iOS App Check on Cloud Functions Fails 401 only when reviewed by Apple

[h-unterp]

I have 2 apps now that use app check and their cloud functions 401 only when being reviewed by apple.

I have created a minimal repro of a flutter app here: https://github.com/h-unterp/app_check_test and the cloud function is located in the same repo: https://github.com/h-unterp/app_check_test/tree/main/cloudfunctions

The app check works on my personal device and my friend's device, however it fails when being reviewed by apple. The working, published app of this repo is: https://apps.apple.com/app/id1663369999 you will see that app check works fine when you download the app.

While it does not stop this repro app from being published, it does stop my main app from being published which has failed review by Apple, so I have no choice but to make my app less secure and turn app check off.

Some of the cloud function's error log when being reviewed by apple

{
insertId: "63bab5160008ffed859cad48"
jsonPayload: {
message: "Callable request verification passed"
verifications: {
app: "MISSING"
auth: "MISSING"
}
}
labels: {
execution_id: "1gzgcjwmu2ct"
firebase-log-type: "callable-request-verification"
instance_id: "00c61b117c76a47428f3172c0af084670771b34135a672c62b8a305349f501217e93590e325b61d0d9dbf912fef7f5f21cc3904f5c237d3641"
}
logName: "projects/app-check-test-b33a5/logs/cloudfunctions.googleapis.com%2Fcloud-functions"
receiveTimestamp: "2023-01-08T12:20:38.837485828Z"
resource: {
labels: {
function_name: "helloWorld"
project_id: "app-check-test-b33a5"
region: "us-central1"
}
type: "cloud_function"
}
severity: "DEBUG"
timestamp: "2023-01-08T12:20:38.589805Z"
trace: "projects/app-check-test-b33a5/traces/cfd8c46afb0610ba8c4599767d69c6c0"
}

textPayload: "Function execution took 1098 ms, finished with status code: 401"

Flutter doctor

Click To Expand

Doctor summary (to see all details, run flutter doctor -v):
[✓] Flutter (Channel stable, 3.3.10, on macOS 13.1 22C65 darwin-arm, locale en-US)
[✗] Android toolchain - develop for Android devices
    ✗ Unable to locate Android SDK.
      Install Android Studio from: https://developer.android.com/studio/index.html
      On first launch it will assist you in installing the Android SDK components.
      (or visit https://flutter.dev/docs/get-started/install/macos#android-setup for detailed instructions).
      If the Android SDK has been installed to a custom location, please use
      `flutter config --android-sdk` to update to that location.

[✓] Xcode - develop for iOS and macOS (Xcode 14.2)
[✓] Chrome - develop for the web
[!] Android Studio (not installed)
[✓] VS Code (version 1.74.2)
[✓] Connected device (2 available)
[✓] HTTP Host Availability

! Doctor found issues in 2 categories.

---

Flutter dependencies

Run flutter pub deps -- --style=compact and paste the output below:

Click To Expand

Dart SDK 2.18.6
Flutter SDK 3.3.10
appchecktest 1.0.3+0

dependencies:
- cloud_firestore 4.3.1 [cloud_firestore_platform_interface cloud_firestore_web collection firebase_core firebase_core_platform_interface flutter meta]
- cloud_functions 4.0.7 [cloud_functions_platform_interface cloud_functions_web firebase_core firebase_core_platform_interface flutter]
- cupertino_icons 1.0.5
- firebase_app_check 0.1.1+8 [firebase_app_check_platform_interface firebase_app_check_web firebase_core firebase_core_platform_interface flutter]
- firebase_core 2.4.1 [firebase_core_platform_interface firebase_core_web flutter meta]
- flutter 0.0.0 [characters collection material_color_utilities meta vector_math sky_engine]

dev dependencies:
- flutter_lints 2.0.1 [lints]
- flutter_test 0.0.0 [flutter test_api path fake_async clock stack_trace vector_math async boolean_selector characters collection matcher material_color_utilities meta source_span stream_channel string_scanner term_glyph]

transitive dependencies:
- _flutterfire_internals 1.0.12 [collection firebase_core firebase_core_platform_interface flutter meta]
- async 2.9.0 [collection meta]
- boolean_selector 2.1.0 [source_span string_scanner]
- characters 1.2.1
- clock 1.1.1
- cloud_firestore_platform_interface 5.10.1 [_flutterfire_internals collection firebase_core flutter meta plugin_platform_interface]
- cloud_firestore_web 3.2.1 [_flutterfire_internals cloud_firestore_platform_interface collection firebase_core firebase_core_web flutter flutter_web_plugins js]
- cloud_functions_platform_interface 5.1.26 [firebase_core flutter meta plugin_platform_interface]
- cloud_functions_web 4.3.15 [cloud_functions_platform_interface firebase_core firebase_core_web flutter flutter_web_plugins js]
- collection 1.16.0
- fake_async 1.3.1 [clock collection]
- firebase_app_check_platform_interface 0.0.5+11 [_flutterfire_internals firebase_core flutter meta plugin_platform_interface]
- firebase_app_check_web 0.0.7+11 [_flutterfire_internals firebase_app_check_platform_interface firebase_core firebase_core_web flutter flutter_web_plugins js]
- firebase_core_platform_interface 4.5.2 [collection flutter flutter_test meta plugin_platform_interface]
- firebase_core_web 2.1.0 [firebase_core_platform_interface flutter flutter_web_plugins js meta]
- flutter_web_plugins 0.0.0 [flutter js characters collection material_color_utilities meta vector_math]
- js 0.6.4
- lints 2.0.1
- matcher 0.12.12 [stack_trace]
- material_color_utilities 0.1.5
- meta 1.8.0
- path 1.8.2
- plugin_platform_interface 2.1.3 [meta]
- sky_engine 0.0.99
- source_span 1.9.0 [collection path term_glyph]
- stack_trace 1.10.0 [path]
- stream_channel 2.1.0 [async]
- string_scanner 1.1.1 [source_span]
- term_glyph 1.2.1
- test_api 0.4.12 [async boolean_selector collection meta source_span stack_trace stream_channel string_scanner term_glyph matcher]
- vector_math 2.1.2

[darshankawar]

@h-unterp
Please check this similar issue that mentions the same error (401) as you listed above. Also, see if this comment helps in your case or not.

[h-unterp]

Thank you for the suggestions, but no they do not help. My app check works 99.999% of the time, except when reviewed by Apple.

[darshankawar]

My app check works 99.999% of the time, except when reviewed by Apple.

I'm afraid this may not be actionable from plugin side most probably and suggest you to reach out to firebase support for further resolution, since this doesn't occur locally and only when trying to publish, so it doesn't look like a code issue.

[google-oss-bot]

Hey @h-unterp. We need more information to resolve this issue but there hasn't been an update in 7 weekdays. I'm marking the issue as stale and if there are no new updates in the next 7 days I will close it automatically.

If you have more information that will help us get to the bottom of this, just add a comment!

[google-oss-bot]

Since there haven't been any recent updates here, I am going to close this issue.

@h-unterp if you're still experiencing this problem and want to continue the discussion just leave a comment here and we are happy to re-open this.