Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature Request]: Enable AppCheck on Production #5084

Closed
5 tasks done
adhiamboperes opened this issue Jul 11, 2023 · 3 comments
Closed
5 tasks done

[Feature Request]: Enable AppCheck on Production #5084

adhiamboperes opened this issue Jul 11, 2023 · 3 comments
Assignees
@BenHenning
Labels
enhancement End user-perceivable enhancements. Impact: High High perceived user impact (breaks a critical feature or blocks a release). Work: Medium The means to find the solution is clear, but it isn't at good-first-issue level yet.
Milestone
1.x GA Follow-up ...

Comments

@adhiamboperes
Copy link
Collaborator

adhiamboperes commented Jul 11, 2023
edited by BenHenning
Loading

Is your feature request related to a problem? Please describe.

As part of the Android NPS survey, we are uploading some of the user responses to Firestore. Firestore by itself does not offer adequate security, and Firebase AppCheck provides a solution that protects our database from malicious abuse by verifying the authenticity of writing apps and devices.

Describe the solution you'd like

The Setup steps for AppCheck from the documentation are as follows:

In the Release section, click Setup > App integrity.

On the Integrity API page, click Link project, then select your Firebase project from the list of Google Cloud projects.

The project you select here must be the same Firebase project as the one in which you register your app.

  • Register your apps to use App Check with the Play Integrity provider in the App Check section of the Firebase console.

    • Click on Register and follow the wizard.
    • You will need to provide the SHA-256 fingerprint of your app's signing certificate.
    • Set a custom time-to-live of 7 days(this is the maximum allowed). Note that the App Check library refreshes tokens at approximately half the TTL duration.

  • Developer: Add the App Check library to the app
    Add the Appcheck and play integrity dependencies to the app(gradle and bazel) and initialize app check in the code.

    implementation("com.google.firebase:firebase-appcheck-playintegrity:17.0.1")
    implementation("com.google.firebase:firebase-appcheck-ktx:17.0.1")

Init block

Firebase.initialize(context = this)
Firebase.appCheck.installAppCheckProviderFactory(
    PlayIntegrityAppCheckProviderFactory.getInstance(),
)

Per the documentation, this code needs to run before any other Firebase SDKs.

  • Monitor App Check request metrics
    After adding the App Check SDK to the app, but before enabling App Check enforcement, we should make sure that doing so won't disrupt our existing legitimate users. To view the App Check request metrics for a product, open the App Check section of the Firebase console.

  • Enable App Check enforcement
    This step will not be enabled from the onset for production apps, because we need to ensure that doing so won't disrupt our existing legitimate users. We will first deploy the app with AppCheck configured so that we can monitor the metrics and be able to see usages from Verified, Outdated clients, Unknown origin and Invalid requests. See here for more information on metrics. Reference.

Once we have a good view of metrics, we can then enforce AppCheck.

To enable enforcement for Firestore:

  • Open the App Check section of the Firebase console.
  • Expand the metrics view of the product for which you want to enable enforcement.
  • Click Enforce and confirm your choice.

Describe alternatives you've considered

N/A

Additional context

Additional Resources:

  1. Firebase App Check
  2. Play Integrity
  3. Securing Firebase
  4. Firebase App Check,
  5. Attestation with Play Integrity
@adhiamboperes adhiamboperes added enhancement End user-perceivable enhancements. triage needed Impact: High High perceived user impact (breaks a critical feature or blocks a release). Work: Medium The means to find the solution is clear, but it isn't at good-first-issue level yet. and removed triage needed labels Jul 11, 2023
@seanlip
Copy link
Member

seanlip commented Jul 16, 2023

@adhiamboperes I've done the first two steps, but I can't see the graphs so I can't do the last one.

This page suggests that there are other steps that need to be followed first (2 and 3). Should I wait for the dev team to do that before proceeding?

@seanlip seanlip assigned adhiamboperes and unassigned seanlip Jul 16, 2023
@adhiamboperes
Copy link
Collaborator Author

@adhiamboperes I've done the first two steps, but I can't see the graphs so I can't do the last one.

This page suggests that there are other steps that need to be followed first (2 and 3). Should I wait for the dev team to do that before proceeding?

Yes, step 2 and 3 are dev side, and the last step on this issue will be done post-release so I will re-assign you then.

