Why is App Check randomly generating invalid requests from published Android but not iPhone although exact same Flutter code

I built an app that uses Flutter, Firebase Firestore and Firebase Authentication.

I published my app in both the Android Play Store (internal tests) and the Apple App Store (TestFlight) using the exact same Flutter base code.

The Problem:

Why does App Check not recognize some Android requests (Unverified: invalid requests) every few hours while it recognizes all the rest as verified... meanwhile App Check recognizes (verified requests) 100% of the iPhone requests? And it even recognizes the same Android ones when I just restart the app from the device.

Explanation:

  1. Here is a Snapshot showing only the Android app requests (from 1 device): You can see the "unverified" at the beginning (see red arrow in graph), then it becomes all "verified" for a few hours, then again 1 "unverified" (not shown here) and so on.

Snapshot showing only the Android app requests

  2. And here is a Snapshot showing only the iPhone app requests (from 1 device): You can see that everything is "verified" as expected, even after several hours or days.

The Code:

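  import 'package:firebase_app_check/firebase_app_check.dart';
  import 'package:firebase_core/firebase_core.dart';
  import 'package:flutter/material.dart';
  import 'firebase_options.dart'; // generated by the FlutterFire CLI
  Future<void> main() async {
    WidgetsFlutterBinding.ensureInitialized();
    await Firebase.initializeApp(options: DefaultFirebaseOptions.currentPlatform);
    // Play Integrity on Android; App Attest with DeviceCheck fallback on Apple.
    await FirebaseAppCheck.instance.activate(
      androidProvider: AndroidProvider.playIntegrity,
      appleProvider: AppleProvider.appAttestWithDeviceCheckFallback,
    );
    runApp(AuthUserProviderWidget());
  }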

For the signing key, I use the one from Google Play Console > Release > Setup > App Signing > App signing key certificate > SHA-256,

and I copy that SHA-256 to Firebase > App Check > Apps > Android > Play Integrity > SHA-256 certificate fingerprint.

Update 1:

I have tried "enforcing" App Check: same outcome... I have tried a different Android phone: same thing (mostly "verified" until after a few hours I get the "unverified" one)... I have tried using the SHA-256 of the "Upload key": this one does not work at all with App Check... I am lost, any ideas anyone???

Update 2:

I used kReleaseMode to confirm it is release mode... but still same issue with Android: All requests are verified, then randomly one request is unverified and blocked... then again, subsequent calls are verified again... I also updated to the latest versions of Flutter (3.13.4) and App Check 0.2.0 and all Firebase... Still same...

Because rerunning the app after the error always runs smoothly, I also tried to add artificial delays after initializing Firebase and after activating App Check... I also tried to activate multiple times... I tried await FirebaseAppCheck.instance.setTokenAutoRefreshEnabled(true); ... Still the same random error, once every few hours.

Update 3: See "Partial Solution" described below... Basically, I was able to reduce the frequency of this error by forcing a getToken(true) and setTokenAutoRefreshEnabled(true)... But the error still happens every few hours... It seems to happen when the app comes back to the foreground after a long time in the background.

Update 4: 2 months after this question, I am still actively looking for a solution... Also looking if anyone else is experiencing this same error or is it just me?

Sagesagebrush answered 16/9, 2023 at 3:54 Comment(4)
Have you tried enforcing App Check? – Pittel
@Pittel ... yes, I have tried enforcing App Check... same outcome... That specific request will fail and trigger an error in my app... after that if I restart my app, it will work fine (with a "verified" request) – Sagesagebrush
Just to make sure everything's alright: Can you please do: if (!kReleaseMode) { await FirebaseAppCheck.instance.activate(androidProvider: AndroidProvider.debug); } else { await FirebaseAppCheck.instance.activate(androidProvider: AndroidProvider.playIntegrity); } – Pittel
@Pittel ... I tried with kReleaseMode... confirmed that we are in release mode... But still same issue... All requests are verified, then randomly one request is unverified and blocked... then again, subsequent calls are verified again – Sagesagebrush

Partial Solution:

I was able to find a "partial" solution to my problem. I had to force a getToken(true) and setTokenAutoRefreshEnabled(true).

  Future<void> main() async {
    WidgetsFlutterBinding.ensureInitialized();
    await Firebase.initializeApp(options: DefaultFirebaseOptions.currentPlatform);
    await FirebaseAppCheck.instance.activate(
      androidProvider: AndroidProvider.playIntegrity,
      appleProvider: AppleProvider.appAttestWithDeviceCheckFallback,
    );
    await FirebaseAppCheck.instance.getToken(false); // Solution here
    await FirebaseAppCheck.instance.setTokenAutoRefreshEnabled(true); // and solution here

    runApp(...);
  }

I assume the reason is that activate is a lazy call but this looks like a bug they will need to fix in this Beta release... getToken seems to force the call and avoid the error.

So far, I still encounter an App Check error on resume, after the app comes back to the foreground from a long time in the background... Still need to fix this.

Sagesagebrush answered 25/9, 2023 at 3:52 Comment(1)
Did you try with the latest firebase-appcheck-playintegrity version? – Suppositious
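
One way to handle the resume case described in the answer above, as an added example that is not part of the original post and not FlutterFire's own code: a lifecycle observer that forces an App Check token refresh when the app returns to the foreground. The class name AppCheckResumeGuard, its methods and the 10-minute interval are assumptions, and the page does not confirm that this removes the unverified request.

```dart
import 'dart:async';
import 'package:firebase_app_check/firebase_app_check.dart';
import 'package:firebase_core/firebase_core.dart';
import 'package:flutter/widgets.dart';

/// Hypothetical helper: forces an App Check token refresh when the app
/// returns to the foreground, so the first request after a long background
/// period does not go out with a missing or expired token.
class AppCheckResumeGuard with WidgetsBindingObserver {
  AppCheckResumeGuard({this.minInterval = const Duration(minutes: 10)});

  /// Lower bound between forced refreshes; attestation calls count against quota.
  final Duration minInterval;
  DateTime? _lastRefresh;
  Future<void>? _inFlight;

  /// Call once, after FirebaseAppCheck.instance.activate(...).
  void attach() => WidgetsBinding.instance.addObserver(this);
  void detach() => WidgetsBinding.instance.removeObserver(this);

  @override
  void didChangeAppLifecycleState(AppLifecycleState state) {
    if (state == AppLifecycleState.resumed) unawaited(ensureFreshToken());
  }

  /// Await before the first Firestore call after a resume; callers share one refresh.
  Future<void> ensureFreshToken() {
    final last = _lastRefresh;
    if (last != null && DateTime.now().difference(last) < minInterval) {
      return Future<void>.value();
    }
    return _inFlight ??= _refresh().whenComplete(() => _inFlight = null);
  }

  Future<void> _refresh({int attempts = 3}) async {
    for (var i = 1; i <= attempts; i++) {
      try {
        final token = await FirebaseAppCheck.instance.getToken(true); // bypass cache
        if (token != null && token.isNotEmpty) {
          _lastRefresh = DateTime.now();
          return;
        }
      } on FirebaseException catch (e) {
        debugPrint('App Check refresh $i/$attempts failed: ${e.code}');
      }
      await Future<void>.delayed(Duration(seconds: i)); // linear backoff
    }
  }
}
```

Create one instance in main() after activate(...), call attach(), and await ensureFreshToken() in the code path that issues the first backend request after a resume.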

I got a similar issue, and I finally resolved the issue after contacting the Firebase support team. We realized that it was a device integrity issue.

The request was refused from a device that has only the MEETS_BASIC_INTEGRITY integrity verdict, while my Play Integrity API was only accepting MEETS_DEVICE_INTEGRITY. This explains why my application was working on a device that has the MEETS_DEVICE_INTEGRITY integrity verdict.

I guess you got the same issue here; I invite you to check my question/answer here.

Hope it will help you.

Suppositious answered 19/3, 2024 at 13:45 Comment(0)
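
The mismatch described in the answer above, as an added example that is not from the original post and not Firebase's implementation: a model of a backend policy check over a decoded Play Integrity verdict, showing why a device reporting only MEETS_BASIC_INTEGRITY is refused when MEETS_DEVICE_INTEGRITY is required. The function and class names, the package name com.example.app and the sample verdict are constructed.

```dart
/// Outcome of checking one decoded verdict; an empty reason list means accepted.
class VerdictDecision {
  VerdictDecision(this.reasons);
  final List<String> reasons;
  bool get accepted => reasons.isEmpty;
}

/// Illustrative policy check over the decoded verdict JSON.
/// [requiredDeviceLabel] is the device label the backend insists on.
VerdictDecision evaluateVerdict(
  Map<String, dynamic> verdict, {
  required String expectedPackage,
  required String requiredDeviceLabel,
}) {
  final reasons = <String>[];
  final request = (verdict['requestDetails'] as Map<String, dynamic>?) ?? {};
  final app = (verdict['appIntegrity'] as Map<String, dynamic>?) ?? {};
  final device = (verdict['deviceIntegrity'] as Map<String, dynamic>?) ?? {};
  // The label list is empty or absent when the device passes no check.
  final labels = ((device['deviceRecognitionVerdict'] as List?) ?? const [])
      .cast<String>()
      .toSet();

  if (request['requestPackageName'] != expectedPackage) {
    reasons.add('package mismatch: ${request['requestPackageName']}');
  }
  if (app['appRecognitionVerdict'] != 'PLAY_RECOGNIZED') {
    reasons.add('app not recognized: ${app['appRecognitionVerdict']}');
  }
  if (!labels.contains(requiredDeviceLabel)) {
    reasons.add('device labels $labels lack $requiredDeviceLabel');
  }
  return VerdictDecision(reasons);
}

void main() {
  // Constructed sample verdict for a device that passes only the basic check.
  final basicOnly = <String, dynamic>{
    'requestDetails': {'requestPackageName': 'com.example.app'},
    'appIntegrity': {'appRecognitionVerdict': 'PLAY_RECOGNIZED'},
    'deviceIntegrity': {'deviceRecognitionVerdict': ['MEETS_BASIC_INTEGRITY']},
  };
  for (final required in ['MEETS_DEVICE_INTEGRITY', 'MEETS_BASIC_INTEGRITY']) {
    final d = evaluateVerdict(basicOnly,
        expectedPackage: 'com.example.app', requiredDeviceLabel: required);
    print('$required -> accepted=${d.accepted} ${d.reasons}');
  }
}
```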