Hello all,
From my understanding, App Check allows you to verify that requests are coming from an app that you (the developer / company) whitelist through an attestation provider.
When protecting custom backend solutions, we are advised to pass up the App Check token via a header (i.e. X-Firebase-AppCheck) and verify the token in the backend with the Admin SDK. I have this working, but the main question I have:
Can't someone inspect their own network traffic and see this header? Then they can just copy the token and impersonate the app. How does this guarantee the requests are coming from the app itself?
Am I missing something? Is it simply a mitigation tool? Doesn't seem that difficult to bypass.