Replies: 1 comment
A Google search led me here. Did you ever find an elegant solution to this? Have you considered increasing the TTL for AppCheck tokens from its default (1 hour) to one or multiple days? It wouldn't solve the problem for new users, but at least existing users could mostly continue using the app as normal. (If an attack targets your app specifically, they'll always find ways, so your best bet is to make it as expensive as possible for them.) If you ended up going with a captcha or some sort of challenge, I'd be curious how you did it. I'm currently contemplating adding a good old Google licence check but only enforcing the check when I've set a flag in Remote Config, similar to what you suggest.
My app was recently targeted by bots and they burned through my Android App Check quota. As I enforce verified Firestore requests, this took my whole app offline - this went on for 4 days. I've now had my quota raised by Google Play (from 10k checks to 100k per day), but it still seems reasonably easy for someone who knows what they're doing to take an app offline via App Check.
My question is: how can I handle App Check failed events? I want to handle two situations:
My quota is now 100k checks per day on Android, which is only slightly more than one device per second for the duration of the day, and that isn't including genuine traffic. The current attack was using around 60k checks a day and I'm convinced it was coming from 5-10 devices and VPNs. I asked for a higher quota but the Play team told me I should put systems in place and only check integrity when I'm confident it's a genuine user - I had hoped that this package was doing exactly that for me! I'm now thinking of having an 'under attack' flag via Remote Config which, when triggered, would require a reCAPTCHA or something on app start before App Check & Firestore initialise, to try and stop the bots eating my App Check quota. There isn't a question attached to this final paragraph, more thinking out loud and wondering if anyone has a better idea or any feedback?
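The startup gate sketched in the post above (a Remote Config 'under attack' flag that forces a challenge before App Check and Firestore initialise), combined with the reply's point that a longer token TTL lets existing users skip the exchange, as an added example. This is illustration code written for this page, not the discussion author's app or any Firebase package's code. Every dependency is injected through a hypothetical `deps` object so the logic runs offline; in a real web client `initAppCheck` would wrap `initializeAppCheck` from `firebase/app-check`, `fetchUnderAttackFlag` would wrap `fetchAndActivate`/`getValue` from `firebase/remote-config`, and `runChallenge` would be your reCAPTCHA or licence check. The flag name `under_attack`, the five-minute refresh margin, and the fail-closed policy on a Remote Config fetch failure are assumptions, not anything the post specifies.

```javascript
// Added example (not from the discussion): decide at app start whether the
// App Check attestation exchange, which is what consumes quota, may run now,
// must be preceded by a challenge, or can be skipped because a cached token
// is still valid.
//
// Assumed (hypothetical) shape of `deps`:
//   now()                  -> current time in ms
//   loadCachedToken()      -> { token, expiresAt } | null  (persisted App Check token)
//   fetchUnderAttackFlag() -> Promise<boolean>  (Remote Config "under_attack" flag)
//   runChallenge()         -> Promise<boolean>  (reCAPTCHA / licence check passed?)
//   initAppCheck()         -> Promise<void>     (the quota-consuming attestation)
//   initFirestore()        -> void

const REFRESH_MARGIN_MS = 5 * 60 * 1000; // assumption: don't rely on a token about to expire

function isTokenFresh(cached, nowMs) {
  return Boolean(cached) && cached.expiresAt - nowMs > REFRESH_MARGIN_MS;
}

async function startApp(deps) {
  // 1. Existing user with a valid cached token: no exchange, no quota, no challenge.
  //    Raising the token TTL (as the reply suggests) widens this path.
  if (isTokenFresh(deps.loadCachedToken(), deps.now())) {
    deps.initFirestore();
    return { path: "cached-token", challenged: false, appCheckInitialised: false };
  }

  // 2. Read the kill switch. Fail closed: if Remote Config cannot be read we
  //    assume we are under attack, since a flood is exactly when it may be
  //    degraded. Treating the failure as "not under attack" is the other
  //    defensible choice; pick one deliberately.
  let underAttack = true;
  try {
    underAttack = (await deps.fetchUnderAttackFlag()) === true;
  } catch (_err) {
    underAttack = true;
  }

  // 3. Under attack: the challenge runs BEFORE App Check initialises, so a bot
  //    that fails it never spends a check from the quota.
  if (underAttack) {
    const passed = await deps.runChallenge();
    if (!passed) {
      return { path: "challenge-failed", challenged: true, appCheckInitialised: false };
    }
  }

  // 4. Attestation exchange. If it fails (quota exhausted, network, bad
  //    device), surface that as a distinct outcome instead of letting every
  //    Firestore call fail later with an opaque permission error.
  try {
    await deps.initAppCheck();
  } catch (err) {
    return { path: "appcheck-failed", challenged: underAttack, appCheckInitialised: false, error: String(err) };
  }

  deps.initFirestore();
  return { path: underAttack ? "challenged" : "normal", challenged: underAttack, appCheckInitialised: true };
}

// Constructed demo dependencies (stand-ins, not SDK calls): flag set, challenge passes.
const demoDeps = {
  now: () => 1_700_000_000_000,
  loadCachedToken: () => null,
  fetchUnderAttackFlag: async () => true,
  runChallenge: async () => true,
  initAppCheck: async () => {},
  initFirestore: () => {},
};
startApp(demoDeps).then((r) => console.log("demo outcome:", r));
```

The order of the branches is the point: the cached-token check and the challenge both sit in front of `initAppCheck`, because only the attestation exchange draws down the 100k/day budget. Persist `expiresAt` alongside the token when you cache it, and keep the `under_attack` flag's default value in Remote Config set to `false` so the fail-closed branch only triggers when the fetch itself fails.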