RORK LABJP
TOOLING — Rork's developer repos keep moving: rork-xcode was updated on July 16, rork-device on July 15, and rork-plist on July 13OPUS46 — Claude Opus 4.6 is live in Rork, and Rork Max is built to assemble apps on top of Claude CodeSIM — A cloud iOS simulator runs in the browser, with one click to install on a device and two clicks to publish to the App StoreMAX — Rork Max emits pure Swift rather than React Native, reaching iPhone, iPad, Apple Watch, Apple TV, Vision Pro, and even iMessageNATIVE — That opens up HealthKit, ARKit and LiDAR, NFC, Dynamic Island, Live Activities, 3D through Metal, and on-device inference with Core MLSEED — Rork raised a $15M seed led by Left Lane Capital, with Peak XV and a16z Speedrun joining the roundTOOLING — Rork's developer repos keep moving: rork-xcode was updated on July 16, rork-device on July 15, and rork-plist on July 13OPUS46 — Claude Opus 4.6 is live in Rork, and Rork Max is built to assemble apps on top of Claude CodeSIM — A cloud iOS simulator runs in the browser, with one click to install on a device and two clicks to publish to the App StoreMAX — Rork Max emits pure Swift rather than React Native, reaching iPhone, iPad, Apple Watch, Apple TV, Vision Pro, and even iMessageNATIVE — That opens up HealthKit, ARKit and LiDAR, NFC, Dynamic Island, Live Activities, 3D through Metal, and on-device inference with Core MLSEED — Rork raised a $15M seed led by Left Lane Capital, with Peak XV and a16z Speedrun joining the round
Articles/Dev Tools
Dev Tools/2026-05-19Advanced

Rolling Out Firebase App Check in Rork Without Breaking AdMob or Crashlytics

A practical, staged rollout for Firebase App Check in Rork apps that keeps Crashlytics reporting, Realtime Database listeners, and AdMob payouts intact — written from 50M+ downloads of indie experience.

Firebase10App CheckAdMob70Crashlytics12Rork515Production10

Premium Article

One Monday morning, my Crashlytics dashboard went almost completely quiet. For a few seconds I was happy — crash-free sessions had jumped to 99.97%. Then it sank in. Crashes were not down. Reports were not arriving. The night before, I had flipped Firebase App Check from "unenforced" to "enforced" on both Realtime Database and Crashlytics, and a chunk of my legitimate traffic was being rejected silently.

App Check is well documented and the official setup guides are clear enough. What they tend not to dwell on is how easy it is to take a production app down by toggling a single switch from a console UI. As an indie developer who has been running AdMob-funded apps since 2014 with around 50 million cumulative downloads across the catalogue, App Check has been the one piece of Firebase infrastructure that still makes me nervous every time I roll it out. So this is the design I now use for Rork apps, written from the side of someone who has already taken the blast.

Why "instant enforce" is a bad default in production

App Check verifies that a request to a Firebase backend came from a legitimate build of your app. iOS uses DeviceCheck or App Attest, Android uses Play Integrity, and your server-side enforcement decides whether unverified requests should be rejected with a 401. The conceptual model is clean: enforce attestation, drop spoofed traffic, sleep well.

The problem is that "unverified" is a much broader bucket than "spoofed." In practice, it also catches:

  1. App Attest assertions in the first few seconds of a freshly installed device, before the attestation key has been provisioned.
  2. Debug or TestFlight builds where the Debug Provider was never wired up.
  3. Internal QA sessions running on iOS Simulator or Android Emulator.

When App Check enforcement is on, every one of those is rejected. Crashlytics simply stops receiving reports. Realtime Database listeners fail to attach. Remote Config falls back to defaults forever. None of this is visible in your app logs — only in the Firebase console, on a screen you are not looking at unless you already know to.

So the rule I run by is: do not enable App Check enforcement in production without (a) a staged rollout controlled from the client and (b) a single Remote Config flag that lets you turn it all off in the next fetch interval.

Three preconditions before touching enforcement in Rork

Rork projects sit on top of Expo plus the React Native Firebase JS SDK, which means App Check has to be initialized through both layers. Before I let myself touch the Firebase console enforcement toggle, I check three things.

First, the @react-native-firebase/app-check package is on v18 or newer. v17 had an irritating intermittent initialization issue on iOS where the AppAttest provider would silently fail to obtain its first token, which left the app permanently in an "unverified" state on cold start.

Second, after expo prebuild, the iOS AppDelegate.swift calls the App Check provider factory before Firebase.configure(). The order matters. If Firebase.configure() runs first, the App Check internal listener that fires on the initial token fetch can be missed and you end up unverified until the next backoff.

Third, on Android the Play Integrity API is actually marked "in use" on the Play Console side. Picking Play Integrity in the Firebase console is necessary but not sufficient. Without the Play Console flag, the device will fall through to the unverified branch every time.

If any of those is wrong, no amount of rollback at the Firebase console level will resolve the symptoms, which is why I keep this as a hard preflight checklist.

Thank you for reading this far.

Continue Reading

What follows includes implementation code, benchmarks, and practical content we hope you'll find useful. This site runs without ads — server and development costs are supported entirely by members like you. If it's been helpful, we'd be truly grateful for your support.

WHAT YOU'LL LEARN
A four-stage rollout (0% / 10% / 50% / 100%) driven by Remote Config that lets you compare crash-free sessions between enforced and non-enforced cohorts before flipping the whole base
Three concrete failure modes seen in a 50M-download AdMob business where App Check silently killed Crashlytics and Realtime Database traffic, plus how to detect them in under a day
An emergency rollback design using a single `appCheckEmergencyDisable` Remote Config flag and a Cloud Functions bypass route that brings production back in roughly three minutes
Secure payment via Stripe · Cancel anytime

Unlock This Article

Get full access to the rest of this article. Buy once, read anytime. This site is ad-free — your support goes directly toward keeping it running.

or
Unlock all articles with Membership →
Share

Thank You for Reading

Rork Lab is ad-free, supported entirely by members like you. We publish practical guides daily with implementation code, benchmarks, and production-ready patterns. If you've found it useful, we'd love to have you on board.

  • Copy-paste ready implementation code
  • New advanced guides published daily
  • $5/mo or $10 for lifetime access
View Membership →

Related Articles

Dev Tools2026-05-31
Running Crash-Free Rate as a Budget: An SLO Design Note for Deciding Where to Invest Across 6 Indie Apps
Notes from running 6 wallpaper apps in parallel and the shift from treating crash-free rate as a pass/fail threshold to treating it as an error budget. A working write-up on turning burn rate into investment and sunset decisions.
Dev Tools2026-05-27
Making Silent Failures Visible Across 6 Rork Apps: An Early-Warning Design Note for Non-Crash Degradation
Notes from running 6 wallpaper apps in parallel and the layer I built in 3 weeks to make Crashlytics-invisible failures observable. Beacons, timeouts, and a small Cloudflare Worker for cross-app aggregation.
Dev Tools2026-05-21
Automating Production Incident Response as a Solo Developer — Crashlytics, Sentry, Slack Routing, and Staged Rollback
Twelve years of running my own iPhone and Android apps, accumulating 50 million downloads, taught me a specific shape for production incident response. This article shares the Crashlytics + Sentry double layer, Slack routing into interrupt and log channels, and a Remote Config plus EAS Update staged rollback I keep returning to.
📚RECOMMENDED BOOKS
Build a Large Language Model (From Scratch)
Sebastian Raschka
LLM Dev
Prompt Engineering for LLMs
Berryman & Ziegler
Prompting
AI Engineering
Chip Huyen
AI Eng
* Contains affiliate links
See all →