I set up App Check for iOS and Android on Flutter. iOS devices are working fine and able to access my RT Database and Cloud Functions. However, Android devices are blocked. I used the SHA-256 certificate fingerprint generated on Google Play Console. Also, Firebase says my Android app is registered. So, everything looks ok, but it's not.
I don't know what to check at this point because there is no error on my side. The only thing I can see is unverified: invalid requests from App Check request metrics.
This is my Flutter code to activate App Check:
    void main() async {
      await Firebase.initializeApp(
        options: DefaultFirebaseOptions.currentPlatform,
      );
      await FirebaseAppCheck.instance.activate();
      runApp(MyApp());
    }
This is a log info from Cloud Functions:
    Callable request verification passed {"verifications":{"auth":"MISSING","app":"MISSING"}}
I have solved my problem and I have recently received my first "App Check Verified Request" successfully at my Firebase Cloud Firestore App Check request metrics.
I only added "Play Integrity" until now, because the Firebase documentation (https://firebase.google.com/docs/app-check/android/safetynet-provider) uses the following statement: "Note: The SafetyNet Attestation API is deprecated and has been replaced by the Play Integrity API. Consider enabling App Check with Play Integrity instead. See the deprecation timeline for more information."
To solve the problem, it will be enough to apply the following:
Firebase Console -> Project Settings -> App Check -> Apps -> Add SafetyNet as additional Attestation providers.
I now have Play Integrity and SafetyNet both together. App Check requests are now also working for the "Real device", "Release build" and "Closed Testing" scenarios.
I suggest using "Consider enabling App Check with both Play Integrity and SafetyNet." instead of "Consider enabling App Check with Play Integrity instead." on Firebase Documentation.
Thanks for adding such a great service that improves security in any case.
So just leaving a comment in case this helps.
I had the same issue but made this work after using the SHA-256 under "App Signing key certificate" (It wasn't working until I used Upload key certificate). Hope this helps in any way.
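The log line quoted in the question can be triaged mechanically. The following is an added example, not code from any of the posts above or from Firebase: it classifies callable-verification log lines by App Check status. It assumes the status values are "VALID", "MISSING" (no App Check token on the request) and "INVALID" (a token was sent but failed verification), and that a "passed" line with "app":"MISSING" means the function accepted the call without enforcing App Check. The sample lines and the names `classify` and `summarize` are constructed for illustration.

```javascript
// Added example: triage of Cloud Functions callable-verification log lines.
// SAMPLE_LOGS is constructed; only the shape of the first line comes from the page.
const SAMPLE_LOGS = [
  'Callable request verification passed {"verifications":{"auth":"MISSING","app":"MISSING"}}',
  'Callable request verification passed {"verifications":{"auth":"VALID","app":"VALID"}}',
  'Callable request verification failed {"verifications":{"auth":"VALID","app":"INVALID"}}',
  'Function execution took 120 ms, finished with status code: 200',
  'Callable request verification passed {"verifications"{"auth":"MISSING","app":"MISSING"}}',
];

const LINE_RE = /^Callable request verification (passed|failed) (\{.*\})\s*$/;

// Returns null for unrelated lines, otherwise { outcome, auth, app, finding }.
function classify(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const outcome = m[1];
  let v;
  try {
    v = JSON.parse(m[2]).verifications;
  } catch (err) {
    v = undefined; // truncated or mangled payload: report it, do not guess
  }
  if (!v || typeof v.app !== 'string') return { outcome, finding: 'unparseable-payload' };
  let finding;
  if (v.app === 'VALID') finding = 'attested';
  else if (v.app === 'INVALID') finding = 'token-rejected';
  // Assumption: "passed" without a token means App Check is not enforced on this function.
  else if (v.app === 'MISSING' && outcome === 'passed') finding = 'no-token-not-enforced';
  else finding = 'no-token';
  return { outcome, auth: v.auth, app: v.app, finding };
}

// Counts findings across a batch of log lines, skipping unrelated lines.
function summarize(lines) {
  const counts = {};
  for (const line of lines) {
    const r = classify(line);
    if (r) counts[r.finding] = (counts[r.finding] || 0) + 1;
  }
  return counts;
}

console.log(summarize(SAMPLE_LOGS));
```

A high count of `no-token-not-enforced` means unattested calls are still reaching the function body, so the function itself has to reject them if App Check is meant to be a gate.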
Related
I would like to know if my Firebase Backend (Firestore and Cloud Functions) is safe by using App Check if my Flutter App (iOS/Android) is reverse engineered.
I imagine the App Check is client based. If the client is reverse engineered, then the backend wouldn't know if it's "my" client or the "bad" client which was reverse engineered?
App Check works with so-called attestation providers on each supported platform to attest that API calls come from your genuine code on a genuine device. These providers are at this point quite well vetted on both iOS and Android, and are getting better on Web.
For example, without App Check a malicious user can extract the Firebase configuration from the released app, and then for example call the Firestore APIs with those configuration details. You'd then use security rules to protect against the attack.
When you use App Check, their API calls won't be attested, so they will be rejected by Firebase before they even reach Firestore and your security rules. So with one sweep, you've ruled out a lot of abuse on that attack vector.
But there is still a potential for abuse, even when you use App Check. That's why you should always combine App Check with other security measures, such as the server-side security rules that exist for Firestore (since you tagged with that) and other Firebase products.
I recommend also checking out:
How strong is the security provided by App Check?
Is it safe to expose Firebase apiKey to the public?
I have an app with the Huawei Health SDK integrated. I applied for some data Read/Write permissions for Fitness and Health data. The app works fine for some features like step count data. However, it reports the following error when calling the activityRecord API:
activityRecord failure 50005: Unknown authorization error
Can someone help?
You need to ensure that your app for Health Kit data has been approved, and the scope of Activity Record has been added in Signing in and Applying for permission.
It looks like the app has been approved for the access of some fitness and health data because the step count works on the app. However, it seems that you have not requested the “user activity records data” in Health Kit service.
You need to enable Read/Write for user activity records data in Motion record data as you did for other data. You can refer to the link for the details on HMS SDK v5 or the link on HMS SDK v6 error codes.
After the application is approved, please try again. Hope this fixes the issue. If you still get the result code 50005 error, the HMS Core version may be too low. Please upgrade the HMS Core version.
I'm using Firebase Cloud Messaging in my Dart/Flutter app. The code below updates a user doc with a retrieved android notification token.
    FirebaseMessaging().getToken().then((token) {
      _usersRef.doc(user.id).update({
        "notificationAndroidToken": token,
      });
    });
I then read the notificationAndroidToken in my cloud functions. Works great except I had wrongly assumed the token would be invalid if the user had shut off their notifications (e.g., empty or null). What's the best way for determining if notifications are enabled for my app in cloud functions? I'm finding some hits in my searches but many are outdated or for a different dev environment.
The firebase_messaging package does not provide any method for checking if notifications are enabled by calling NotificationManagerCompat.areNotificationsEnabled on the platform. The awesome_notifications package provides such an isNotificationAllowed method.
We develop an app to be used with Google Assistant. All works fine in the development environment, but when we deploy to the test environment on AWS we get these errors from Google:
DEADLINE_EXCEEDED
RESOURCE_EXHAUSTED
These occur when we answer a Sync request.
The account link and the First Sync are working fine!
Any idea?
DEADLINE_EXCEEDED - This generally happens when an intent request times out waiting for a response. If you're seeing these errors during account linking, it may also be related to the time taken to issue the OAuth token in addition to the initial SYNC.
RESOURCE_EXHAUSTED - This happens when you call Request Sync more than once concurrently for a given agentUserId. For more details see the Error responses section of the Request Sync developer guide.
I'm trying to integrate Google Play Games Services as an update to my already published Android game.
However, sign-in is not working and I get a "SIGN_IN status: ERROR_NOT_AUTHORIZED" error message.
I guess that it may be related to the linked app not having an OAuth Client ID for Android. So I tried to create one, but got an error message: "The fingerprint you specified is already used by an Android OAuth2 client ID in this project or another project".
This is true, this SHA fingerprint is indeed used by another game that I already published, as I used the same certificate for both games.
Is it a bad practice to use the same certificate for multiple apps?
What should I do to link my app, as I guess I can't change the certificate on any of the two games as they are already published? Thanks!
The fingerprint you specified is already used by an Android OAuth2
client ID in this project or another project
implies that you shouldn't be doing that, so to me it doesn't sound like a good practice.
Try to generate a different signed certificate for each project.