@adhiamboperes adhiamboperes removed their assignment Jul 24, 2023
@adhiamboperes adhiamboperes self-assigned this Aug 1, 2023
@adhiamboperes adhiamboperes mentioned this issue Aug 1, 2023
Merged
6 tasks
@adhiamboperes adhiamboperes removed their assignment Aug 1, 2023
@adhiamboperes adhiamboperes self-assigned this Sep 30, 2023
@BenHenning BenHenning added this to the 1.0 Global availability milestone Jan 30, 2024
adhiamboperes added a commit that referenced this issue Feb 13, 2024
@adhiamboperes @BenHenning
Fix Part of #5084: Initialize Appcheck (#5115)
f7b9260 
## Explanation
Fixes Part of #5084. This is PR 6 of 6 Planned PRs.

This PR adds Firebase AppCheck and Play Integrity dependencies to the
project. It also initializes AppCheck.

Once a new production build is released with this commit, requests to
all our Firebase resources will include an attestation token, and we
will be able to begin monitoring the type of requests we receive. We
will use this data to inform when we will fully enforce AppCheck for all
Firebase access, after gaining an understanding of how many active users
would be impacted(unable to upload logs to Firestore).

To test this, I added a [debug
token](https://firebase.google.com/docs/app-check/android/debug-provider#emulator)
to the firebase console, to be used to verify our requests to Firestore.

<img width="1405" alt="Screenshot 2024-01-24 at 09 33 25"
src="https://github.com/oppia/oppia-android/assets/59600948/034f3176-b5cf-465a-858d-d55fd6495987">

<img width="918" alt="Screenshot 2024-01-24 at 09 45 54"
src="https://github.com/oppia/oppia-android/assets/59600948/19295576-8540-4890-b30b-0c6defb0a670">

#### The Appcheck console

<img width="1062" alt="Screenshot 2024-01-24 at 09 06 17"
src="https://github.com/oppia/oppia-android/assets/59600948/30c09bd1-f9bd-412d-8510-9fc8f9f5dd65">

<img width="1062" alt="Screenshot 2024-01-24 at 09 06 02"
src="https://github.com/oppia/oppia-android/assets/59600948/d4c3a8b0-fb4a-4531-89d3-c2783b9d702f">

<img width="1062" alt="Screenshot 2024-01-24 at 09 05 48"
src="https://github.com/oppia/oppia-android/assets/59600948/0423ea9d-db48-47c6-bbeb-7af905fc0785">

#### Test on the release token fetch
<img width="1377" alt="Screenshot 2024-01-24 at 08 57 10"
src="https://github.com/oppia/oppia-android/assets/59600948/0deee04b-ca34-482f-9663-b3959dbdda6d">


## Essential Checklist
<!-- Please tick the relevant boxes by putting an "x" in them. -->
- [x] The PR title and explanation each start with "Fix #bugnum: " (If
this PR fixes part of an issue, prefix the title with "Fix part of
#bugnum: ...".)
- [x] Any changes to
[scripts/assets](https://github.com/oppia/oppia-android/tree/develop/scripts/assets)
files have their rationale included in the PR explanation.
- [x] The PR follows the [style
guide](https://github.com/oppia/oppia-android/wiki/Coding-style-guide).
- [x] The PR does not contain any unnecessary code changes from Android
Studio
([reference](https://github.com/oppia/oppia-android/wiki/Guidance-on-submitting-a-PR#undo-unnecessary-changes)).
- [x] The PR is made from a branch that's **not** called "develop" and
is up-to-date with "develop".
- [x] The PR is **assigned** to the appropriate reviewers
([reference](https://github.com/oppia/oppia-android/wiki/Guidance-on-submitting-a-PR#clarification-regarding-assignees-and-reviewers-section)).

## For UI-specific PRs only
<!-- Delete these section if this PR does not include UI-related
changes. -->
If your PR includes UI-related changes, then:
- Add screenshots for portrait/landscape for both a tablet & phone of
the before & after UI changes
- For the screenshots above, include both English and pseudo-localized
(RTL) screenshots (see [RTL
guide](https://github.com/oppia/oppia-android/wiki/RTL-Guidelines))
- Add a video showing the full UX flow with a screen reader enabled (see
[accessibility
guide](https://github.com/oppia/oppia-android/wiki/Accessibility-A11y-Guide))
- Add a screenshot demonstrating that you ran affected Espresso tests
locally & that they're passing

---------

Co-authored-by: Ben Henning <[email protected]>
@BenHenning
Copy link
Member

This is enabled now for production and should start affecting the new NPS Firestore datastore (only--events are unaffected).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@BenHenning BenHenning

Labels
enhancement End user-perceivable enhancements. Impact: High High perceived user impact (breaks a critical feature or blocks a release). Work: Medium The means to find the solution is clear, but it isn't at good-first-issue level yet.
Projects
[Team] Core Learner and Mastery flows & UI Frontend - Android
Archived in project
Milestone
1.x GA Follow-up Items
Development

No branches or pull requests
3 participants
@seanlip @BenHenning @adhiamboperes