Firebase App Check
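App Check helps protect your app backends from abuse by preventing unauthorized clients from accessing your backend resources. It works with both Google services (including Firebase and Google Cloud services) and your own custom backends to keep your resources safe.
With App Check, devices running your app will use an app or device attestation provider that attests to one or both of the following:
- Requests originate from your authentic app
- Requests originate from an authentic, untampered device
This attestation is attached to every request your app makes to the APIs you specify. When you enable App Check enforcement, requests from clients without a valid attestation will be rejected, as will any request originating from an app or platform you haven't authorized.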
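App Check has built-in support for using the following services as attestation providers:
- DeviceCheck or App Attest on Apple platforms
- Play Integrity on Android
- reCAPTCHA Enterprise on web apps
If these are insufficient for your needs, you can also implement your own service that uses either a third-party attestation provider or your own attestation techniques.
App Check works with the following Google services:
- Firebase Authentication (Preview)
- Firebase Data Connect
- Cloud Firestore
- Firebase Realtime Database
- Cloud Storage for Firebase
- Cloud Functions for Firebase (callable functions only)
- Firebase AI Logic
- Maps JavaScript API (Preview)
- Places API (New) (Preview)
- Google Identity for iOS
You can also use App Check to protect your non-Google custom backend resources, like your own self-hosted backend.
Learn how to get started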
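How does it work?
When you enable App Check for a service and include the client SDK in your app, the following happens periodically:
- Your app interacts with the provider of your choice to obtain an attestation of the app or device's authenticity (or both, depending on the provider).
- The attestation is sent to the App Check server, which verifies the validity of the attestation using parameters registered with the app, and returns to your app an App Check token with an expiration time. This token might retain some information about the attestation material it verified.
- The App Check client SDK caches the token in your app, ready to be sent along with any requests your app makes to protected services.
A service protected by App Check only accepts requests accompanied by a current, valid App Check token.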
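A model of the flow above, as an added example (not Firebase's code or the App Check SDK): a stand-in attestation server mints a signed token with an expiry, the client caches it, and the protected service rejects a token that is missing, forged, expired, or issued to an unauthorized app. The RS256 JWT layout, key pair, issuer, audience and app IDs are constructed assumptions; the page does not describe the token format.

```javascript
const crypto = require('node:crypto');

// Constructed stand-ins: signing key pair, issuer and audience are sample values.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const ISS = 'https://attestation.example/sample-project';
const AUD = 'projects/sample-project';
const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const dec = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Step 2 of the flow: once the attestation checks out, mint a token that expires.
function issueToken(appId, ttlSec, now) {
  const signed = `${enc({ alg: 'RS256', typ: 'JWT' })}.` +
    enc({ iss: ISS, aud: [AUD], sub: appId, iat: now, exp: now + ttlSec });
  return `${signed}.${crypto.sign('sha256', Buffer.from(signed), privateKey).toString('base64url')}`;
}

// Step 3: the client caches the token and fetches a new one shortly before expiry.
function makeClient(appId, ttlSec) {
  let token = null, exp = 0;
  return (now) => {
    if (!token || exp - now < 60) { token = issueToken(appId, ttlSec, now); exp = now + ttlSec; }
    return token;
  };
}

// Protected service: accept only a current, valid token from an authorized app.
function verifyToken(token, allowedApps, now) {
  const deny = (reason) => ({ ok: false, reason });
  if (typeof token !== 'string') return deny('missing');
  const parts = token.split('.');
  if (parts.length !== 3) return deny('malformed');
  let head, claims;
  try { head = dec(parts[0]); claims = dec(parts[1]); } catch { return deny('malformed'); }
  if (!head || head.alg !== 'RS256') return deny('bad-alg'); // pin the algorithm
  const sigOk = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    publicKey, Buffer.from(parts[2], 'base64url'));
  if (!sigOk) return deny('bad-signature');
  if (claims.iss !== ISS || ![].concat(claims.aud).includes(AUD)) return deny('wrong-project');
  if (typeof claims.exp !== 'number' || claims.exp <= now) return deny('expired');
  if (!allowedApps.has(claims.sub)) return deny('unauthorized-app');
  return { ok: true, appId: claims.sub };
}
```

Times are passed in as Unix seconds so the expiry and cache-refresh paths can be exercised deterministically.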
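How strong is the security provided by App Check?
App Check relies on the strength of its attestation providers to determine app or device authenticity. It prevents some, but not all, abuse vectors directed towards your backends. Using App Check does not guarantee the elimination of all abuse, but by integrating with App Check, you are taking an important step towards abuse protection for your backend resources.
How is App Check related to Firebase Authentication?
App Check and Firebase Authentication are complementary parts of your app security story. Firebase Authentication provides user authentication, which protects your users, whereas App Check provides attestation of app or device authenticity, which protects you, the developer. App Check guards access to your Google backend resources and custom backends by requiring API calls to contain a valid App Check token. These two concepts work together to help secure your app.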
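Quotas & limits
Your use of App Check is subject to the quotas and limits of the attestation providers you use.
DeviceCheck and App Attest access is subject to any quotas or limitations set by Apple.
Play Integrity has a daily quota of 10,000 calls for its Standard API usage tier. For information on raising your usage tier, see the Play Integrity documentation.
reCAPTCHA Enterprise is no-cost for 10,000 assessments each month, and has a cost beyond that. See reCAPTCHA pricing.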
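Get started
Ready to get started?
Apple platforms
DeviceCheck
App Attest
Android
Play Integrity
Web
reCAPTCHA Enterprise
Flutter
Default providers
Unity
Default providers
C++
Default providers
Learn how to implement a custom App Check provider
Custom providers
Learn how to use App Check to protect your custom backend resources
Select your platform:
iOS+
Android
Web
Flutter
Unity
C++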
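Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-25 UTC.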