Get started using App Check with Play Integrity on Android
This page shows you how to enable App Check in an Android app, using the
built-in Play Integrity provider. When you enable App Check, you help ensure
that only your app can access your project's backend resources. See an Overview of this feature.
The Play Integrity provider supports Android apps that are published on Google
Play, outside Google Play, or both. If your use case requires Play Integrity
features not implemented by App Check, or if you want to use App Check with your own custom provider, see Implement a custom App Check provider.
In the Google Play Console,
select your app, or add it if you haven't already done so.
In the Release section, click App integrity.
Go to the Play Integrity API section of the page, click Link Cloud project,
then select your Firebase project from the list of Google Cloud projects.
The project you select here must be the same Firebase project as the one
in which you register your app (see the next step).
Register your apps to use App Check with the Play Integrity provider in
the App Check section of
the Firebase console. You will need to provide the SHA-256 fingerprint of your app's signing certificate.
You usually need to register all of your project's apps, because once you
enable enforcement for a Firebase product, only registered apps will be able
to access the product's backend resources.
Optional: In the app registration settings, set a custom time-to-live
(TTL) for App Check tokens issued by the provider. You can set the TTL
to any value between 30 minutes and 7 days. When changing this value, be
aware of the following tradeoffs:
Security: Shorter TTLs provide stronger security, because they reduce the
window in which a leaked or intercepted token can be abused by an
attacker.
Performance: Shorter TTLs mean your app will perform attestation more
frequently. Because the app attestation process adds latency to network
requests every time it's performed, a short TTL can impact the performance
of your app.
Quota and cost: Shorter TTLs and frequent re-attestation deplete your
quota faster, and for paid services, potentially cost more.
See Quotas & limits.
The default TTL of 1 hour is reasonable for most apps. Note that the App Check library refreshes
tokens at approximately half the TTL duration.
Configure advanced settings (optional)
App Check offers a number of settings to support advanced use cases,
including distributing your app outside Google Play. You can configure these
settings in the App Check section of the Firebase console for each of your Android apps. We recommend
that you configure these settings according to the following table when you
first register your app.
| Your app's distribution channel | PLAY_RECOGNIZED | LICENSED | Minimum acceptable device integrity level |
| --- | --- | --- | --- |
| Exclusively on Google Play | Required | Required | Don't explicitly check device integrity level |
| Exclusively outside Google Play | Not required | Not required | Device integrity |
| On Google Play and outside Google Play | Required | Not required | Don't explicitly check device integrity level |
Details
Each advanced setting corresponds to a Play Integrity verdict label. Consult the Play Integrity documentation for additional details.
By default, App Check requires the PLAY_RECOGNIZED app recognition label. Apps not published on Google Play are not eligible
to receive this label.
By default, App Check doesn't require the LICENSED app licensing label. Only users who have installed or updated your app
directly from Google Play are eligible to receive this label.
By default, App Check does not explicitly check the device integrity
verdict. App Check supports explicitly checking for the following three
device integrity levels, listed in order of increasing device integrity.
Device integrity. Causes App Check to require the MEETS_DEVICE_INTEGRITY device recognition label. All apps are automatically eligible to
receive this label.
In your module (app-level) Gradle file (usually <project>/<app-module>/build.gradle.kts or <project>/<app-module>/build.gradle),
add the dependency for the App Check library for Android. We recommend using the Firebase Android BoM to control library versioning.

```kotlin
dependencies {
    // Import the BoM for the Firebase platform
    implementation(platform("com.google.firebase:firebase-bom:34.5.0"))

    // Add the dependencies for the App Check libraries
    // When using the BoM, you don't specify versions in Firebase library dependencies
    implementation("com.google.firebase:firebase-appcheck-playintegrity")
}
```
By using the Firebase Android BoM,
your app will always use compatible versions of Firebase Android libraries.
(Alternative)
Add Firebase library dependencies without using the BoM
If you choose not to use the Firebase BoM, you must specify each Firebase library version
in its dependency line.
Note that if you use multiple Firebase libraries in your app, we strongly
recommend using the BoM to manage library versions, which ensures that all versions are
compatible.

```kotlin
dependencies {
    // Add the dependencies for the App Check libraries
    // When NOT using the BoM, you must specify versions in Firebase library dependencies
    implementation("com.google.firebase:firebase-appcheck-playintegrity:19.0.1")
}
```
3. Initialize App Check
Add the following initialization code to your app so that it runs before you use
any other Firebase SDKs:
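As an added example (not code from the original page or from Firebase's own samples), the following Application subclass installs the Play Integrity provider before any other Firebase SDK is touched, then requests one token to confirm that attestation succeeds on the device. The package name, the class name MyApplication and the log tag are assumptions, and the class must be referenced from android:name on the application element of your manifest.

```kotlin
package com.example.myapp // hypothetical package name

import android.app.Application
import android.util.Log
import com.google.firebase.FirebaseApp
import com.google.firebase.appcheck.FirebaseAppCheck
import com.google.firebase.appcheck.playintegrity.PlayIntegrityAppCheckProviderFactory

// Hypothetical Application subclass; Application.onCreate runs before any
// Activity, so App Check is installed before other Firebase SDKs are used.
class MyApplication : Application() {

    override fun onCreate() {
        super.onCreate()

        // Initialize the default FirebaseApp, then register the Play Integrity
        // provider as the attestation source for App Check.
        FirebaseApp.initializeApp(this)
        val appCheck = FirebaseAppCheck.getInstance()
        appCheck.installAppCheckProviderFactory(
            PlayIntegrityAppCheckProviderFactory.getInstance()
        )

        // Startup check: forceRefresh = false returns the cached token when it
        // is still valid, so this does not add an attestation round trip on
        // every launch. Log only the remaining lifetime, never the token.
        appCheck.getAppCheckToken(false)
            .addOnSuccessListener { token ->
                val minutesLeft =
                    (token.expireTimeMillis - System.currentTimeMillis()) / 60_000
                Log.d(TAG, "App Check token obtained; expires in about $minutesLeft min")
            }
            .addOnFailureListener { e ->
                // Typical causes: the app is not registered for App Check, the
                // SHA-256 fingerprint does not match, or the Play Integrity API
                // is not linked to this Firebase project.
                Log.w(TAG, "App Check attestation failed", e)
            }
    }

    private companion object {
        const val TAG = "AppCheckInit" // hypothetical log tag
    }
}
```

The remaining lifetime logged on success reflects the TTL configured for the app in the Firebase console.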
Once the App Check library is installed in your app, start distributing the
updated app to your users.
The updated client app will begin sending App Check tokens along with every
request it makes to Firebase, but Firebase products will not require the tokens
to be valid until you enable enforcement in the App Check section of the
Firebase console.
Monitor metrics and enable enforcement
Before you enable enforcement, however, you should make sure that doing so won't
disrupt your existing legitimate users. On the other hand, if you're seeing
suspicious use of your app resources, you might want to enable enforcement
sooner.
To help make this decision, you can look at App Check metrics for the
services you use:
Monitor App Check request metrics for Firebase AI Logic, Data Connect, Realtime Database, Cloud Firestore, Cloud Storage, Authentication, Google Identity for iOS, Maps JavaScript API, and Places API (New).
When you understand how App Check will affect your users and you're ready to
proceed, you can enable App Check enforcement:
Enable App Check enforcement for Firebase AI Logic, Data Connect, Realtime Database, Cloud Firestore, Cloud Storage, Authentication, Google Identity for iOS, Maps JavaScript API, and Places API (New).
If, after you have registered your app for App Check, you want to run your
app in an environment that App Check would normally not classify as valid,
such as an emulator during development, or from a continuous integration (CI)
environment, you can create a debug build of your app that uses the App Check debug provider instead of a real attestation provider.
Last updated 2025-11-10 UTC.