I would like to add Firebase AppCheck to my mobile app to protect my backend (not Firebase services). I want to use Google Play Integrity provider (default one).
I know that Firebase AppCheck for Android is a wrapper around Google Play Integrity. It prepares "nonce" and callsrequestIntegrityToken method to fetch "integrity verdicts". But these verdicts are not included in Firebase AppCheck Token which I pass to my custom backend. I read the source code of Firebase Android SDK and Firebase Admin SDK for NodeJS and I saw that Firebase Admin SDK uses https://firebase.google.com/docs/reference/appcheck/rest/v1/projects.apps/exchangePlayIntegrityToken method to exchange "Google Play Integrity token" for Firebase AppCheck Token. And in that place we lost information about "integrity verdicts".
In Google Play Console there are given settings:
Why MEETS_DEVICE_INTEGRITY value cannot be deleted? How these values are considered by Firebase AppCheck? Let's say I checked all values in Google Play Console ("MEETS_STRONG_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY") and Google Play Integrity returns only one value: "MEETS_DEVICE_INTEGRITY". How Firebase AppCheck treats this verdicts? Is it valid or not? Does Firebase AppCheck return validated AppCheck Token or not?
Related
So I have an android app that must interface with a google sheet (both reading and writing data). The Java quickstart guide: google sheet quick start for java has been a good resource but I'd like to do this with firebase if at all possible because that's what the iOS version of this app uses. Is it possible to get the proper credentials from firebase to interface with google sheets in this way? Thanks!!
Users in Firebase Authentication are identified by an ID token, which is not a valid sign-in mechanism for Google Sheets (and other parts of Google docs) - which requires an OAuth based sign-in token.
The only variant that could work is if you sign in to Firebase with a Google account, and capture the OAuth token for that Google account and use it to access Google Sheets.
Also see:
my answer here: User Google Api with Firebase auth.
How to use Firebase IdToken to generate OAuth Access for Google drive?
In our project we're using safetynet for attestation, but we need to migrate project into google play integrity API because safetynet is deprecated. We're not using google play to distribute our app, so I need to link our app with project on google cloud.
Linking is available only with using google cloud project number which I need to pass with setCloudProjectNumber() method in my request.
And this is my doubt - linking app with google play integrity ONLY with google cloud project number. Not with using firebase, nor with generated api key from google cloud restricted to Google Play Integrity API.
I noticed that using play integrity requests consume my requests daily limit (10000) to google play integrity API what I can check here.
My question is:
Is this the only protection - knowing google cloud project number - to prevent using someone else's requests limit to google play integrity API?
I checked google documentation, but I cannot found information about requests limit protection. The only thing I found is a form to request Google for increase the limit - form.
Imo, I didn't understand something and Google Play Integrity service limit for my project is protected by something else, not only by number.
I tried to disconnect my app with firebase by using different package name, but my request limit was still consumed when I was sending requests to Google Play Integrity API.
I have an Android application which uses Integrity API with Google Cloud. This method is described here.
I need to implement server side offline verification for JWE token which requires decryption and verification keys from Play console. An example of verification.
Documentation also says, that for local verification I should get keys from Play console. As long as Integrity API token generation is on Google Cloud side right now, how can I obtain required keys?
If you app is distributed outside of Play, I am afraid there is no option for the local decryption and verification.
I'm trying to implement Google sign-in through Firebase according to this documentation https://firebase.google.com/docs/auth/android/google-signin. I got stuck on a problem with SHA-1 certificates and generating web client Id.
problem is with steps 4. If you haven't yet specified your app's SHA-1 fingerprint, do so from the Settings page of the Firebase console. See Authenticating Your Client for details on how to get your app's SHA-1 fingerprint.
and You must pass your server's client ID to the requested token method. To find the OAuth 2.0 client ID:
Open the Credentials page in the API Console.
Since I added my SHA-1 for my project in Firebase I can not do the same in Google API Console - it gives me exception with duplicate entries for App package and SHA-1. I tried to enter them one way or the other but either Firebase or Google API console gives me this error. What is the proper way to solve this?
well for those who get stuck at the same thing - once you enable Google sign-in in Firebase console, it generates it's own Web client Id, so you don't have to create credentials in Google API Console
I have seen many post about firebase with google sign-in. In google's tutorial for google sign-in for android project, it does not use firebase but on many post people use firebase with google sign-in. What is the advantage of using firebase and when and why we need to use it?
Authenticate users by integrating with federated identity providers. The Firebase Authentication SDK provides methods that allow users to sign in with their Google, Facebook, Twitter, and GitHub accounts.
With Firebase the users will be authenticated and you will have access to the firebase database/cloud functions and other services. So its better to use firebase with google sign in. Basically to make it easier for you after sign in.
Top two reasons for using Firebase:
You want your users to have option to login with any social media platform but do not want separate dashboards since its hard to get proper analytics.
Firebase has introduced something amazing called cloud functions which will allow to have your server side script to be hosted on Firebase. You would generally want the token given to you through authentication to be stored in your server and database. Firebase is now providing both so having everything in the same place does help. I basically brought down the release time for a decently complicated app from 14 days to 6 days using a combination of these two.