firebase-ios-sdk: AppCheck not working on new iPhone 14

Description

When AppCheck was released we updated our app to use it, and it's been working perfectly.

But just recently, when some of our customers have upgraded their phones to the new iPhone 14, when they run our app it does not show any data from Firestore, whereas on the older phone it did.

The app has min 15.0.0 iOS set, and I don’t think it's an iOS version issue, for older phones running iOS 16.1.2 work OK.

Checking the App Check API for Cloud Firestore, it does show “unverified: invalid requests” when the user runs our app.

What is strange is that if I connect the iPhone to my computer and run the app from Xcode it does work OK. This is using a different Firebase project than the production app from the App Store, but both projects are configured the same.

Does AppCheck support the latest phones from Apple?

Reproducing the issue

Code in app

    let providerFactory = YourAppCheckProviderFactory()
    AppCheck.setAppCheckProviderFactory(providerFactory)

    class YourAppCheckProviderFactory: NSObject, AppCheckProviderFactory {
      func createProvider(with app: FirebaseApp) -> AppCheckProvider? {
        return AppAttestProvider(app: app)
      }
    }

Firebase SDK Version

9.6.0

Xcode Version

14.1

Installation Method

Swift Package Manager

Firebase Product(s)

App Check

Targeted Platforms

iOS

Relevant Log Output

No response

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 2
  • Comments: 22 (10 by maintainers)

Most upvoted comments

I have had what I think is the same problem with my app, which uses App Attest but not Device Check. Users complain that it isn’t working after they restore from an iCloud backup onto a new device (not just iPhone 14). Deleting and reinstalling the app solves the problem.

Reproducing it today I find that after reinstalling an iPhone 8 Plus from an iCloud backup, within AppCheck.token(), FIRAppAttestProvider.attestationState() passes through all checks and returns a state of FIRAppAttestAttestationStateKeyRegistered, then ultimately fails on the call to DCAppAttestService.attestKey(), returning DCError.invalidKey, which is documented by Apple to occur “for a key that’s already been attested”.

After reinstalling the app, FIRAppAttestProvider.attestationState() returns a state of FIRAppAttestAttestationStateSupportedInitial, and ultimately succeeds.

Without analysing fully, I am guessing there is some issue with state retained via NSUserDefaults (which would be retained across iCloud restore) vs the keychain (which would not be).

I have yet to confirm but a hacky workaround would be, upon seeing this failure, to remove relevant entries from NSUserDefaults and call AppCheck.token() again.

This all seems consistent with what @michaelscampbell was saying above. I look forward to a fix. Let me know if you need more info.

@ncooke3 We saw issues with AppCheck for users of our own app and during our investigation we concluded the problem lies with the scenarios highlighted in the quoted Apple documentation. In particular, (1) device migration (an example is an issue we saw with a user migrating from iPhone 13 to iPhone 14) and (2) restoration (an example is an issue we saw with an iPhone 8 user restoring an offloaded app).

Since Ian mentioned his issue occurred with existing users who upgraded their phones, it sounded to me like it could be the device migration issue that we had seen. Naturally, I might be wrong. Since installing from Xcode puts the app on the phone in a different way than device migration and restoration that could explain why installing from Xcode works for Ian. We saw that Xcode installs did NOT have a problem with AppCheck – the bug was only tickled by migration and restoration.

I’ve noticed that Firebase’s implementation of AppCheck does not correctly handle device migration/restoration.

Per Apple’s DeviceCheck documentation: “The keys that you generate remain valid through regular app updates, but don’t survive app reinstallation, device migration, or restoration of a device from a backup. In these cases, you need to start the process from the beginning and generate a new key.”

https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity
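
The recovery Apple's documentation describes (start over with a new key when the old one no longer exists), as an added example that is not Firebase SDK code and not from any commenter in this thread. The class name, the UserDefaults key and the retry-once policy are assumptions; only the DeviceCheck calls are Apple's API.

```swift
import DeviceCheck
import Foundation

// Added example, not Firebase SDK code. Type name and UserDefaults key are hypothetical.
final class AttestationFlow {
    typealias Completion = (Result<(keyID: String, attestation: Data), Error>) -> Void

    private let service = DCAppAttestService.shared
    private let defaults = UserDefaults.standard
    private let keyIDKey = "example.appAttest.keyID" // assumed storage location

    /// `challengeHash` is the SHA-256 of a one-time challenge issued by your server.
    func attest(challengeHash: Data, retryOnInvalidKey: Bool = true, completion: @escaping Completion) {
        guard service.isSupported else {
            return completion(.failure(DCError(.featureUnsupported)))
        }
        guard let keyID = defaults.string(forKey: keyIDKey) else {
            // No stored key ID: start the process from the beginning.
            return generateKeyThenAttest(challengeHash: challengeHash, retry: retryOnInvalidKey, completion: completion)
        }
        service.attestKey(keyID, clientDataHash: challengeHash) { [self] attestation, error in
            if let attestation = attestation {
                return completion(.success((keyID: keyID, attestation: attestation)))
            }
            if let dcError = error as? DCError, dcError.code == .invalidKey, retryOnInvalidKey {
                // The stored key ID survived a restore or migration but the key did not
                // (or the key was already attested). Discard it and regenerate once.
                defaults.removeObject(forKey: keyIDKey)
                return generateKeyThenAttest(challengeHash: challengeHash, retry: false, completion: completion)
            }
            completion(.failure(error ?? DCError(.unknownSystemFailure)))
        }
    }

    private func generateKeyThenAttest(challengeHash: Data, retry: Bool, completion: @escaping Completion) {
        service.generateKey { [self] keyID, error in
            guard let keyID = keyID else {
                return completion(.failure(error ?? DCError(.unknownSystemFailure)))
            }
            defaults.set(keyID, forKey: keyIDKey)
            attest(challengeHash: challengeHash, retryOnInvalidKey: retry, completion: completion)
        }
    }
}
```

The server side has to verify the new attestation and replace the key it holds on record for that install, otherwise assertions signed with the new key will still be rejected.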

No I don’t, but will run it again within the next day or two to check.


From: Nick Cooke
Sent: Friday, February 17, 2023 6:01:19 PM
To: firebase/firebase-ios-sdk
Cc: Simon Pickup; Mention
Subject: Re: [firebase/firebase-ios-sdk] AppCheck not working on new iPhone 14 (Issue #10561)

@sjpickup, got it.

But do you recall how the state transitioned from FIRAppAttestAttestationStateKeyRegistered to FIRAppAttestAttestationStateKeyRegistered?

Thank you @michaelscampbell for sharing-- that’s really good to know! I agree that it could be related here.

@ian-sayles, that’s good that it is now working. Since there were no SDK changes, it makes me think that it could be even more an Apple issue. I don’t think the TTL would cause this type of issue, but I’m going to check with the AppCheck backend team to verify for you.