
Can I use SafetyNet with Firebase Functions?


I am trying to implement SafetyNet in my app. I also don't have a server, and I am using Firebase Firestore and Firebase Functions.

My knowledge about Firebase Functions is very limited, and I was wondering if I could somehow use the functions to help me with the SafetyNet attestation. As I see it, I should be producing a nonce on the cloud, sending this nonce to the app, using it to attest, and sending it back to the cloud to verify the integrity, correct?

But I can't seem to find anything on how to do this. Can anyone point me in the right direction?


Solution

  • YES

    Sorry for the excitement there, but this is possible since a few weeks ago through a new feature called Firebase App Check.

    With App Check, you always end up with a two-step process:

    1. Use an attestation provider (such as SafetyNet) in your application, so that information about the app is attached to each request it makes to Firebase.
    2. Then at some point in time, when enough of your app requests have this information attached, check for the app information in Cloud Functions, or enable the check in one of the other supported services.

    If you check the documentation on enabling App Check enforcement for Cloud Functions, you'll see that it mostly boils down to this check in the code:

    const functions = require('firebase-functions');

    exports.yourCallableFunction = functions.https.onCall((data, context) => {
      // context.app will be undefined if the request doesn't include a valid
      // App Check token.
      if (context.app == undefined) {
        // Reject the call before any function logic runs.
        throw new functions.https.HttpsError(
            'failed-precondition',
            'The function must be called from an App Check verified app.');
      }

      // Your function logic follows.
    });
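
The two-step rollout described in the answer, as an added example that is not part of the original answer or Firebase's own code: a wrapper that first only counts requests lacking `context.app` and later rejects them. The names `withAppCheck`, `mode`, `makeError`, `verifiedRatio` and `failedPrecondition` are hypothetical, and the error object is a stand-in so the block runs without the `firebase-functions` package.

```javascript
// Wraps a callable-style handler (data, context) with a staged App Check gate.
// mode 'monitor': serve every request but count the unverified ones.
// mode 'enforce': reject requests whose context.app is undefined.
function withAppCheck(handler, { mode = 'monitor', makeError, log = console.warn } = {}) {
  if (mode !== 'monitor' && mode !== 'enforce') {
    throw new TypeError(`unknown mode: ${mode}`);
  }
  const stats = { verified: 0, unverified: 0 };
  const wrapped = (data, context) => {
    // Same signal as the snippet above: context.app is undefined when the
    // request carried no valid App Check token.
    if (context != null && context.app !== undefined) {
      stats.verified += 1;
    } else {
      stats.unverified += 1;
      if (mode === 'enforce') throw makeError();
      log('request without a valid App Check token (monitor mode)');
    }
    return handler(data, context);
  };
  // Share of requests that carried a valid token; null before any traffic.
  wrapped.verifiedRatio = () => {
    const total = stats.verified + stats.unverified;
    return total === 0 ? null : stats.verified / total;
  };
  return wrapped;
}

// Stand-in for functions.https.HttpsError so the example runs offline.
function failedPrecondition() {
  const err = new Error('The function must be called from an App Check verified app.');
  err.code = 'failed-precondition';
  return err;
}

// Constructed sample contexts (not real request data).
const VERIFIED_CTX = { app: { appId: 'constructed-app-id' } };
const UNVERIFIED_CTX = {};

function demo() {
  const echo = (data) => ({ echoed: data.msg });
  const opts = { makeError: failedPrecondition, log: () => {} };
  const monitored = withAppCheck(echo, { ...opts, mode: 'monitor' });
  monitored({ msg: 'a' }, VERIFIED_CTX);
  const allowed = monitored({ msg: 'b' }, UNVERIFIED_CTX); // served, but counted
  const enforced = withAppCheck(echo, { ...opts, mode: 'enforce' });
  let rejected = null;
  try { enforced({ msg: 'c' }, UNVERIFIED_CTX); } catch (e) { rejected = e.code; }
  return { allowed, ratio: monitored.verifiedRatio(), rejected };
}
```

In a deployed function, `makeError` would return the `functions.https.HttpsError('failed-precondition', ...)` from the snippet above, and the switch to `'enforce'` would follow once `verifiedRatio()` shows that almost all traffic carries a token.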