What is the purpose of Firebase AppCheck?

Question

I want to improve the security of my application and I'm looking into the Firebase App Check service which ensures that all requests made to the server come from my application. Only in Firebase Realtime Database I put the following rules:

"Users": {
      "$userId": {
        ".read": "auth != null && $userId === auth.uid",
          ".write": "auth != null && $userId === auth.uid", 
      }

Which I think ensures that the requests come from a user logged into the application.

So what does App Check do more, does the service also block jailbroken or specially rooted devices? Because it says on the site: Requests originate from an authentic, untampered device. But nothing in the introduction explicitly mentions what tampered means even if it seems logical I'd rather make sure.

So how does AppCheck ensure that the data sent to the database is not corrupted?

For example if data persistence is enabled and the user closes the application, changes the locally stored query and restarts the application. Then in my opinion the corrupted request will be sent and authenticated by AppCheck, yet it will have been modified. If not, can you detail the process as I am a bit confused.

Answer 1

If you have just the security rules you show, and don't use App Check, anyone can take the configuration data from your app, and make API calls with that data. So they can call the API to create a user account, and make calls to the database in ways that you may have not imagined.

If your security rules capture all the requirements you have about your data, then App Check indeed doesn't change anything about what a malicious user can do, and it's just an extra layer to deter abusers.

In many cases though, there are (sometimes subtle) differences between what your application code does and what your security rules enforce. In cases like those, an abusive user may run their own code and do something different than your code does.

For example, your security rules don't enforce anything about what data can be written. So an abusive user could:

• not write data that your code expects in the user profile.
• write completely different data in the user profile that your code does not expect.
• write much more data into the profile, which your project would then be charged for.

While you can (and should) encode all such requirements around data format and data size into your security rules, enabling App Check is a quick way to already deter many malicious users.

Between using App Check and Security Rules you have both broad protection, and fine grained control over who can access the data and what they can do to it.

Answer 2

In addition to the answer from puf , check out the WWDC talk Mitigate fraud with App Attest and DeviceCheck . Firebase App Check provides the server for App Attest.

Answer 3

Go To Apple Certificates, Identifiers & Profiles: Select Your Key Upload firebase and Make Check For: Access the DeviceCheck and AppAttest APIs to get data that your associated enter image description here