I would like to know if my Firebase Backend (Firestore and Cloud Functions) is safe by using App Check if my Flutter App (iOS/Android) is reverse engineered.
I imagine the App Check is client based. If the client is reverse engineered, then the backend wouldn't know if it's "my" client or the "bad" client which was reverse engineered?
CodePudding user response:
App Check works with so-called attestation providers on each supported platform to attest that API calls come from your genuine code on a genuine device. These providers are at this point quite well vetted on both iOS and Android, and are getting better on Web.
But there is still a potential for abuse, even when you use App Check. That's why you should always combine App Check with other security measures, such as the server-side security rules that exist for Firestore (since you tagged with that) and other Firebase products.
I recommend also checking out:
- How strong is the security provided by App Check?
- Is it safe to expose Firebase apiKey to the public?
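Added example, not part of the answer above and not Firebase's own code: the layered server-side checks the answer recommends, written as a pure function so it runs offline. The request shape is modelled on a firebase-functions v2 callable request; `ownerUid`, the note document and the length limit are hypothetical.

```javascript
// Constructed request shape modelled on a firebase-functions v2 callable request:
// `app` is present only when a valid App Check token accompanied the call,
// `auth` only when a valid Firebase Auth ID token did. `data` is client-controlled.
// In a deployed function, onCall({ enforceAppCheck: true }, handler) rejects
// calls without a valid App Check token before the handler runs.

const MAX_TEXT_LENGTH = 2000; // hypothetical limit

function deny(code, reason) {
  return { allowed: false, code, reason };
}

// storedNote is the document as read server-side (hypothetical field: ownerUid).
function authorizeNoteUpdate(request, storedNote) {
  // 1. App Check: attests the calling app and device, says nothing about the user.
  if (!request.app) return deny("failed-precondition", "no verified App Check token");
  // 2. Authentication: who is calling.
  if (!request.auth) return deny("unauthenticated", "sign-in required");
  // 3. Authorization from server-side state, never from an owner id in request.data.
  if (!storedNote || storedNote.ownerUid !== request.auth.uid) {
    return deny("permission-denied", "caller does not own this note");
  }
  // 4. Input validation: an attested app can still send malformed data.
  const text = request.data ? request.data.text : undefined;
  if (typeof text !== "string" || text.length === 0 || text.length > MAX_TEXT_LENGTH) {
    return deny("invalid-argument", "text must be 1..2000 characters");
  }
  return { allowed: true, code: "ok", reason: "all checks passed" };
}

// Constructed sample data.
const note = { ownerUid: "alice", text: "old" };
const attested = { appId: "1:123:android:abc" };
const samples = [
  ["no App Check token", { auth: { uid: "alice" }, data: { text: "hi" } }],
  ["attested app, not signed in", { app: attested, data: { text: "hi" } }],
  ["attested app, other user", { app: attested, auth: { uid: "bob" }, data: { text: "hi", ownerUid: "bob" } }],
  ["attested app, owner, bad input", { app: attested, auth: { uid: "alice" }, data: { text: 42 } }],
  ["attested app, owner, valid", { app: attested, auth: { uid: "alice" }, data: { text: "hi" } }],
];
for (const [label, request] of samples) {
  console.log(`${label}: ${authorizeNoteUpdate(request, note).code}`);
}
```

The third sample is the case App Check alone cannot catch: the call comes from an attested app, yet the signed-in user does not own the document.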
CodePudding user response:
I would say yes, and it must be used. I recommend checking this out for a better and easier implementation: firebase-app-check