Firebase App Check rejecting all requests from Android devices

Asked 5/8, 2022 at 23:44 Answered 25/2, 2023 at 16:55

I set up App Check for iOS and Android on Flutter. iOS devices are working fine and able to access my RT Database and Cloud Functions. However, Android devices are blocked. I used the SHA-256 certificate fingerprint generated on Google Play Console. Also, Firebase says my Android app is registered. So, everything looks ok, but it's not.

I don't know what to check at this point because there is no error on my side. The only thing I can see is unverified: invalid requests from App Check request metrics.

This is my Flutter code to activate App Check:

void main() async {
  await Firebase.initializeApp(
    options: DefaultFirebaseOptions.currentPlatform,
  );

  await FirebaseAppCheck.instance.activate();

  runApp(MyApp());
}

This is a log info from Cloud Functions:

Callable request verification passed {"verifications"{"auth":"MISSING","app":"MISSING"}}

Phonetist answered 5/8, 2022 at 23:44 Comment(4)

Running on a real device with release build? – Angy 6/8, 2022 at 6:8

Yes, it's internal testing. I downloaded the app from the Google Play Store and then tested it. Still all requests denied. – Phonetist 6/8, 2022 at 7:15

I have same issue. "Real device", "Release build" and "Closed Testing". I have still not published this app in Google Play to "Production". I am downloading app to real device from Google Play via "Closed Testing" testers. If that's the case, I'd like to continue developing my app without spending any more time on this issue, and if anyone can provide information on this, I'd greatly appreciate it. – Privacy 6/8, 2022 at 21:28

Same for me on real android, release build, google play internal | closed | open testing stage – Garboard 11/8, 2022 at 11:5

I have solved my problem and I have recently received my first "App Check Verified Request" successfully at my Firebase Cloud Firestore App Check request metrics.

I only added "Play Integrity" until now, because the Firebase documentation (https://firebase.google.com/docs/app-check/android/safetynet-provider) uses the following statement: "Note: The SafetyNet Attestation API is deprecated and has been replaced by the Play Integrity API. Consider enabling App Check with Play Integrity instead. See the deprecation timeline for more information."

To solve the problem, it will be enough to apply the following: Firebase Console -> Project Settings -> App Check -> Apps -> Add SafetyNet as additional Attestation providers.

I have now Play Integrity and SafetyNet both together. Now App Check Requests are working also for "Real device", "Release build" and "Closed Testing" scenario.

I suggest using "Consider enabling App Check with both Play Integrity and SafetyNet." instead of "Consider enabling App Check with Play Integrity instead." on Firebase Documentation.

Thanks for adding such a great service that improves security in any case.

Privacy answered 7/8, 2022 at 23:2 Comment(4)

Thanks for sharing this, but I already added SafetyNet and it still doesn't work. – Phonetist 8/8, 2022 at 6:22

The issue we had seemed very similar, I hope you can solve it as soon as possible. – Privacy 8/8, 2022 at 6:29

I have both Play Integrity and SafetyNet, but still doesn't work – Garboard 11/8, 2022 at 11:10

I have enabled App signing instead of Play Integrity API and still FIrebase App check API showing 100% errors in APIs & services – Piteous 24/4 at 5:37

This might be too obvious for most, but you need to enable play integrity in the Google Play console.

To do this, you have to select your app in the play console and then go to the Integrity API tab under Release -> Setup -> App integrity. Here you have to link your project to a Google Cloud project to use play integrity.

That was the only thing I was missing. I hope it might help someone.

Hydrokinetic answered 25/2, 2023 at 16:55 Comment(1)

so helpful..... – Panoply 30/5 at 8:48

So just leaving a comment in case this helps. I had the same issue but made this work after using the SHA-256 under "App Signing key certificate" (It wasn't working until I used Upload key certificate). Hope this helps in any way.

Spoondrift answered 7/8, 2022 at 15:42 Comment(3)

I'm already using the app signing key certificate, but no luck. – Phonetist 7/8, 2022 at 21:26

Same here again. I have already both key certificate's fingerprints. – Privacy 7/8, 2022 at 22:13

I had the same problem and also did all the suggestions posted in this StackOverflow topic. What I did to solve the problem of Google Play's private testing on a real phone was to configure the correct SHA256 in the Firebase App Check Play Integrity Apps page. – Mapes 30/10, 2023 at 11:1

Recommended topics

Hot tags