How secure is Flutter and AppCheck? [closed]

If I have AppCheck enabled, how would it be possible for an attacker to make any Firebase call they want? What other vulnerabilities exist even with AppCheck enabled on a mobile app?



Solution 1:[1]

Firebaser here!

Please see How strong is the security provided by App Check? in our documentation for a high level description of the security offered by App Check.

App Check is only as strong as the underlying attestation provider (such as SafetyNet/Play Integrity on Android, DeviceCheck/App Attest on iOS, or reCAPTCHA on Web). If an attacker can bypass the security of the attestation providers (such as tricking reCAPTCHA into believing they are not a bot, or tricking SafetyNet into believing a rooted device is legitimate), they can abuse that vector to make calls against your API.

Additionally, App Check intentionally allows for limited time-bound replay (configured by the TTL on the App Check token). This allows you to use a single attestation to protect multiple API calls. However, if an attacker uses a legitimate device to obtain a valid App Check token and then somehow intercepts that token (by either rooting the device or sniffing their network traffic), they can use the token to make calls against your API until it expires. However, the cost of performing this attack generally outweighs any benefits, and it becomes very costly and infeasible to perform at scale.

This is all assuming App Check is not only enabled but also enforced, and you are using it in conjunction with secure user authentication and rigorous authorization logic such as well defined Firebase Security Rules.
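The answer's two defensive points, that a leaked App Check token is usable only until its TTL expires and that App Check must be enforced and combined with real user authentication, can be applied server-side as a policy layer. The following is an added example, not code from the answer or from Firebase: it assumes the token signature has already been verified by the Firebase Admin SDK (`getAppCheck().verifyToken()`), whose decoded claim shape (`app_id`, `sub`, `iat`, `exp`, seconds since epoch) the constructed sample mirrors; the `policy` object, `MODE`, and the function names are this example's own.

```javascript
// Policy applied AFTER firebase-admin has verified the App Check token's signature.
// Claim shapes follow DecodedAppCheckToken (assumption); the SDK call itself is not
// performed here so the example runs offline on constructed claims.
const MODE = { MONITOR: "monitor", ENFORCE: "enforce" };

// policy: { mode, maxTokenAgeSec, allowedAppIds }
function evaluateAppCheck(decoded, policy, nowSec) {
  const problems = [];
  if (!decoded) {
    problems.push("missing_app_check_token");
  } else {
    if (!policy.allowedAppIds.includes(decoded.app_id)) problems.push("unknown_app_id");
    if (decoded.exp <= nowSec) problems.push("expired");
    // Replay window: a leaked token stays valid until exp. Requiring a recent iat
    // shrinks that window below the TTL configured for the token.
    if (nowSec - decoded.iat > policy.maxTokenAgeSec) problems.push("stale_token");
    if (decoded.iat > nowSec + 60) problems.push("issued_in_future"); // clock-skew bound
  }
  // "Enabled but not enforced" = monitor mode: problems are logged, request still allowed.
  const allow = problems.length === 0 || policy.mode === MODE.MONITOR;
  return { allow, problems, logged: problems.length > 0 };
}

// authUid: uid from an already-verified Firebase Auth ID token, or null.
function authorizeRequest({ appCheckClaims, authUid }, policy, nowSec) {
  const ac = evaluateAppCheck(appCheckClaims, policy, nowSec);
  // App Check attests "a genuine build of my app sent this"; it says nothing about
  // who the user is, so the request still needs an authenticated identity.
  if (!authUid) return { allow: false, reason: "unauthenticated", appCheck: ac };
  if (!ac.allow) return { allow: false, reason: "app_check_rejected", appCheck: ac };
  return { allow: true, reason: "ok", appCheck: ac };
}

// Constructed sample claims and policy (not real tokens or app ids).
const NOW = 1700000000;
const freshClaims = {
  app_id: "1:000000000000:android:example", sub: "1:000000000000:android:example",
  iat: NOW - 120, exp: NOW + 3480,
};
const policy = { mode: MODE.ENFORCE, maxTokenAgeSec: 600, allowedAppIds: [freshClaims.app_id] };

console.log(authorizeRequest({ appCheckClaims: freshClaims, authUid: "uid_1" }, policy, NOW).reason);
```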

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1: Frank van Puffelen