Replies: 1 comment
-
Great question! Thanks for bringing this up. The goal of App Check is to make abuse harder, but it is not able to completely eliminate all abuse (see: https://firebase.google.com/docs/app-check#how_strong_is_the_security_provided_by). What you observed is true; a motivated attacker can manually extract an App Check token. However, this process would need to be repeated every time the underlying App Check token expired (1 hour on SafetyNet, DeviceCheck, and App Attest, 1 day on reCAPTCHA v3 by default), and is unlikely to be automated. An attacker could still make requests to your backend on a one-off basis even with App Check, which is why it's still important to use App Check in conjunction with other authorization controls such as Firebase Security Rules. App Check makes it much more difficult for someone to publish their own app that is pointed at your backend.
-
I'm considering adding AppCheck to my web app, but I hope to first understand the mechanism.
So, on a high level, here's how AppCheck works:
It seems to me that an attacker can easily install my app, observe the web traffic, and repeat either step 1 or step 2 with curl. Am I missing something?