App Check works with so-called attestation providers on each supported platform to attest that API calls come from your genuine code on a genuine device. These providers are, at this point, quite well vetted on both iOS and Android, and are getting better on the web.
For example, without App Check a malicious user can extract the Firebase configuration from the released app and then, for example, call the Firestore APIs with those configuration details. You'd then have to use security rules to protect against that attack.
When you use App Check, their API calls won't be attested, so they will be rejected by Firebase before they even reach Firestore and your security rules. So with one sweep, you've ruled out a lot of abuse on that attack vector.
But there is still potential for abuse, even when you use App Check. That's why you should always combine App Check with other security measures, such as the server-side security rules that exist for Firestore (since you tagged the question with that) and other Firebase products.
I recommend also checking out: