AppCheck security clarification


Kane Jeong

Jan 12, 2023, 8:26:21 PM
to Firebase Google Group
Hello all,

From my understanding, AppCheck allows you to verify that requests are coming from an app that you (the developer / company) whitelist through an attestation provider. 

When protecting custom backend solutions, we are advised to pass up the App Check token via a header (i.e. X-Firebase-AppCheck) and verify the token in the backend with the Admin SDK. I have this working, but the main question I have:

Can't someone inspect their own network traffic and see this header? Then they can just copy the token and impersonate the app. How does this guarantee the requests are coming from the app itself?

Am I missing something? Is it simply a mitigation tool? Doesn't seem that difficult to bypass.
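As an added example (it is not code from this thread or from Firebase), here is a framework-agnostic guard for the server side of the flow described above: read the X-Firebase-AppCheck header, verify the token, and decide. The verifier is injected so the file runs offline; the fake verifier, the app IDs and the token strings are all constructed. In production the injected function would wrap firebase-admin's `getAppCheck().verifyToken(token, { consume: true })` (and the guard would `await` it), whose result carries `appId` and, when consumption is requested, `alreadyConsumed`, which is the check that catches a valid token copied out of inspected traffic and sent a second time.

```javascript
// Added example (not from the thread or from Firebase): a server-side guard
// for the X-Firebase-AppCheck header on a custom backend. The token verifier
// is injected so this file runs offline; in production it would wrap
// firebase-admin's getAppCheck().verifyToken(token, { consume: true }) and
// the guard would await it.
const APP_CHECK_HEADER = "x-firebase-appcheck"; // Node lower-cases header names

// App IDs this backend is willing to serve (constructed sample values).
const ALLOWED_APP_IDS = new Set(["1:000000000000:web:constructedappid"]);

// Build a guard. verifyToken(token) must return { appId, alreadyConsumed }
// or throw for a token that fails signature/expiry/audience checks.
function createAppCheckGuard(verifyToken, allowedAppIds = ALLOWED_APP_IDS) {
  return function guard(req) {
    const token = req.headers[APP_CHECK_HEADER];
    // 1. The header must be present: a client that never ran attestation is rejected.
    if (typeof token !== "string" || token.length === 0) {
      return { status: 401, body: { error: "missing App Check token" } };
    }
    // 2. The token must verify (signature, expiry, audience). A token that was
    //    invented or edited after reading one's own traffic fails here.
    let claims;
    try {
      claims = verifyToken(token);
    } catch (_err) {
      return { status: 401, body: { error: "invalid App Check token" } };
    }
    // 3. The token must belong to one of the apps this backend serves.
    if (!allowedAppIds.has(claims.appId)) {
      return { status: 403, body: { error: "app not allowed" } };
    }
    // 4. Replay: a genuine token copied from captured traffic and sent again
    //    is reported by the verifier as already consumed.
    if (claims.alreadyConsumed) {
      return { status: 401, body: { error: "App Check token already used" } };
    }
    return { status: 200, body: { ok: true, appId: claims.appId } };
  };
}

// Offline stand-in for the Admin SDK verifier (constructed). It accepts only
// tokens in the supplied map and remembers which ones it has already consumed.
// A real deployment keeps consumption state server-side, not in process memory.
function makeFakeVerifier(validTokens) {
  const consumed = new Set();
  return function verify(token) {
    const appId = validTokens.get(token);
    if (appId === undefined) throw new Error("token failed verification");
    const alreadyConsumed = consumed.has(token);
    consumed.add(token);
    return { appId, alreadyConsumed };
  };
}

// Walk a guard through the cases raised in the question and collect the statuses.
function demo() {
  const goodToken = "constructed.valid.token";
  const verify = makeFakeVerifier(new Map([
    [goodToken, "1:000000000000:web:constructedappid"],
    ["other.app.token", "1:999999999999:web:someoneelse"],
  ]));
  const guard = createAppCheckGuard(verify);
  return {
    missing: guard({ headers: {} }).status,                                   // 401
    forged: guard({ headers: { [APP_CHECK_HEADER]: "made.up.token" } }).status, // 401
    wrongApp: guard({ headers: { [APP_CHECK_HEADER]: "other.app.token" } }).status, // 403
    first: guard({ headers: { [APP_CHECK_HEADER]: goodToken } }).status,      // 200
    replay: guard({ headers: { [APP_CHECK_HEADER]: goodToken } }).status,     // 401
  };
}

console.log(demo());
```

The order of the checks matters: presence, then cryptographic validity, then the app allow-list, then replay, so each rejection reason is distinct in logs. Consuming tokens costs an extra call per request in the Admin SDK, so it is usually reserved for the sensitive endpoints rather than applied to every route; without it, a copied token remains usable until it expires, which is the limit the question points at.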

Laurent Payot

Jan 16, 2023, 7:00:25 PM
to Firebase Google Group
@Kane I came to the same conclusion as you…