
AppCheck SDK doesn't generate tokens for legitimate devices

Open diomidispapas opened this issue 3 years ago • 16 comments

Description

After integrating and using the AppCheck SDK in production for 2 weeks, we observed that 7.76% fail to generate an integrity token on iOS and more (~20%) on Android fail to generate an integrity token.

Reproducing the issue

No response

Firebase SDK Version

8.10.0

Xcode Version

13.2.1

Installation Method

Carthage

Firebase Product(s)

App Check

Targeted Platforms

iOS

Relevant Log Output

No response

If using Swift Package Manager, the project's Package.resolved


If using CocoaPods, the project's Podfile.lock


diomidispapas avatar Aug 26 '22 15:08 diomidispapas

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

google-oss-bot avatar Aug 26 '22 15:08 google-oss-bot

Hi @diomidispapas, sorry for the trouble. Do you have information regarding the OS version of devices that are not generating an App Check token?

ncooke3 avatar Aug 26 '22 16:08 ncooke3

@ncooke3 I wasn't able to observe any pattern in terms of OS versions. I can see a lot of failures on iOS 15.6 and 14.1 as well as 16.0 beta. Yesterday 6% of all devices failed to generate a token on iOS.

Similar picture on Android with a higher failure rate, around 20%, on Android 10, 11, 12.

diomidispapas avatar Aug 27 '22 19:08 diomidispapas

Thanks @diomidispapas for the info. For your AppCheck integration in your iOS app, what attestation provider are you using?

Likewise for Android?

cc: @rosalyntan

ncooke3 avatar Aug 28 '22 04:08 ncooke3

On iOS App Attest & Device Check and Play Integrity on Android

diomidispapas avatar Aug 30 '22 05:08 diomidispapas

@ncooke3 @rosalyntan Is there a way to investigate why there are so many tokens not generated? Is it an issue of App Check or of the underlying attestation providers?

diomidispapas avatar Aug 31 '22 06:08 diomidispapas

Hi @diomidispapas,

Apologies for the delay in response. I've done some investigation and my leading suspicion is that this is with the actual attestation providers. See this Apple forums thread, for example.

You mention this is happening for "legitimate devices"; I'm curious how you confirmed such devices to be legitimate?

Anyhow, this may be tricky to debug if it is indeed the attestation providers. I'm looking into what we can do to further investigate. I'll update the thread when I have some actionable info.

ncooke3 avatar Sep 07 '22 05:09 ncooke3

Hi @diomidispapas,

Unfortunately, errors that occur during the attestation process with the attestation provider don't leave the device, so it's indeed difficult to analyze such attestation failures. This is something that the AppCheck team is looking into improving.

Based on some past issues I've seen, my leading theory is that the issue is with the actual attestation providers.

ncooke3 avatar Sep 12 '22 19:09 ncooke3

Hi @diomidispapas: can you please reply regarding the last queries on the thread? I have been assigned an internal case from DoIT on this, but it looks like the thread here was quite active.

@ncooke3 hi, do we have any internal tracking bug on this? It'd be great if you could ping me on Chat.

~ kmx@

kmonsoor avatar Sep 15 '22 12:09 kmonsoor

@diomidispapas Also, I'd highly recommend sending us the debug log after this issue is reproduced.

For example, Logcat [1] is a highly popular tool to capture these logs on an Android device. In this regard, I'd suggest the customer build the app in DEBUG mode first to capture the most extensive logs.

[1] https://developer.android.com/studio/debug/am-logcat

kmonsoor avatar Sep 15 '22 14:09 kmonsoor

Hey @diomidispapas. We need more information to resolve this issue but there hasn't been an update in 5 weekdays. I'm marking the issue as stale and if there are no new updates in the next 5 days I will close it automatically.

If you have more information that will help us get to the bottom of this, just add a comment!

google-oss-bot avatar Sep 22 '22 01:09 google-oss-bot

@kmonsoor the way that we know failed and successful attestations is via event tracking. The failure rate is significantly high: more than 20% on Android, as I mentioned above. We have already checked the implementation with DoiT International and it's correct, as well as the rate limits with the attestation providers (Apple, Google). Do you track the errors? Are you able to identify why it is failing at such a high rate?

diomidispapas avatar Sep 22 '22 10:09 diomidispapas

I'm having the same problem. We know about this because our server is checking the token and writing to the logs when it fails. There is no pattern regarding iOS version, but our app is iOS 15+ only, so it's using App Attest as the provider. A retry mechanism was set in place in order to reduce this problem, so when it fails, a force refresh call to AppCheck is made, with no success. It seems that deleting the app and installing it again solves most of the cases, which makes me think about whether it's an AppCheck or provider problem.

It's happening with Firebase 9.6.0 and 10.0.0.

bguidolim avatar Oct 20 '22 09:10 bguidolim
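One way to get the per-platform and per-OS breakdown ncooke3 asked for out of server-side verification logs like the ones bguidolim describes, as an added example that is not code from this thread or from the firebase-ios-sdk project; the key=value log format and the sample lines are constructed assumptions.

```python
"""Constructed example (not firebase-ios-sdk code): group App Check token
verification outcomes from server logs by platform/OS to expose a failure pattern."""
import re
from collections import defaultdict

# Constructed sample lines; the key=value log format is an assumption.
SAMPLE_LOG = """\
2022-10-20T14:51:26Z appcheck platform=ios os=15.6 result=ok
2022-10-20T14:51:27Z appcheck platform=ios os=15.6 result=fail reason=missing_token
2022-10-20T14:51:28Z appcheck platform=ios os=14.1 result=ok
2022-10-20T14:51:29Z appcheck platform=android os=12 result=fail reason=invalid_token
2022-10-20T14:51:30Z appcheck platform=android os=11 result=ok
2022-10-20T14:51:31Z appcheck platform=android os=12 result=fail reason=invalid_token
2022-10-20T14:51:32Z appcheck platform=ios os=16.0 result=ok
2022-10-20T14:51:33Z nginx GET /healthz 200
"""
LINE_RE = re.compile(r"^\S+ appcheck (?P<fields>.+)$")

def parse_line(line):
    """Return the key=value fields of an App Check record, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return fields if fields.keys() >= {"platform", "result"} else None

def failure_rates(log_text, group_by=("platform",)):
    """Map each group (tuple of field values) to (failures, total, failure_rate)."""
    counts = defaultdict(lambda: [0, 0])  # [failures, total] per group
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = tuple(rec.get(f, "unknown") for f in group_by)
        counts[key][1] += 1
        counts[key][0] += int(rec["result"] != "ok")
    return {k: (f, t, f / t) for k, (f, t) in counts.items()}

def above_threshold(rates, threshold, min_total=1):
    """Groups with at least min_total records whose failure rate exceeds threshold."""
    return sorted(k for k, (_, t, r) in rates.items() if t >= min_total and r > threshold)

def failure_reasons(log_text):
    """Count the reason field over failed records only."""
    reasons = defaultdict(int)
    for rec in map(parse_line, log_text.splitlines()):
        if rec and rec["result"] != "ok":
            reasons[rec.get("reason", "unspecified")] += 1
    return dict(reasons)
```

Running `failure_rates(SAMPLE_LOG, ("platform", "os"))` on the sample gives 100% failures for Android 12 and 50% for iOS 15.6, which is the kind of per-version spike that distinguishes a provider problem from a uniform SDK problem.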

I've added some logging and I found this from one customer:

[Screenshot 2022-10-20 at 14:51:26: the logged error]

Checking the Apple docs, this is the error: https://developer.apple.com/documentation/devicecheck/dcerror/code/invalidinput

Maybe the AppAttestProvider is missing something before the request.

bguidolim avatar Oct 20 '22 12:10 bguidolim

Thanks @bguidolim for the helpful info. When you say "It's happening with Firebase 9.6.0 and 10.0.0.", do you also mean that app instances on pre-9.6.0 are not having this issue?

ncooke3 avatar Nov 15 '22 19:11 ncooke3

@ncooke3 I cannot say that, we only enforced AppCheck from version 9.6.0.

bguidolim avatar Nov 15 '22 20:11 bguidolim

We added a fix and additional debug info in Firebase https://github.com/firebase/firebase-ios-sdk/releases/tag/10.17.0. When you get a chance to upgrade, please let us know if 10.17.0 resolves the issue for you and, if not, any new debugging info you can provide.

andrewheard avatar Nov 01 '23 19:11 andrewheard

Hey @diomidispapas. We need more information to resolve this issue but there hasn't been an update in 5 weekdays. I'm marking the issue as stale and if there are no new updates in the next 5 days I will close it automatically.

If you have more information that will help us get to the bottom of this, just add a comment!

google-oss-bot avatar Nov 08 '23 02:11 google-oss-bot

Since there haven't been any recent updates here, I am going to close this issue.

@diomidispapas if you're still experiencing this problem and want to continue the discussion just leave a comment here and we are happy to re-open this.

google-oss-bot avatar Nov 15 '23 02:11 google-oss-bot