This page shows you how to enable App Check in an Apple app, using the built-in App Attest provider. When you enable App Check , you help ensure that only your app can access your project's Firebase resources. See an Overview of this feature.
App Check uses App Attest to verify that requests to Firebase services are coming from your authentic app. App Check currently does not use App Attest to analyze fraud risk .
If you want to use App Check with your own custom provider, see Implement a custom App Check provider .
1. Set up your Firebase project
-
You will need Xcode 12.5+ to use App Attest.
-
Add Firebase to your Apple project if you haven't already done so.
-
In the Firebase console, navigate to Security> App Check .
-
In the Appstab, register your apps to use App Check with the App Attest provider.
You usually need to register all of your project's apps, because once you enable enforcement for a Firebase product, only registered apps will be able to access the product's backend resources.
-
Optional: In the app registration settings, set a custom time-to-live (TTL) for App Check tokens issued by the provider. You can set the TTL to any value between 30 minutes and 7 days. When changing this value, be aware of the following tradeoffs:
- Security: Shorter TTLs provide stronger security, because it reduces the window in which a leaked or intercepted token can be abused by an attacker.
- Performance: Shorter TTLs mean your app will perform attestation more frequently. Because the app attestation process adds latency to network requests every time it's performed, a short TTL can impact the performance of your app.
- Quota and cost: Shorter TTLs and frequent re-attestation deplete your quota faster, and for paid services, potentially cost more. See Quotas & limits .
The default TTL of 1 hour is reasonable for most apps. Note that the App Check library refreshes tokens at approximately half the TTL duration.
