This page shows you how to enable App Check in an iOS app. When you enable App Check, you help ensure that only your app can access Google's OAuth 2.0 endpoints on behalf of your project. See an Overview of this feature.
App Check uses App Attest to help verify that OAuth 2.0 requests are coming from your authentic app. App Check does not use App Attest to analyze fraud risk.
Before you begin
Make sure you have Xcode 12.5 or newer.
Integrate Google Sign-in into your iOS app, using the Google Sign-in library.
1. Set up your project
App Check can be enabled in the Google API Console or in the Firebase Console. It is not necessary to enable it in both places, just one is sufficient.
Google API Console
The following requirements must be met to successfully enable App Check for your iOS client:- You must specify a team ID for your iOS client.
- You must not use a wildcard in your bundle ID since it can resolve to more than one app. This means that the bundle ID must not include the asterisk (*) symbol.
After enabling App Check, you will start seeing metrics related to OAuth requests from your client in the edit view of the OAuth client. Requests from unverified sources won't be blocked until you enforce App Check. The information in the metrics monitoring page can help you determine when to start enforcement.
You might see errors related to the App Check feature when enabling App Check for your iOS app. To fix these errors, try the following:
- Verify that the bundle ID and team ID you specified are valid.
- Verify that you are not using a wildcard for the bundle ID.
Firebase Console
You must have a Firebase project to use App Check with Google Sign-in.
If your app already uses Firebase, use the same project.
If your app uses Google Sign-in, but not Firebase, you already have a Google Cloud project. Add Firebase to your Google Cloud project by selecting it when you create a new project in the Firebase console
See also: Relationship between Firebase projects and Google Cloud
If you haven't already done so, add your iOS apps to your Firebase project using the Project settings page of the Firebase console.
Register your apps to use App Check with the App Attest provider in the App Check section of the Firebase console.
Make sure all of your project's OAuth clients are linked to an app.
If you have unlinked clients, you'll see a message in the Google Identity for iOS section of the App Check page that says, "You have n unlinked OAuth clients which require additional setup."
Additionally, if you have deleted some OAuth clients after setting them up in App Check, you'll see a message that says, "You have n overrides with no matching OAuth client". You can safely clean up by deleting those overrides.
You can link unlinked clients to an existing or new app on the OAuth clients page of the Firebase console.
2. Add the Google Sign-in library to your app
In your Xcode project, set the Google Sign-in dependency to version
8.0.0or higher :SPM
Set the dependency rule of
googlesignin-iosto version8.0.0or higher.CocoaPods
Update your
Podfile:source 'https://github.com/CocoaPods/Specs.git' source 'https://github.com/firebase/SpecsDev.git' target 'YourAppName' do use_frameworks! pod 'GoogleSignIn','~> 8.0' :git => 'https://github.com/google/GoogleSignIn-iOS.git' pod 'GoogleSignInSwiftSupport' # If you use SwiftUI. endThen, run
pod installand open the created.xcworkspacefile.In Xcode, add the App Attest capability to your app.
In your project's
.entitlementsfile, set the App Attest environment toproduction.
3. Initialize App Check
In your app delegate's didFinishLaunchingWithOptions method, call
GIDSignIn.sharedInstance.configure(completion:). You should call this method
as early as possible in your app's lifecycle to minimize user-perceived latency.
import SwiftUI
import GoogleSignIn
class AppDelegate: NSObject, UIApplicationDelegate {
func application(
_ application: UIApplication,
didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey : Any]? = nil
) -> Bool {
#if targetEnvironment(simulator)
// Configure for debugging.
// See: https://developers.google.com/identity/sign-in/ios/appcheck/debug-provider
#else
GIDSignIn.sharedInstance.configure { error in
if let error {
print("Error configuring `GIDSignIn` for Firebase App Check: \(error)")
}
}
#endif
return true
}
}
@main
struct YourAppNameApp: App {
@UIApplicationDelegateAdaptor(AppDelegate.self) var appDelegate
// ...
}
Next steps
Once the App Check library is installed in your app, start distributing the updated app to your users.
The updated client app will begin sending App Check tokens along with every request it makes to Google's authentication endpoints, but the endpoints won't require the tokens to be valid until you enable enforcement in the App Check section of the Firebase console.
Monitor metrics
Before you enable enforcement, however, you should make sure that doing so won't disrupt your existing legitimate users. On the other hand, if you're seeing suspicious use of your app resources, you might want to enable enforcement sooner.
To help make this decision, you can look at App Check metrics for Google Sign-in.
Enable App Check enforcement
When you understand how App Check will affect your users and you're ready to proceed, you can enable App Check enforcement.
Use App Check in debug environments
If, after you have registered your app for App Check, you want to run your app in an environment that App Check would normally not classify as valid, such as a simulator during development, or from a continuous integration (CI) environment, you can create a debug build of your app that uses the App Check debug provider instead of App Attest.