Tags: android, firebase, firebase-app-check, safetynet, google-play-integrity-api

App Check & Play Integrity with a custom backend


We're using SafetyNet Attestation API in our Android app and now planning to migrate to App Check / Play Integrity API since SafetyNet has been deprecated.

As far as I understand from the docs, the flow remains pretty much the same: you request a token/attestation from the SDK and then send it along with all requests to your trusted back-end (as an HTTP header, for instance), everything else is handled there.

The tricky thing here is how to obtain the token on the client side: documentation mentions two different ways of doing that. The first and probably the "main" one is described in "Protecting non-Firebase resources" doc:

    import com.google.firebase.appcheck.FirebaseAppCheck

    // forceRefresh = false: reuse a cached token while it is still valid
    FirebaseAppCheck.getInstance()
        .getAppCheckToken(false)
        .addOnSuccessListener { tokenResponse ->
            val appCheckToken = tokenResponse.token
            // yourExampleBackendService is the doc's placeholder for your own API client
            val apiCall = yourExampleBackendService.exampleData(appCheckToken)
            // ...
        }

On the other hand, "Migrating from SafetyNet" doc describes a different approach:

    import com.google.android.gms.tasks.Task
    import com.google.android.play.core.integrity.IntegrityManagerFactory
    import com.google.android.play.core.integrity.IntegrityTokenRequest
    import com.google.android.play.core.integrity.IntegrityTokenResponse

    val nonce: String = ...
    val integrityManager = IntegrityManagerFactory.create(applicationContext)
    val integrityTokenResponse: Task<IntegrityTokenResponse> =
        integrityManager.requestIntegrityToken(
            IntegrityTokenRequest.builder()
                .setNonce(nonce)
                .build()
        ).addOnSuccessListener {
            val token = it.token()
            ...
        }

So I'm not quite sure why existing SafetyNet users are suggested to use different APIs from the Play Check SDK compared to everyone else: shouldn't it be the same API for everyone? Can anyone suggest what the difference between these two approaches is and what their use cases are? The documentation isn't quite clear in that regard, unfortunately :(


Solution

In short: Firebase's App Check and the Google Play Integrity API are two different things. App Check is a Firebase tool which consists of several layers and tools and can be set up for different purposes. As one of those layers it supports the Google Play Integrity API as an attestation provider. The "Migrating from SafetyNet" link you've posted is from the official Google docs describing the Google Play Integrity API, which Google owns. If you were only using the SafetyNet API and not App Check with the SafetyNet provider in it, you may migrate straight to the Play Integrity API.
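The layering described in the answer (App Check as the Firebase layer, Play Integrity plugged into it as the provider) is easiest to see in code. The following is an added example, not code from the question, the answer or the Firebase docs: it installs the Play Integrity provider into App Check once at startup, then attaches the App Check token to every request to a custom backend through an OkHttp interceptor. The `X-Firebase-AppCheck` header name is the one Firebase's own "Protecting non-Firebase resources" guide reads on the server; the `AppCheckInterceptor` class, the `backendClient` instance and the 10-second timeout are this example's own choices, and the firebase-appcheck-playintegrity and OkHttp dependencies are assumed to be on the classpath.

```kotlin
// Added example: App Check backed by the Play Integrity provider, with the
// resulting token attached to every backend request.
// Assumes: firebase-appcheck-playintegrity and okhttp dependencies;
// AppCheckInterceptor / backendClient are names chosen here, not from the docs.
import android.app.Application
import com.google.android.gms.tasks.Tasks
import com.google.firebase.FirebaseApp
import com.google.firebase.appcheck.FirebaseAppCheck
import com.google.firebase.appcheck.playintegrity.PlayIntegrityAppCheckProviderFactory
import okhttp3.Interceptor
import okhttp3.OkHttpClient
import okhttp3.Request
import okhttp3.Response
import java.util.concurrent.TimeUnit

class MyApp : Application() {
    override fun onCreate() {
        super.onCreate()
        FirebaseApp.initializeApp(this)
        // App Check is the Firebase layer; Play Integrity is the attestation
        // provider plugged into it. This one call is the difference between
        // "App Check with Play Integrity" and calling Play Integrity directly
        // (the second snippet in the question), where your backend would have
        // to decode and evaluate the raw integrity verdict itself.
        FirebaseAppCheck.getInstance().installAppCheckProviderFactory(
            PlayIntegrityAppCheckProviderFactory.getInstance()
        )
    }
}

/** Adds the current App Check token as the X-Firebase-AppCheck header. */
class AppCheckInterceptor : Interceptor {
    override fun intercept(chain: Interceptor.Chain): Response {
        // getAppCheckToken(false) returns the cached token while it is still
        // valid and only talks to Play Integrity when it needs a fresh one.
        // OkHttp interceptors run on its worker threads, so blocking is fine.
        val token: String? = try {
            Tasks.await(
                FirebaseAppCheck.getInstance().getAppCheckToken(false),
                10, TimeUnit.SECONDS
            ).token
        } catch (e: Exception) {
            // No token (no Play services, network error, timeout): send the
            // request without the header and let the backend reject it,
            // rather than failing silently on the client.
            null
        }
        val request: Request = if (token != null) {
            chain.request().newBuilder()
                .header("X-Firebase-AppCheck", token)
                .build()
        } else {
            chain.request()
        }
        return chain.proceed(request)
    }
}

// Use this client for every call to your custom backend.
val backendClient: OkHttpClient = OkHttpClient.Builder()
    .addInterceptor(AppCheckInterceptor())
    .build()
```

On the server side the App Check token is a JWT signed by Firebase, so the backend verifies it with the Firebase Admin SDK (for example `getAppCheck().verifyToken(token)` in the Node.js Admin SDK) and rejects the request when verification fails; with the direct Play Integrity route from the question's second snippet the backend instead generates the nonce, decodes the integrity token through the Play Developer API and evaluates the verdict itself, which is the extra work App Check takes off your hands.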