I am using Firebase Authentication and Firebase dynamic links in my android project. I have put restrictions in my API key here
https://console.cloud.google.com/apis/credentials/
and allowed only android app with the package name and signature i specified. But there are still people able to create accounts using my API key outside my application and using script. I don't know how is this possible. As per firebase docs, it should be restricted to only my app. Is there anything i am missing to prevent people creating accounts through script?
Note: I am just using Firebase authentication, No firestore or Realtime database.
Related
I am developing an app with Dart Flutter and I will publish this app in stores. So thousands of people will use this app.
I set up a notification system with OneSignal for this application.But if this app's APK file somehow gets access and is decrypted, the OneSignal key is also found.
Finding the key can have dire consequences.
What measures can I take for this? How can I hide the key?
Generally, you should not use any sensitive data in your application. Most of the keys provided to Flutter are Client keys, which means it's less destructive than server aka (secrets).
As I have checked OneSignal, they provide only Client_ID to Flutter SDK which is ok to keep, and the REST_KEY is supposed to be used in the backend and must be securely protected.
You may have two ways to protect your sensitive data:
Use services such as Firebase Remote Config and provide the key. This is technically a safe way to provide keys.
Use a backend API you and your team build and proxy all requests from your Flutter application via that. A Function could be a serverless function only to proxy your request protected for your application, or you can do it in the backend of your choice.
You can read more here too.
I am in the process of developing an android application which I intended to publish to the PlayStore soon. I was doing some research and apparently a lot of android apps can get hacked due to the nature of PlayStore with downloading APKs and decompiling to view source codes. I will be using firebase authentication which will include a google-services.json . Is there a way to secure this file or is this file harmless? Google/Firebase says its fine to just add to app folder, but i'm not sure? AND is there anyway of securing firebase auth - i am not using any database firebase facilities as i am using my backend , so I do not need to write any security keys for firebase database??
I really need the realtime data sync function for local DB and Google Firestore perfectly meet my requirement. But my only concern is: Does Firestore support mobile and table devices which don't have google service?
You can use the Cloud Firestore SDK on a device without Play services, but you will not be able to use it in tandem with Firebase Authentication, which currently does require Play. As a result, you can not effectively use any security rules that depend on a UID or anything else related to Auth.
I am working on an android application connected with firebase.
As we know that the api key and database name as being stored in strings.xml in apl file so they can be easily extracted.
As I told one of my friend his email-id and password for testing purpose.
The issue is that he was able to see all the data in the firebase realtime database by using the restAPI.
I had used sha1 but since the firebase is responding to the other links.
Is there any other way in which the firebase will respond to the request generated by the android app and not any web or ios.
Credentials for accessing Firebase are not platform specific. Once you know the credentials of a user, you can access the platform as that user.
For this reason you should never share your credentials with someone else, but instead give them access to your project with their credentials.
The simplest way to fix your problem now is to change the password of your account. After doing that, the other user will lose access within an hour.
The configuration data that is added to your Android app through google-services.json is just configuration data. It is in no way meant as authentication for your app. For more on this see Is it safe to expose Firebase apiKey to the public? and How to prevent other access to my firebase.
I have created an Admin portal using firebase which shows the details of the users registered in my android app. As soon as they register in my app, the user is created inside the firebase Auth. Now I am concerned about the security of the site as my firebase API key is visible to everyone. So if they use that key, then they can easily access my firebase database and fetch the data using a simple javascript. So I wanted to know any solution to avoid this security problem???