AppCheck VS Hacked & spammy requests

[pierroo]

Hi,

Although I fully understand the use of AppCheck, I still wonder how it can help against spamming request to an API endpoint.
In the scenario of a hacker using OpenBullet or whatever hacker tool to spam thousands of requests per minutes to a specific endpoint (for example, a Signup endpoints to create thousands of fake profiles in a social app):

• once the hacker got their hand on the appcheck token from the device, can't they simply attach it to the request's header, and spam all they want the api endpoint that we secured from our backend by checking appcheck token?

I mean, as long as the TTL didn't expire, I guess all their requests will pass the check thus they could use their hacker tool and pretend to come from the untempered app? Or am I missing something?

I guess a solution would be to:
1- forceRefresh the appcheck token on each fetch request from the mobile app
2- expire the received appcheck token programmatically after successful verification from the backend, so that further request would need a new one that can only be generated from the app, thus making it harder for the hacker?

[mikehardy]

This is out of scope for this repo really, I think you want to take this up with the underlying repos either firebase-android-sdk / firebase-ios-sdk / firebase-js-sdk (platforms with AppCheck) or more likely StackOverflow with appropriate firebase tags so you get the attention of the relevant google developers

We wrap+expose the APIs but the upstream documentation + support channels should be considered canonical with respect to security concerns + usage.

Not trying to pass the buck but I definitely don't want to speculate non-authoritatively on something with money or security concerns, I hope you understand

[pierroo]

You are actually right; I created a stack overflow instead. thank you :)

[mikehardy]

Could you link it here for future folks - they may discover it this way and I am actually curious, I just did not want to speculate / be non-authoritative :-)

[pierroo]

Here it is, let's hope someone passes by :)
https://stackoverflow.com/questions/72789995/firebase-appcheck-vs-hackers-spammy-requests