firebase-android-sdk: Can't pass appcheck outside play store after migrating from safetynet to play integrity
[READ] Step 1: Are you in the right place?
[REQUIRED] Step 2: Describe your environment
- Android Studio version: 2022.1.1 Patch 2
- Firebase Component: AppCheck
- Component version: BOM 31.2.2
[REQUIRED] Step 3: Describe the problem
We’re having issues at our company after migrating AppCheck from SafetyNet to the PlayIntegrity provider. Before the migration, our testers had been able to run the app built from firebase using SafetyNet without manual token input as we (developers) do with DebugProvider. We tried to upload our develop app into play console internal testing, but that didn’t help. We’ve used the same SHA keys which were generated at play console. So, it seems that play integrity appcheck currently works only with a production app which must be published on play store.
Is this intended logic, and are there any solutions for apps outside play store which are not yet published to pass AppCheck without manual token input? That’s very inconvenient for our testers. It’s a major problem for us as safetynet gets discontinued in June 2023. Here are some additional issues regarding this topic on stackoverflow:
- https://stackoverflow.com/questions/72631258/android-app-check-play-integrity-not-work
- https://stackoverflow.com/questions/74992711/google-play-integrity-api-invalid-app-check-token-error-after-adding-app-to-fi
Steps to reproduce:
- Use PlayIntegrityAppCheckProviderFactory for AppCheck
- Run app build from firebase
- Result:
```
pc_0 - Detected invalid AppCheck token. Reconnecting (2 attempts remaining)
pc_0 - Detected invalid AppCheck token. Reconnecting (1 attempts remaining)
pc_0 - Detected invalid AppCheck token. Reconnecting (0 attempts remaining)
pc_0 - Firebase Database connection was forcefully killed by the server. Will not attempt reconnect. Reason: Invalid appcheck token
```
Relevant Code:
Before (debug for developers and safety net for other cases):
```kotlin
private fun setCheckProviders(firebaseAppCheck: FirebaseAppCheck) {
    if (BuildConfig.DEBUG) {
        // Debug builds: debug provider, token registered manually
        firebaseAppCheck.installAppCheckProviderFactory(DebugAppCheckProviderFactory.getInstance())
    } else {
        // All release builds: SafetyNet attestation
        firebaseAppCheck.installAppCheckProviderFactory(SafetyNetAppCheckProviderFactory.getInstance())
    }
}
```
Wanted (debug for developers, play integrity for other cases):
```kotlin
private fun setCheckProviders(firebaseAppCheck: FirebaseAppCheck) {
    if (BuildConfig.DEBUG) {
        // Debug builds: debug provider, token registered manually
        firebaseAppCheck.installAppCheckProviderFactory(DebugAppCheckProviderFactory.getInstance())
    } else {
        // All release builds: Play Integrity attestation
        firebaseAppCheck.installAppCheckProviderFactory(PlayIntegrityAppCheckProviderFactory.getInstance())
    }
}
```
Now (debug for developers, safetynet for testers, play integrity for public play store):
```kotlin
private fun setCheckProviders(firebaseAppCheck: FirebaseAppCheck) {
    if (BuildConfig.DEBUG) {
        firebaseAppCheck.installAppCheckProviderFactory(DebugAppCheckProviderFactory.getInstance())
    } else { // it's release
        if (BuildConfig.FLAVOR_env.isDevEnv() || BuildConfig.FLAVOR_env.isUatEnv()) {
            // Dev/UAT release builds for testers: SafetyNet
            firebaseAppCheck.installAppCheckProviderFactory(SafetyNetAppCheckProviderFactory.getInstance())
        } else {
            // Public Play Store release: Play Integrity
            firebaseAppCheck.installAppCheckProviderFactory(PlayIntegrityAppCheckProviderFactory.getInstance())
        }
    }
}
```
About this issue
- State: closed
- Created a year ago
- Reactions: 3
- Comments: 17 (7 by maintainers)
I am facing the same issues with the migration. SafetyNet would validate test devices (not emulators), so we never felt the need to even install the debug library on the staging environment. I think the issue would be mitigated by providing the option to set a fixed debug token, as is permitted on the iOS version of the library. It has been asked here
We don’t need any manual process when using safetynet. That’s the issue here, because it’s being discontinued and we lose this automation. PlayIntegrity doesn’t suit us because we won’t publish our develop builds on play store for appcheck to pass.
So it turns out these additional cases don’t work and we must make sure the first two steps are intact for play integrity appcheck to work.