Get started using App Check with a custom provider on Android
This page shows you how to enable App Check in an Android app, using your custom App Check provider. When you enable App Check, you help ensure that only your app can access your project's Firebase resources.
If you want to use App Check with the default Play Integrity provider, see Enable App Check with Play Integrity on Android.
Before you begin
Add Firebase to your Android project if you haven't already done so.
Implement your custom App Check provider's server-side logic.
1. Add the App Check library to your app
In your module (app-level) Gradle file (usually <project>/<app-module>/build.gradle.kts or <project>/<app-module>/build.gradle), add the dependency for the App Check library for Android. We recommend using the Firebase Android BoM to control library versioning.

```kotlin
dependencies {
    // Import the BoM for the Firebase platform
    implementation(platform("com.google.firebase:firebase-bom:34.7.0"))

    // Add the dependency for the App Check library
    // When using the BoM, you don't specify versions in Firebase library dependencies
    implementation("com.google.firebase:firebase-appcheck")
}
```

By using the Firebase Android BoM, your app will always use compatible versions of Firebase Android libraries.
(Alternative) Add Firebase library dependencies without using the BoM
If you choose not to use the Firebase BoM, you must specify each Firebase library version in its dependency line.
Note that if you use multiple Firebase libraries in your app, we strongly recommend using the BoM to manage library versions, which ensures that all versions are compatible.

```kotlin
dependencies {
    // Add the dependency for the App Check library
    // When NOT using the BoM, you must specify versions in Firebase library dependencies
    implementation("com.google.firebase:firebase-appcheck:19.0.1")
}
```
2. Implement the App Check interfaces
First, you need to create classes that implement the AppCheckProvider and AppCheckProviderFactory interfaces.
Your AppCheckProvider class must have a getToken() method, which collects whatever information your custom App Check provider requires as proof of authenticity, and sends it to your token acquisition service in exchange for an App Check token. The App Check SDK handles token caching, so always get a new token in your implementation of getToken().
Kotlin
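```kotlin
import com.google.android.gms.tasks.Task
import com.google.android.gms.tasks.Tasks
import com.google.firebase.FirebaseApp
import com.google.firebase.appcheck.AppCheckProvider
import com.google.firebase.appcheck.AppCheckToken

class YourCustomAppCheckToken(
    private val token: String,
    private val expiration: Long,
) : AppCheckToken() {
    override fun getToken(): String = token
    override fun getExpireTimeMillis(): Long = expiration
}

class YourCustomAppCheckProvider(firebaseApp: FirebaseApp) : AppCheckProvider {
    override fun getToken(): Task<AppCheckToken> {
        // Logic to exchange proof of authenticity for an App Check token and
        // expiration time.
        // ...
        // tokenFromServer and expirationFromServer (in seconds) are the values
        // returned by that exchange.

        // Refresh the token early to handle clock skew.
        val expMillis = expirationFromServer * 1000L - 60000L

        // Create AppCheckToken object.
        val appCheckToken: AppCheckToken = YourCustomAppCheckToken(tokenFromServer, expMillis)
        return Tasks.forResult(appCheckToken)
    }
}
```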
Java
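```java
import androidx.annotation.NonNull;
import com.google.android.gms.tasks.Task;
import com.google.android.gms.tasks.Tasks;
import com.google.firebase.FirebaseApp;
import com.google.firebase.appcheck.AppCheckProvider;
import com.google.firebase.appcheck.AppCheckToken;

public class YourCustomAppCheckToken extends AppCheckToken {
    private String token;
    private long expiration;

    YourCustomAppCheckToken(String token, long expiration) {
        this.token = token;
        this.expiration = expiration;
    }

    @NonNull
    @Override
    public String getToken() {
        return token;
    }

    @Override
    public long getExpireTimeMillis() {
        return expiration;
    }
}

public class YourCustomAppCheckProvider implements AppCheckProvider {
    public YourCustomAppCheckProvider(FirebaseApp firebaseApp) {
        // ...
    }

    @NonNull
    @Override
    public Task<AppCheckToken> getToken() {
        // Logic to exchange proof of authenticity for an App Check token and
        // expiration time.
        // ...
        // tokenFromServer and expirationFromServer (in seconds) are the values
        // returned by that exchange.

        // Refresh the token early to handle clock skew.
        long expMillis = expirationFromServer * 1000L - 60000L;

        // Create AppCheckToken object.
        AppCheckToken appCheckToken =
                new YourCustomAppCheckToken(tokenFromServer, expMillis);
        return Tasks.forResult(appCheckToken);
    }
}
```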
Also, implement an AppCheckProviderFactory class that creates instances of your AppCheckProvider implementation:
Kotlin
```kotlin
class YourCustomAppCheckProviderFactory : AppCheckProviderFactory {
    override fun create(firebaseApp: FirebaseApp): AppCheckProvider {
        // Create and return an AppCheckProvider object.
        return YourCustomAppCheckProvider(firebaseApp)
    }
}
```
Java
```java
public class YourCustomAppCheckProviderFactory implements AppCheckProviderFactory {
    @NonNull
    @Override
    public AppCheckProvider create(@NonNull FirebaseApp firebaseApp) {
        // Create and return an AppCheckProvider object.
        return new YourCustomAppCheckProvider(firebaseApp);
    }
}
```
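One way to fill in the exchange that getToken() elides, as an added example rather than code from the Firebase documentation: it fetches the token off the main thread, fails the Task on any error, and rejects a token that would already be expired after the 60-second skew margin. The endpoint URL, the `collectProof` callback, the class names and the `{"token", "expiresAt"}` response shape are assumptions.

```kotlin
import com.google.android.gms.tasks.Task
import com.google.android.gms.tasks.TaskCompletionSource
import com.google.firebase.appcheck.AppCheckProvider
import com.google.firebase.appcheck.AppCheckToken
import java.io.IOException
import java.net.URL
import java.util.concurrent.Executors
import javax.net.ssl.HttpsURLConnection
import org.json.JSONObject

// Hypothetical endpoint; response assumed to be {"token": ..., "expiresAt": <epoch seconds>}.
private const val TOKEN_ENDPOINT = "https://appcheck.example.com/token"
private const val SKEW_MARGIN_MILLIS = 60_000L // the page's 60 s early refresh

class ServerToken(private val token: String, private val expiration: Long) : AppCheckToken() {
    override fun getToken(): String = token
    override fun getExpireTimeMillis(): Long = expiration
}

// collectProof is a hypothetical callback returning your provider's proof of authenticity.
class HttpAppCheckProvider(private val collectProof: () -> String) : AppCheckProvider {
    private val executor = Executors.newSingleThreadExecutor()
    override fun getToken(): Task<AppCheckToken> {
        val source = TaskCompletionSource<AppCheckToken>()
        executor.execute { // network I/O must stay off the main thread
            try { source.setResult(fetchToken()) } catch (e: Exception) { source.setException(e) }
        }
        return source.task
    }

    private fun fetchToken(): AppCheckToken {
        // The cast fails for a non-HTTPS URL, so the proof is never sent in clear text.
        val conn = URL(TOKEN_ENDPOINT).openConnection() as HttpsURLConnection
        try {
            conn.requestMethod = "POST"
            conn.doOutput = true
            conn.connectTimeout = 10_000
            conn.readTimeout = 10_000
            conn.outputStream.use { it.write(collectProof().toByteArray()) }
            if (conn.responseCode != 200) throw IOException("token service: HTTP ${conn.responseCode}")
            val body = JSONObject(conn.inputStream.bufferedReader().use { it.readText() })
            val token = body.getString("token")
            val expMillis = body.getLong("expiresAt") * 1000L - SKEW_MARGIN_MILLIS
            if (token.isEmpty() || expMillis <= System.currentTimeMillis())
                throw IOException("empty or already-expired token from token service")
            return ServerToken(token, expMillis)
        } finally { conn.disconnect() }
    }
}
```

To use it, return an `HttpAppCheckProvider` from your factory's create() method in place of `YourCustomAppCheckProvider`.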
3. Initialize App Check
Add the following initialization code to your app so that it runs before you use any other Firebase SDKs:
Kotlin
```kotlin
Firebase.initialize(context)
Firebase.appCheck.installAppCheckProviderFactory(
    YourCustomAppCheckProviderFactory(),
)
```
Java
```java
FirebaseApp.initializeApp(/*context=*/ context);
FirebaseAppCheck firebaseAppCheck = FirebaseAppCheck.getInstance();
firebaseAppCheck.installAppCheckProviderFactory(
        new YourCustomAppCheckProviderFactory());
```
Next steps
Once the App Check library is installed in your app, start distributing the updated app to your users.
The updated client app will begin sending App Check tokens along with every request it makes to Firebase, but Firebase products will not require the tokens to be valid until you enable enforcement in the App Check section of the Firebase console.
Monitor metrics and enable enforcement
Before you enable enforcement, however, you should make sure that doing so won't disrupt your existing legitimate users. On the other hand, if you're seeing suspicious use of your app resources, you might want to enable enforcement sooner.
To help make this decision, you can look at App Check metrics for the services you use:
- Monitor App Check request metrics for Firebase AI Logic, Data Connect, Realtime Database, Cloud Firestore, Cloud Storage, Authentication, Google Identity for iOS, Maps JavaScript API, and Places API (New).
- Monitor App Check request metrics for Cloud Functions.
Enable App Check enforcement
When you understand how App Check will affect your users and you're ready to proceed, you can enable App Check enforcement:
- Enable App Check enforcement for Firebase AI Logic, Data Connect, Realtime Database, Cloud Firestore, Cloud Storage, Authentication, Google Identity for iOS, Maps JavaScript API, and Places API (New).
- Enable App Check enforcement for Cloud Functions.
Use App Check in debug environments
If, after you have registered your app for App Check, you want to run your app in an environment that App Check would normally not classify as valid, such as an emulator during development, or from a continuous integration (CI) environment, you can create a debug build of your app that uses the App Check debug provider instead of a real attestation provider.
See Use App Check with the debug provider on Android.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-17 UTC.