Firebase App Check
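App Check helps protect your app backends from abuse by preventing unauthorized clients from accessing your backend resources. It works with both Google services (including Firebase and Google Cloud services) and your own custom backends to keep your resources safe.
With App Check, devices running your app use an app or device attestation provider that attests to one or both of the following:
- Requests originate from your authentic app
- Requests originate from an authentic, untampered device
This attestation is attached to every request your app makes to the APIs you specify. When you enable App Check enforcement, requests from clients without a valid attestation are rejected, as is any request originating from an app or platform you haven't authorized.
App Check has built-in support for using the following services as attestation providers:
- DeviceCheck or App Attest on Apple platforms
- Play Integrity on Android
- reCAPTCHA Enterprise on web apps
If these are insufficient for your needs, you can also implement your own service that uses either a third-party attestation provider or your own attestation techniques.
App Check works with the following Google services:
- Firebase Authentication (Preview)
- Firebase Data Connect
- Cloud Firestore
- Firebase Realtime Database
- Cloud Storage for Firebase
- Cloud Functions for Firebase (callable functions only)
- Firebase AI Logic
- Maps JavaScript API (Preview)
- Places API (New) (Preview)
- Google Identity for iOS
You can also use App Check to protect your non-Google custom backend resources, like your own self-hosted backend.
Learn how to get started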
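How does it work?
When you enable App Check for a service and include the client SDK in your app, the following happens periodically:
- Your app interacts with the provider of your choice to obtain an attestation of the app's or device's authenticity (or both, depending on the provider).
- The attestation is sent to the App Check server, which verifies the validity of the attestation using parameters registered with the app, and returns to your app an App Check token with an expiration time. This token might retain some information about the attestation material it verified.
- The App Check client SDK caches the token in your app, ready to be sent along with any requests your app makes to protected services.
A service protected by App Check only accepts requests accompanied by a current, valid App Check token.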
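The periodic flow described above, as an added sketch that is not Firebase code: an attestation is exchanged for an expiring token, the client caches it, and the protected service accepts only a current, valid token. The HMAC token format, the key, the app ID, the lifetime and all function names are constructed stand-ins for what the App Check service and SDKs do internally.

```python
import base64, hashlib, hmac, json

# All names and values below are constructed for illustration.
SERVER_KEY = b"constructed-demo-key"   # stand-in for the App Check server's signing key
REGISTERED_APPS = {"demo-app-id"}      # apps registered with the project
TOKEN_TTL = 3600                       # assumed token lifetime, seconds

def sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def exchange_attestation(app_id, attestation_ok, now):
    """App Check server: check the attestation, return a token that expires."""
    if app_id not in REGISTERED_APPS or not attestation_ok:
        return None
    claims = json.dumps({"sub": app_id, "exp": now + TOKEN_TTL})
    payload = base64.urlsafe_b64encode(claims.encode()).decode()
    return payload + "." + sign(payload)

class TokenCache:
    """Client SDK: reuse the cached token, refresh shortly before expiry."""
    def __init__(self, app_id, skew=60):
        self.app_id, self.skew = app_id, skew
        self.token, self.exp, self.exchanges = None, 0, 0

    def get(self, now):
        if self.token is None or now >= self.exp - self.skew:
            self.token = exchange_attestation(self.app_id, True, now)
            self.exp = now + TOKEN_TTL
            self.exchanges += 1
        return self.token

def enforce(token, now):
    """Protected service: accept only a current, valid token."""
    if not token or token.count(".") != 1:
        return "reject: missing or malformed token"
    payload, sig = token.split(".")
    if not hmac.compare_digest(sig.encode(), sign(payload).encode()):
        return "reject: bad signature"
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if now >= claims["exp"]:
        return "reject: expired"
    if claims["sub"] not in REGISTERED_APPS:
        return "reject: app not authorized"
    return "accept"
```

The signature is checked before the payload is decoded, so a client cannot extend a token's lifetime by editing its expiry claim.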
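How strong is the security provided by App Check?
App Check relies on the strength of its attestation providers to determine app or device authenticity. It prevents some, but not all, abuse vectors directed towards your backends. Using App Check does not guarantee the elimination of all abuse, but by integrating with App Check, you are taking an important step towards abuse protection for your backend resources.
How is App Check related to Firebase Authentication?
App Check and Firebase Authentication are separate, complementary products that work together to improve your app's security. Firebase Authentication provides user authentication, which protects your users, whereas App Check provides attestation of app or device authenticity, which protects you, the developer. App Check guards access to your Google backend resources and custom backends by requiring API calls to contain a valid App Check token. These two concepts work together to help secure your app.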
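Quotas & limits
Your use of App Check is subject to the quotas and limits of the attestation providers you use.
DeviceCheck and App Attest access is subject to any quotas or limitations set by Apple.
Play Integrity has a daily quota of 10,000 calls for its Standard API usage tier. For information on raising your usage tier, see the Play Integrity documentation.
reCAPTCHA Enterprise is no-cost for 10,000 assessments each month, and has a cost beyond that. See reCAPTCHA pricing.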
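Get started
Ready to get started?
Apple platforms
DeviceCheck
App Attest
Android
Play Integrity
Web
reCAPTCHA Enterprise
Flutter
Default providers
Unity
Default providers
C++
Default providers
Learn how to implement a custom App Check provider
Custom providers
Learn how to use App Check to protect your custom backend resources
Select your platform: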
iOS+
Android
Web
Flutter
Unity
C++
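Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated (UTC): 2025-08-17.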