10

Previously, I used to check the application through SafetyNet. Then, when logging in by phone number, the error "This request is missing a valid app identifier" came up. I started to figure it out and read that I should use App Check via Play Integrity. I started trying; the error is the same. Now I can neither turn on Play Integrity nor turn off all verification methods. The error is the same. I read the forum and did all the settings and recommendations. It didn't help. Tell me please, maybe there are more ideas or successful practice in this.

Dependencies

implementation 'com.google.firebase:firebase-appcheck-debug:16.0.0'
implementation 'com.google.firebase:firebase-appcheck-playintegrity'

Initialization

if (BuildConfig.DEBUG) {
    Timber.plant(Timber.DebugTree())

    // Debug builds: install the App Check debug provider
    FirebaseApp.initializeApp(/*context=*/this)
    val firebaseAppCheck = FirebaseAppCheck.getInstance()
    firebaseAppCheck.installAppCheckProviderFactory(
        DebugAppCheckProviderFactory.getInstance()
    )
} else {
    // Release builds: install the Play Integrity provider
    FirebaseApp.initializeApp(/*context=*/this)
    val firebaseAppCheck = FirebaseAppCheck.getInstance()
    firebaseAppCheck.installAppCheckProviderFactory(
        PlayIntegrityAppCheckProviderFactory.getInstance()
    )
}

All signatures have been added to the FB project (debug, release, store) SHA-1 and SHA-256.

The following APIs are included:

  • Android Device Verification
  • Firebase App Check API
  • Firebase Installations API
  • Google Play Integrity API
  • Identity Toolkit API
  • Token Service API

What else is missing?

zizi union
  • Did you manage to fix this? I have a similar problem; now I don't even know how this whole service should work. It seems someone at Firebase introduced this feature and just threw it into production half-baked, without checking all use cases, and now with poor documentation. – Bitwise DEVS May 13 '23 at 10:00

5 Answers

3

SafetyNet will keep working for a year. So a temporary solution would be to keep using SafetyNet until the API gets a fix update. The turn-off date for SafetyNet is June 30, 2024, based on the email Google sent to developers who use SafetyNet in their apps.

Update: I just realized App Check with Play Integrity already works! You just need to download the app from Play Store. Otherwise it will not accept your connection. You can test quickly with Internal Testing. Additionally you can still test on emulator with App Check Debug tokens.

Samudra Ganguly
Okan Seref
  • Still does not work. Have been in touch with Firebase support for about a month. Even they cannot understand! No one cares! – Oru Nov 25 '22 at 13:21
  • How to use app check with play integrity api for apks that are downloaded from other sources? – Samudra Ganguly Nov 28 '22 at 13:31
  • @SamudraGanguly You can't, because that is why you implement the Play Integrity API: genuine app installs & app binary. – Okan Seref Dec 02 '22 at 09:44
  • @OkanSeref If I want to implement Firebase App Check in an APK that will be distributed directly (not through the Play Store), is there any alternative to the Play Integrity API other than SafetyNet Attestation? SafetyNet is going to be shut down in June 2024. – Samudra Ganguly Dec 03 '22 at 16:39
  • @SamudraGanguly Zimperium might be an option for that. You can take a look in details from official website. – Okan Seref Dec 03 '22 at 17:18
0

You probably need to set up the Play Integrity API by enabling it in the Play Console (see the details in the official documentation).

0

Make sure you are using updated versions of the Firebase dependencies, since some of these dependencies were updated after Firebase App Check was introduced. The best way to achieve this is by using the Firebase Android BoM and removing versions from all Firebase dependencies in your app/build.gradle. Another thing to check is that you are including the latest google-services.json downloaded from Firebase console -> Project Settings -> Android App.

Regarding the use of App Check with the debug provider, make sure to include the debug tokens for all your test/debug devices into Firebase console. Also building on my previous point, remove the ":16.0.0" from the dependency declaration.

lubani
  • I did everything, it didn't work. What do you mean by debug tokens? SHA-256 signatures? I checked it many times. – zizi union Jul 25 '22 at 13:14
  • Debug tokens are not the same as SHA signatures. You can add debug tokens in Firebase console-> App Check -> Manage debug tokens (https://firebase.google.com/docs/app-check/android/debug-provider). Also make sure the Firebase App Check API is enabled in Google Cloud Console -> APIs & Services -> Enable APIs. – lubani Jul 26 '22 at 01:12
  • I updated the debugging token, it did not heal. The API was previously added, indicated in your question. Until it worked, I don’t know which way to dig. – zizi union Jul 29 '22 at 11:10
  • It's Not Working! – Oru Nov 25 '22 at 13:22
  • This solution does not work, distributed my app through play store but still redirects to a browser before sending token – Brian Mutiso Feb 24 '23 at 13:48
0

According to the official site, Firebase currently allows Play Integrity API App Check only for apps distributed through the Play Store (link).

So, if you want to use App Check for Android in Firebase, you have two options: either upload your app to the Play Store or use a custom App Check provider.

PS: It may be possible to integrate the Play Integrity API in Firebase for apps that are not distributed through the Play Store using a custom provider.

Samudra Ganguly
  • I see, but the OP set the debug provider so it should work as well. Unfortunately that debug provider does not work as well. – Bitwise DEVS May 13 '23 at 10:07
0

For the debug provider you need to run the app, and it will print a debug token in the logs on the info channel. This token has to be inserted in Firebase: Build > App Check > [app package] > 3-dots menu > manage debug tokens > add your token. Mind that this token may be different for every app install/device etc., so you will need more tokens in the Firebase console for your devices/team.

For the Integrity provider, your app has to be published on the Play Store (closed test channel for initial tests), and it has to be connected with the proper project on FB: release > integrity > connect with project. You should also pay attention to signing fingerprints: if your app is signed on publishing with a Google key, you will have to update the fingerprints on Firebase.

bovquier
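
A startup diagnostic for the two conditions the answers above describe: the debug provider for debug builds, and a Play Store install for the Play Integrity provider. This is an added example, not code from any poster or from Firebase; `DiagApp`, `AppCheckDiag` and `PLAY_STORE_INSTALLER` are hypothetical names, and it assumes the App Check dependencies from the question and that `BuildConfig` is in the same package.

```kotlin
import android.app.Application
import android.os.Build
import android.util.Log
import com.google.firebase.FirebaseApp
import com.google.firebase.appcheck.FirebaseAppCheck
import com.google.firebase.appcheck.debug.DebugAppCheckProviderFactory
import com.google.firebase.appcheck.playintegrity.PlayIntegrityAppCheckProviderFactory

private const val TAG = "AppCheckDiag"                        // hypothetical log tag
private const val PLAY_STORE_INSTALLER = "com.android.vending" // Play Store package name

class DiagApp : Application() {                                // hypothetical class name
    override fun onCreate() {
        super.onCreate()
        FirebaseApp.initializeApp(this)
        val appCheck = FirebaseAppCheck.getInstance()

        if (BuildConfig.DEBUG) {
            // The debug token this provider logs must be registered in the Firebase console.
            appCheck.installAppCheckProviderFactory(DebugAppCheckProviderFactory.getInstance())
        } else {
            val installer = installerPackage()
            if (installer != PLAY_STORE_INSTALLER) {
                // Sideloaded release build: the answers above report that attestation is rejected.
                Log.w(TAG, "Installer is '$installer', not the Play Store")
            }
            appCheck.installAppCheckProviderFactory(PlayIntegrityAppCheckProviderFactory.getInstance())
        }

        // Force a token exchange at startup so a provider or console misconfiguration
        // surfaces here with its own error, not later inside phone-number sign-in.
        // Only the expiry is logged; the token itself is a credential and stays out of logs.
        appCheck.getAppCheckToken(/* forceRefresh = */ true)
            .addOnSuccessListener { Log.i(TAG, "App Check token OK, expires at ${it.expireTimeMillis}") }
            .addOnFailureListener { e -> Log.e(TAG, "App Check token exchange failed", e) }
    }

    // Package that installed this app, or null when it was sideloaded (for example via adb).
    private fun installerPackage(): String? =
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
            packageManager.getInstallSourceInfo(packageName).installingPackageName
        } else {
            @Suppress("DEPRECATION")
            packageManager.getInstallerPackageName(packageName)
        }
}
```

If the failure listener fires, the problem is in the App Check setup itself (provider, debug token, fingerprints or Play Console link) and not in the phone sign-in call.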