Get started using App Check for Google Sign-in on iOS

This page shows you how to enable App Check in an iOS app. When you enable App Check, you help ensure that only your app can access Google's OAuth 2.0 endpoints on behalf of your project. See an Overview of this feature.

App Check uses App Attest to help verify that OAuth 2.0 requests are coming from your authentic app. App Check does not use App Attest to analyze fraud risk.

Before you begin

  1. Make sure you have Xcode 12.5 or newer.

  2. Integrate Google Sign-in into your iOS app, using the Google Sign-in library.

1. Set up your project

App Check can be enabled in the Google API Console or in the Firebase Console. You don't need to enable it in both places; one is sufficient.

Google API Console

The following requirements must be met to successfully enable App Check for your iOS client:
  • You must specify a team ID for your iOS client.
  • You must not use a wildcard in your bundle ID since it can resolve to more than one app. This means that the bundle ID must not include the asterisk (*) symbol.
To enable App Check, turn on the Protect your OAuth client from abuse with Firebase App Check toggle button in the edit view of your iOS client.

After enabling App Check, you will start seeing metrics related to OAuth requests from your client in the edit view of the OAuth client. Requests from unverified sources won't be blocked until you enforce App Check. The information in the metrics monitoring page can help you determine when to start enforcement.

You might see errors related to the App Check feature when enabling App Check for your iOS app. To fix these errors, try the following:

  • Verify that the bundle ID and team ID you specified are valid.
  • Verify that you are not using a wildcard for the bundle ID.

Firebase Console

  1. You must have a Firebase project to use App Check with Google Sign-in.

  2. If you haven't already done so, add your iOS apps to your Firebase project using the Project settings page of the Firebase console.

  3. Register your apps to use App Check with the App Attest provider in the App Check section of the Firebase console.

  4. Make sure all of your project's OAuth clients are linked to an app.

    If you have unlinked clients, you'll see a message in the Google Identity for iOS section of the App Check page that says, "You have n unlinked OAuth clients which require additional setup."

    Additionally, if you have deleted some OAuth clients after setting them up in App Check, you'll see a message that says, "You have n overrides with no matching OAuth client". You can safely clean up by deleting those overrides.

    You can link unlinked clients to an existing or new app on the OAuth clients page of the Firebase console.

2. Add the Google Sign-in library to your app

  1. In your Xcode project, set the Google Sign-in dependency to version 8.0.0 or higher:

    SPM

    Set the dependency rule of googlesignin-ios to version 8.0.0 or higher.

    CocoaPods

    Update your Podfile:

    source 'https://github.com/CocoaPods/Specs.git'
    source 'https://github.com/firebase/SpecsDev.git'
    
    target 'YourAppName' do
      use_frameworks!
    
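      # Version requirement for Google Sign-in 8.x, resolved from the spec repos above.
      # CocoaPods rejects a pod line that combines a version requirement with an
      # external source. To build from source instead, drop the version and use
      # :git => 'https://github.com/google/GoogleSignIn-iOS.git'.
      pod 'GoogleSignIn', '~> 8.0'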
      pod 'GoogleSignInSwiftSupport'  # If you use SwiftUI.
    end
    

    Then, run pod install and open the created .xcworkspace file.

  2. In Xcode, add the App Attest capability to your app.

  3. In your project's .entitlements file, set the App Attest environment to production.
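A pre-release check for the settings described above (the team ID and wildcard-free bundle ID required by the Google API Console, and the production App Attest environment in the .entitlements file) can catch misconfiguration before the build ships. This is an added example, not code from Google's documentation; the function names, the sample identifiers, the 10-character team ID format and the use of Apple's `com.apple.developer.devicecheck.appattest-environment` entitlement key are assumptions not stated on this page.

```python
import plistlib
import re

# Apple's entitlement key for the App Attest environment (not named on this page).
APP_ATTEST_ENV_KEY = "com.apple.developer.devicecheck.appattest-environment"

def app_check_preflight(entitlements, bundle_id, team_id):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    # Console requirement: a team ID must be specified.
    # Assumption: Apple team IDs are 10 uppercase alphanumeric characters.
    if not re.fullmatch(r"[A-Z0-9]{10}", team_id or ""):
        problems.append("team ID missing or malformed")
    # Console requirement: no wildcard, since it can resolve to more than one app.
    if not bundle_id:
        problems.append("bundle ID missing")
    elif "*" in bundle_id:
        problems.append("bundle ID contains a wildcard")
    try:
        plist = plistlib.loads(entitlements)
    except Exception:  # malformed XML or unknown plist format
        plist = None
    if not isinstance(plist, dict):
        problems.append("entitlements file is not a plist dictionary")
    elif plist.get(APP_ATTEST_ENV_KEY) != "production":
        found = plist.get(APP_ATTEST_ENV_KEY, "<absent>")
        problems.append(f"App Attest environment is {found}, expected production")
    return problems

def sample_entitlements(environment):
    """Constructed sample .entitlements content for the demonstration."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>{APP_ATTEST_ENV_KEY}</key>
  <string>{environment}</string>
</dict></plist>""".encode()

if __name__ == "__main__":
    # Constructed identifiers, not real registrations.
    print(app_check_preflight(sample_entitlements("production"),
                              "com.example.signin", "A1B2C3D4E5"))
    print(app_check_preflight(sample_entitlements("development"),
                              "com.example.*", ""))
```

In CI, pass the bytes of the project's real .entitlements file and fail the job when the returned list is not empty.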

3. Initialize App Check

In your app delegate's didFinishLaunchingWithOptions method, call GIDSignIn.sharedInstance.configure(completion:). You should call this method as early as possible in your app's lifecycle to minimize user-perceived latency.

import SwiftUI
import GoogleSignIn

class AppDelegate: NSObject, UIApplicationDelegate {
  func application(
    _ application: UIApplication,
    didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey : Any]? = nil
  ) -> Bool {
    #if targetEnvironment(simulator)
    // Configure for debugging.
    // See: https://developers.google.com/identity/sign-in/ios/appcheck/debug-provider
    #else
    GIDSignIn.sharedInstance.configure { error in
      if let error {
        print("Error configuring `GIDSignIn` for Firebase App Check: \(error)")
      }
    }
    #endif

    return true
  }
}

@main
struct YourAppNameApp: App {
  @UIApplicationDelegateAdaptor(AppDelegate.self) var appDelegate

  // ...
}

Next steps

Once the App Check library is installed in your app, start distributing the updated app to your users.

The updated client app will begin sending App Check tokens along with every request it makes to Google's authentication endpoints, but the endpoints won't require the tokens to be valid until you enable enforcement in the App Check section of the Firebase console.

Monitor metrics

Before you enable enforcement, however, you should make sure that doing so won't disrupt your existing legitimate users. On the other hand, if you're seeing suspicious use of your app resources, you might want to enable enforcement sooner.

To help make this decision, you can look at App Check metrics for Google Sign-in.

Enable App Check enforcement

When you understand how App Check will affect your users and you're ready to proceed, you can enable App Check enforcement.

Use App Check in debug environments

If, after you have registered your app for App Check, you want to run your app in an environment that App Check would normally not classify as valid, such as a simulator during development, or from a continuous integration (CI) environment, you can create a debug build of your app that uses the App Check debug provider instead of App Attest.

See Use App Check with the debug provider.