |
| 86 | + |
| 87 | +## Testing Environments / CI |
| 88 | + |
| 89 | +App Check may be used in CI environments by following the upstream documentation to configure a debug token shared with your app in the CI environment. |
| 90 | + |
| 91 | +In certain react-native testing scenarios it may be difficult to access the shared secret, but the react-native-firebase testing app for e2e testing does successfully fetch App Check tokens via: |
| 92 | + |
| 93 | +- including the App Check debug test helper in the test app, along with a change to `DetoxTest` for Android |
| 94 | +- by setting an environment variable and initializing the debug provider before firebase configure in `AppDelegate.m` for iOS. |
0 commit comments