In this episode, Mandelduck will show us how we can use Firebase’s App Check to verify that the player is using a genuinely uncompromised device and a legitimate, untampered version of the app.
A small correction at 20:00: when talking about encrypting the App Check token, this may not be needed on Android. To use Charles Proxy to read and change the App Check token, the attacker needs a rooted device, because on a non-rooted device an app installed from Google Play won't let Charles Proxy see the data due to a security policy. This means they can only see App Check tokens from devices that would already fail the App Check, i.e. Android enforces a form of certificate pinning by only trusting SSL certificates installed by the system and not ones installed by the user.
Source code on branch security-4
The repo for the Node.js server can be found here
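As an added example (not the video's or the repo's own code), this is how the Node.js server side of such a setup can enforce the App Check token on every request, which is the check that still holds even when a rooted device lets someone read the token in transit. The Admin SDK verifier is injected so the file runs offline; the `X-Firebase-AppCheck` header is the documented one, while the `consume: true` / `alreadyConsumed` replay-protection wiring is assumed from the Admin SDK API and the sample tokens are constructed.

```javascript
// Added example, not code from the video's repo: Express-style middleware that makes
// the Node.js server enforce Firebase App Check on every request. The verifier is
// injected so this file runs offline; in production wire it to the Admin SDK, e.g.
//   app.use(makeAppCheckMiddleware((t) => getAppCheck().verifyToken(t, { consume: true })));
// with getAppCheck from 'firebase-admin/app-check'; consume: true enables alreadyConsumed (assumed).
const APP_CHECK_HEADER = 'x-firebase-appcheck'; // X-Firebase-AppCheck, lowercased by Node

function makeAppCheckMiddleware(verifyToken) {
  return async function appCheckMiddleware(req, res, next) {
    const token = req.headers[APP_CHECK_HEADER];
    if (!token) {
      return res.status(401).json({ error: 'missing App Check token' });
    }
    try {
      const result = await verifyToken(token);
      if (result.alreadyConsumed) {
        // Same token presented twice: treat it as a replay of a captured token.
        return res.status(401).json({ error: 'App Check token already consumed' });
      }
      req.appCheck = result; // { appId, token: decoded claims } for later handlers
      return next();
    } catch (err) {
      // Signature invalid, expired, or not issued for this project.
      return res.status(401).json({ error: 'invalid App Check token' });
    }
  };
}

// Constructed stand-in for the Admin SDK verifier (offline only): accepts one
// sample token and flags its second use as a replay, like consume: true does.
function makeFakeVerifier() {
  const seen = new Set();
  return async (token) => {
    if (token !== 'sample-valid-token') throw new Error('app-check/invalid-token');
    const alreadyConsumed = seen.has(token);
    seen.add(token);
    return { appId: '1:123:android:abc', alreadyConsumed, token: { sub: '1:123:android:abc' } };
  };
}

// Drive the middleware with a minimal fake req/res and report the outcome.
async function runMiddleware(mw, headers) {
  const outcome = { status: 200, body: null, passed: false };
  const res = {
    status(code) { outcome.status = code; return this; },
    json(body) { outcome.body = body; return this; },
  };
  await mw({ headers }, res, () => { outcome.passed = true; });
  return outcome;
}
```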