Plugin.Firebase.AppCheck 4.0.0
App Check
Firebase App Check helps protect backend resources from abuse by ensuring requests come from your authentic app.
Installation
Nuget
Install-Package Plugin.Firebase.AppCheck
Setup
- Follow the instructions for the basic setup.
- Configure App Check before calling
CrossFirebase.Initialize(). The plugin uses initialization hooks internally to install the provider factory at the correct moment on each platform (beforeConfigure()on iOS, afterInitializeApp()on Android).
using Plugin.Firebase.AppCheck;
#if IOS
CrossFirebaseAppCheck.Configure(AppCheckOptions.Debug); // registers a "before configure" hook
CrossFirebase.Initialize(); // hook fires here
#elif ANDROID
CrossFirebaseAppCheck.Configure(AppCheckOptions.Debug); // registers an "after initialize" hook
CrossFirebase.Initialize(activity, activityProvider); // hook fires here
#endif
Note: Calling
Configure()afterCrossFirebase.Initialize()also works — the hook detects that initialization already happened and fires immediately. But calling it before is the recommended pattern because it is consistent across platforms and avoids a window where Firebase is alive without a provider.
Providers
| Provider | Platforms | Typical usage |
|---|---|---|
Disabled |
All | No provider installed (default) |
Debug |
iOS, Android | Development / CI — prints a debug token to the console |
DeviceCheck |
iOS | Production fallback on older devices |
AppAttest |
iOS (14+) | Production (preferred on iOS) |
PlayIntegrity |
Android | Production (required for Google Play) |
Configuring a provider that is not supported on the current platform throws a NotSupportedException.
iOS — Cannot instantiate FIRAppCheck log message
When App Check is configured with AppCheckOptions.Disabled, the plugin explicitly clears the native provider factory by calling SetAppCheckProviderFactory(null) before FirebaseApp.Configure(). The native Firebase iOS SDK then logs:
[FirebaseAppCheck][I-FAA002001] Cannot instantiate `FIRAppCheck` for app: __FIRAPP_DEFAULT
without a provider factory. Please register a provider factory using
`AppCheck.setAppCheckProviderFactory(_ ,forAppName:)` method.
This is expected and harmless. It confirms that App Check is properly disabled — no provider factory is installed, so no App Check tokens are generated or attached to requests. Without this explicit clearing, the native SDK may auto-register a default DeviceCheckProviderFactory when the FirebaseAppCheck.framework is linked, which would produce invalid placeholder tokens on simulators and cause FirebaseAuthException: The supplied auth credential is malformed or has expired errors on Auth and Functions requests.
iOS enablement
App Check for iOS uses AdamE.Firebase.iOS.AppCheck.
Make sure your NuGet sources include the feed where that package is published (see GoogleApisForiOSComponents).
iOS App Attest: capability + entitlements (and sandbox gotcha)
If you use AppCheckOptions.AppAttest, iOS requires:
- Apple Developer capability enabled for your Bundle ID:
- Enable App Attest for the app identifier, then regenerate the provisioning profile.
- If you see two checkboxes (App Attest / App Attest Opt-In), pick App Attest for the normal Firebase App Check flow.
- Entitlements include the App Attest environment:
com.apple.developer.devicecheck.appattest-environment=production(for TestFlight / App Store builds)- For DEV testing with a Development provisioning profile you may need
development.
Firebase note (important during beta / rollout phases):
- Some App Check configurations only accept tokens generated in the production App Attest environment, and will reject sandbox tokens with
403 PERMISSION_DENIED / App attestation failed.- Firebase doc excerpt: "App Check does not currently accept tokens generated in the App Attest sandbox environment."
Playground note:
- Ensure
GoogleService-Info.plistmatches the Playground Bundle ID and the Firebase project where App Check is configured. A mismatch commonly looks like 403 errors (or Firebase configure errors if the plist is missing).
Android — native library packaging
.NET Android apps embed native .so files in the APK/AAB. If these files are compressed during packaging, the monodroid runtime crashes at startup with:
F monodroid: ALL entries in APK named `lib/arm64-v8a/` MUST be STORED.
This is not an App Check bug — it can happen whenever a new NuGet adds native interop libraries (like the Firebase AppCheck SDK). The fix is a single MSBuild property in your .csproj:
<PropertyGroup Condition="'$(TargetFramework)' == 'net10.0-android'">
<!-- Prevent compression of .so / .dll inside the APK/AAB -->
<AndroidStoreUncompressedFileExtensions>so;dll</AndroidStoreUncompressedFileExtensions>
</PropertyGroup>
This is the standard .NET Android MSBuild property. It works with both APK and AAB formats and is compatible with Google Play requirements.
Do NOT use
AndroidPackageFormat=apkorEmbedAssembliesIntoApk=trueas a workaround for this issue — those properties serve different purposes (debug speed, distribution format) and are not needed to fix native library compression.
See also the sample Playground project for a working reference.
No packages depend on Plugin.Firebase.AppCheck.
.NET 9.0
- Plugin.Firebase.Core (>= 4.1.0)
.NET 9.0
- Plugin.Firebase.Core (>= 4.1.0)
- Xamarin.Firebase.AppCheck (>= 118.0.0.2)
- Xamarin.Firebase.AppCheck.Debug (>= 118.0.0.2)
- Xamarin.Firebase.AppCheck.PlayIntegrity (>= 118.0.0.2)
.NET 9.0
- Plugin.Firebase.Core (>= 4.1.0)
- AdamE.Firebase.iOS.AppCheck (>= 12.5.0.4)
| Version | Downloads | Last updated |
|---|---|---|
| 4.0.0 | 1 | 03/07/2026 |