Level Up Your Flutter App Security: How to add Firebase App Check

Firebase App Check is a security feature offered by Google Firebase that helps protect your Flutter app from unauthorized access and abuse. It works by verifying that incoming requests to your app's backend resources (like databases, storage, or custom APIs) originate from your legitimate app and not from a malicious source.

Basically it makes sure that the firebase cloud requests that you are receiving are originating from your app. Not from a bad actor that wants to run your cloud bill up.

Here's how to set it up.

Step 1: Make sure that your Flutter apps are connected to firebase.

If you want to know how to do that: I wrote a comprehensive article on connecting your Flutter apps to Firebase.

After we are done connecting this is how our main() should look like:

void main() async {
  // Ensure that Firebase is initialized
  // Initialize Firebase
  await Firebase.initializeApp(options: DefaultFirebaseOptions.currentPlatform);

  runApp(const MyApp());

Step 2: Add Firebase App Check plugin to your pubspec.yaml

We are going to install firebase_app_check plugin to activate app check later.

\==Note: Run the following command from inside your project directory.==

flutter pub add firebase_app_check

This is my terminal output:

This is my updated pubspec.yaml :

Do note that your version might be different from mine as Firebase tends to update their plugins regularly.

Step 3: Activate App Check on Firebase

Go to your Firebase console and click on all products and select App Check.

After that click on Get started on App Check:

Now you'll see the option to register app check on all the apps that are connected to your firebase.

Step 4: Registering Android

  1. First we are going to start with Android.

  2. When I click on the register button for android I get the following two options:

  1. \==We should choose Play Integrity as SafetyNet has been deprecated.==

  2. When I select Play Integrity it'll ask us for the SHA-256 certificate fingerprint of our android app:

  3. So here's how we generate SHA-256 for our android app:

    1. Go to your project root directory in your terminal and run the following command:

      cd android

    2. Now that we are in the android folder we'll have to generate signing report. So we can just run the following command:

      ./gradlew signingReport

    3. It should take a few minutes but in the end you'll get your SHA-1 and SHA-256.

    4. Here's the output from my terminal when I run the above command:

    5. You'll see a variants like debug, release profile, debugAndroidTest and so on ...

    6. But you can copy the values from any one of them because they are all the same.

  4. Paste SHA-256 into Firebase App Check:

  5. After that you can hit Save. Also if you want can decrease the Token time to live depending on your preferences.

  6. Finally Our Android is registered 🎉

  1. Important: Make sure to register your SHA keys for the app inside project settings.

    1. Let's go to project settings for our firebase console.

You can see all the apps connected in our Firebase. Let's select our android app:

  1. Click on Add fingerprint and add our SHA-1 key as well from our terminal

  2. So this should be the end result.

  1. Important: When you release the app on Google Play Store change these keys with the ones you get from Google Play Signing.

Step 5: Registering iOS

  1. Prerequisite: In iOS we have both Device Check and App Attest. We'll be using them both. In order to have that you'd need an  Active Apple Developer Account.

  2. App Attest:

    1. So when we tap on the iOS section in App Check we see the following two options:

  1. We'll be use App Attest as it offers us more granular control. But App Attest requires your Team ID which you'd get from a paid Apple Developer Account:

  1. You can get your Team ID by going to Your Apple Developer Account. Over When you scroll down you should find your Team ID under Membership Details:

  2. Once you get the Team ID. You can paste it in here and register the app.

  3. After setting it up we need to configure App Attest in Xcode:

  4. Open your app it Xcode and add App Attest in it's capability

  5. To make the App attest work we need to set the App Attest Environment in the ==.entitlements== to production

  1. Device Check:

    1. When we click on the Device check in the Firebase App Check, we can see that we need to enter Auth Key, Key ID and Team ID information.

    2. Now let's generate one by one

    3. As I said to generate an Auth Key, we need an Apple developer account. If you have an account you can get generate auth keys from the Apple Developer keys page.

  1. After clicking "Create a Key", you can enter any Key Name and then enable the Device check option.

  2. Now proceed with clicking on the Continue button and finally click on the Register button.

  3. \==Remember that we can download the key only once. So make sure to store it in a secure place.==

  4. Once downloaded, make sure to add it to your Firebase and click on save. 6.Finally you should be able to see both your apps registered under you app check 🎉🎉:

Step 6: Setup App Check in our Flutter App:

  1. In main() go ahead and add the following code:
void main() async {
  // Ensure that Firebase is initialized
  // Initialize Firebase
  await Firebase.initializeApp(options: DefaultFirebaseOptions.currentPlatform);

  await FirebaseAppCheck.instance.activate(  
    appleProvider: kDebugMode  
        ? AppleProvider.debug  
        : AppleProvider.appAttestWithDeviceCheckFallback,  
    kDebugMode ? AndroidProvider.debug : AndroidProvider.playIntegrity);

  runApp(const MyApp());

And that's it your Firebase App Check is setup and should be working. Now you can be rest assured that every API call that you encounter on your Firebase is going to be from an authorized user using your app.

Did you find this article valuable?

Support Harish Kunchala by becoming a sponsor. Any amount is appreciated!