This page shows you how to enable App Check in an Android app, using the
built-in Play Integrity provider. When you enable App Check, you help ensure
that only your app can access your project's Firebase resources. See an
Overview
of this feature.
Currently, the built-in Play Integrity provider only supports Android apps
distributed by Google Play. To use Play Integrity's off-Play features, or to use
App Check with your own custom provider, see
Implement a custom App Check provider
.
1. Set up your Firebase project
Add Firebase to your Android project
if you haven’t
already done so.
Enable the Play Integrity API:
In the
Google Play Console
,
select your app, or add it if you haven't already done so.
In the
Release
section, click
App integrity
.
Go to the
Play Integrity API
section of the page, click
Link Cloud project
,
then select your Firebase project from the list of Google Cloud projects.
The project you select here must be the same Firebase project as the one
in which you register your app (see the next step).
Register your apps to use App Check with the Play Integrity provider in
the
App Check
section of
the Firebase console. You will need to
provide the SHA-256 fingerprint
of your app's signing certificate.
You usually need to register all of your project's apps, because once you
enable enforcement for a Firebase product, only registered apps will be able
to access the product's backend resources.
Optional
: In the app registration settings, set a custom time-to-live
(TTL) for App Check tokens issued by the provider. You can set the TTL
to any value between 30 minutes and 7 days. When changing this value, be
aware of the following tradeoffs:
- Security: Shorter TTLs provide stronger security, because it reduces the
window in which a leaked or intercepted token can be abused by an
attacker.
- Performance: Shorter TTLs mean your app will perform attestation more
frequently. Because the app attestation process adds latency to network
requests every time it's performed, a short TTL can impact the performance
of your app.
- Quota and cost: Shorter TTLs and frequent re-attestation deplete your
quota faster, and for paid services, potentially cost more.
See
Quotas & limits
.
The default TTL of
1 hour
is reasonable for most apps. Note that the App Check library refreshes
tokens at approximately half the TTL duration.
2. Add the App Check library to your app
In your
module (app-level) Gradle file
(usually
<project>/<app-module>/build.gradle.kts
or
<project>/<app-module>/build.gradle
),
add the dependency for the App Check library for Android. We recommend using the
Firebase Android BoM
to control library versioning.
dependencies {
// Import the BoM for the Firebase platform
implementation(platform("com.google.firebase:firebase-bom:32.8.1"))
// Add the dependencies for the App Check libraries
// When using the BoM, you don't specify versions in Firebase library dependencies
implementation("com.google.firebase:firebase-appcheck-playintegrity")
}
By using the
Firebase Android BoM
,
your app will always use compatible versions of Firebase Android libraries.
(Alternative)
Add Firebase library dependencies
without
using the BoM
If you choose not to use the Firebase BoM, you must specify each Firebase library version
in its dependency line.
Note that if you use
multiple
Firebase libraries in your app, we strongly
recommend using the BoM to manage library versions, which ensures that all versions are
compatible.
dependencies {
// Add the dependencies for the App Check libraries
// When NOT using the BoM, you must specify versions in Firebase library dependencies
implementation("com.google.firebase:firebase-appcheck-playintegrity:17.1.2")
}
Looking for a Kotlin-specific library module?
Starting in
October 2023
(Firebase BoM 32.5.0)
, both Kotlin and Java developers can
depend on the main library module (for details, see the
FAQ about this initiative
).
3. Initialize App Check
Add the following initialization code to your app so that it runs before you use
any other Firebase SDKs:
Kotlin+KTX
Firebase.initialize(context = this)
Firebase.appCheck.installAppCheckProviderFactory(
PlayIntegrityAppCheckProviderFactory.getInstance(),
)
Java
FirebaseApp.initializeApp(/*context=*/ this);
FirebaseAppCheck firebaseAppCheck = FirebaseAppCheck.getInstance();
firebaseAppCheck.installAppCheckProviderFactory(
PlayIntegrityAppCheckProviderFactory.getInstance());
Next steps
Once the App Check library is installed in your app, start distributing the
updated app to your users.
The updated client app will begin sending App Check tokens along with every
request it makes to Firebase, but Firebase products will not require the tokens
to be valid until you enable enforcement in the App Check section of the
Firebase console.
Monitor metrics and enable enforcement
Before you enable enforcement, however, you should make sure that doing so won't
disrupt your existing legitimate users. On the other hand, if you're seeing
suspicious use of your app resources, you might want to enable enforcement
sooner.
To help make this decision, you can look at App Check metrics for the
services you use:
Enable App Check enforcement
When you understand how App Check will affect your users and you're ready to
proceed, you can enable App Check enforcement:
Use App Check in debug environments
If, after you have registered your app for App Check, you want to run your
app in an environment that App Check would normally not classify as valid,
such as an emulator during development, or from a continuous integration (CI)
environment, you can create a debug build of your app that uses the
App Check debug provider instead of a real attestation provider.
See
Use App Check with the debug provider on Android
.