What is a "CAPTCHA"?
CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart". It is named after mathematician Alan Turing's "Turing test" (a test of a machine's ability to exhibit intelligent behaviour equivalent to, or indistinguishable from, that of a human).
What does a CAPTCHA look like?
A CAPTCHA test is normally an image test or a simple mathematics problem.
The most typical form of CAPTCHA is presented as a distorted image. The test requires someone to correctly evaluate and enter a sequence of letters or numbers perceptible from the displayed on their screen.
What are CAPTCHA's for?
A CAPTCHA is a test that is used to separate humans and machines. Specifically, it is a type of challenge–response test used in computing to determine whether or not the user is human. The perfect CAPTCHA would be one which a human can trivially read or solve, but a computer cannot despite an infinte period of time. In practice, it may simply take disproportionate effort for a computer to solve.
What are CAPTCHA's used for?
CAPTCHA's are typically used as a "gate" to allow humans to perform an action screened or only accessible after solving the test. They are typically implemented on websites in order to stop computer hackers from writing code to automatically perform actions at a scale not intended by the website owner, and known as "bot fraud". One example might be to prevent the use of automation to set up hundreds of accounts (such as email accounts), or to prevent one individual from submitting hundreds of competition entry forms and "cheat" their chances of winning a competition.
Why might CAPTCHA present a challenge for AppCheck?
CAPTCHAs are specifically designed to prevent completion or circumvention by computer programs. Since AppCheck is an automated scanner, written in code, it is indistinguishable by the screening application from a malicious attacker attempting to use automation - that is, CAPTCHAs are specifically designed to prevent solution or bypass by any and all software, including AppCheck.
CAPTCHA's can at any moment in time be bypassed given sufficient effort, using mechanisms such as machine learning-based attacks. However, doing so represents something of an "arms race" and would require significant resources to consistently out-smart new CAPTCHA mechanisms and implementations. It is not practical to do so.
Can AppCheck bypass CAPTCHAs?
No, AppCheck cannot bypass CAPTCHAs, for the reason outlined above - CAPTCHAs are specifically designed to prevent solution or bypass by software: that is their single and explicit design function.
Can AppCheck scan an application that uses CAPTCHA's?
Yes, application can scan any portion of a web application that makes use of CAPTCHAs with the exception of the content or endpoints screened behind the CAPTCHA - typically CAPTCHAs are used to screen only certain very specific process flows or functionality, so AppCheck remains able to scan the vast majority of the web application.
What other options exist to scan those areas of an application that are screened by CAPTCHAs?
It may be possible in some implementations to bypass CAPTCHA forms (by design) by submitting a pre-shared key or other mechanism built into the CAPTCHA handling code for the specific purpose of allow-lists of trusted automated sources. Some implementations will allow the use of a pre-set cookie value for this purpose, for example - when shared with a trusted party such as AppCheck, the cookie can be submitted by the AppCheck scanner in requests, allowing it to bypass the CAPTCHA form. However this is very rare and is not typically the case so is likely to be unavailable in any given implementation.
Another option that might be available to customers is to use AppCheck to scan a pre-production (e.g. test or staging) instance of your application rather than the "live" site - since this pre-production instance is not publicly exposed, it can safely have the CAPTCHA functionality disabled. However, this may not be possible in your given environment.