I am developing an Ionic application. My app is almost done, I just have to fix some bugs, but I have security concerns. I do not have a server side application, everything is inside of the ionic app itself.
Since I have database calls and writes and edits how secure is my application? Is it possible that someone could reverse engineer the apk, change some firebase code and completely ruin my database and application? How does this work and how can i secure my application?
Also, which rules should I apply in firebase? Currently I have the default testing rules:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if true;
}
}
}
I am new to firebase and I dont quite understand the rules. I have two collections users and matches, and I want a specific user to only write and read from the user document which is his (has his id) and read and write to every document inside matches, that contains his id inside.
Since I have database calls and writes and edits how secure is my application?
It's not secure at all.
Is it possible that someone could reverse engineer the apk, change some firebase code and completely ruin my database and application?
With the security rules you show here, that is very possible. Your database allows full read and write access to anyone with an internet connection.
There's not enough information in your question to say exactly what you need to do. I strongly suggest first reviewing the documentation for security rules, and learn how to apply rules for your specific case. If you are having problems with specific code and rules, please post a question that shows the combination of client code and security rules that aren't working the way you expect.
Related
Using firebase rules as:
{
"rules": {
".read": true,
".write": true
}
}
means that everyone inside my application can read/write the firebase resource or means everyone including any request not necessary comming from my application can read/write?
With these rules, I can:
Get your entire database with a single URL, which you actually ship in application source code. I don't even need to use your app for this, I can just do https://<yourdatabaseURL>/.json and get it all.
Wipe your entire database with a single line of code, from a tool as simple as the JavaScript console of my browser.
So yeah, it's pretty much as insecure as all the reports make it out to be.
Since you have to include the URL in your app in order to be able to access database, leaving the rules like this is just asking for problems.
You should secure your database by using Firebase App Check to make it harder to access the database outside of your application, and then implement proper security rules to have fine-grained access control.
Ideally you should:
Start with the exact opposite rules, that deny all access, then
Implement the first small use-case of your application in code.
Watch it get rejected by the security rules.
Change your rules to allow only that one use-case, and nothing else.
Go on to the next use-case.
This is known as the principle of least privilege and is key to protecting the data.
I recommend also checking out these other questions on the same (really broad) topic:
Is it safe to expose Firebase apiKey to the public?
Does Firebase App Check discard the need for implementing Security Rules?
Firebase Permission Denied
Firebase email saying my realtime database has insecure rules
I am new to Firebase and I want to understand it
How do I make Database safe?
When i using real-time database, if i make rules like this:
{
"rules": {
".read": true,
".write": true
}
}
Is this safe?
If it is not safe for my app, how do I make it safe?
What does it mean to add auth (users who have registered) reading and writing in the rules, is it a good way to protect databases, and how do I do this?
If the rules are true, what are the risks that implementation may face and when? What is the alternative? – TaHa M. Younis 22 mins ago
The security rules of your app depend almost solely on the business logic of the app. So just like you will have to figure out the code to match your use-cases, you also have to figure out the security rules (and data model) to match your use-cases. There is no way for us to do that for you in a simple Q&A fashion here.
I highly recommend getting started with the Firebase documentation on security rules, which includes an explanation of concepts, how security rules work, and some great examples of common use-cases such as content-owner only access, role-based and attribute-based access control and others.
I'm trying understand which is the best way to store sensitive data in Android. In my app i want to insert a classic in-app-purchase model with some coins. My problem is that i'm not sure how to implement this correctly.
The initial idea was to simply use my firebase database, store the number of coins for every user and fetch the data every time the app is launched. This way I can easily detect some inappropriate usage but my users are forced to use the internet to play.
Looking at the documentations, I found this. Can this be a solution? Can I save in the internal storage the number of coins, maybe with some type of encryption, to avoid root user to modify the file? Then when the internet is on I can double-check the local stored variable with the the one in the database.
Thanks
Not an "easy" task.
Technically, you can create a SecretKey and encrypt data, so no normal user will be able to reproduce. If your concern are root users, You are kind of out of luck, as he can hook into your app while it is reading/writing that value.
But to store it online is not a solution in itself. You have to answer questions like: "Do you trust any server input"?
"How to make sure just paid coins are added"?
Have you had a look at Google Play billing?
it provides safe way's to determine if somebody paid or not.
This will require to be online.
If you have a sensitive data to save you can use sqlcipher database .. the good with it that it encrypt the database file itself so even the root user be able to get the database file he will not be able to decrypt it if you use a secured encryption algorithm.
you can find more about sqlcipher here
https://www.zetetic.net/sqlcipher/sqlcipher-for-android/
Since I assume you will grant your app a reading permission of your sensitive data and all writing processes should be reserved server-side, I would not recommend storing the data in a file on a phone, though every encryption can potentially be passed.
Maybe you already have heard about SharedPreferences, which is a good solution for let's say Preferences the user selects and that only shall affect his particular installation of your app. The difference is, that values are not stored in an external file, so not that easy accessible, BUT your app needs to write them, due only the app can access them directly (also your server can't). I am not aware of how your sensitive data is used at all but I would also not use SharedPreferences since it's injective-prone.
Official docs about SharedPreferences.
If security of your data (speaking of Confidentiality, Integrity, Authentication) is your No. 1 priority, simply don't store your sensitive data on the users device. Focus more on creating an API that ensures secure and performant passing of the relevant bits of your sensitive data. Hope this helps to give you a view of which way to go and which to walk around.
I am working on an Android project where I will have to edit (only decrement) data from an online database. I want to stop anybody from changing the values by themselves. It should be possible only through the Programming.
In short my online database would contain the Balance of a particular account.
While using some of my services in my app, the balance will get deducted.
App should only be able to deduct the value. I dont want any hacker to study my code and be able to increment the balance by any mean.
Is there any possible mean to add security to database. The database should be very secure.
If you want security over network, Do it using existing and well implemented secure protocol, e.g. TLS/SSL. openssl is one good implementation: http://www.openssl.org/
If you even want data to be secure on the server, even the root cannot access it, check this: http://css.csail.mit.edu/cryptdb/
This is a theory question more than an implementation question. What, in your opinion, is the best way to create a mobile application that syncs data to a server?
I have been writing an application that has a user sign-in, allows them to create notes and then selectively share them with other users. I have been doing this with a Rails webapp that returns JSON data to my iOS app. It seems like a lot of overhead for something that so many apps are doing. Is there a better way? How would, or do, you do it?
You should optimize the data quantity you exchange between server and device. You need to set up a flag that indicate you if something changed, case you need to sync.
Let say you have an app that allow to a group of users to update/load from the same file. you can save on the server the time of the last changes, and on mobile device you have the last update time you get. When you want to update your app data, on the request you can include the time you got the last updates. if the time you send and the time you have on the server differs, update; else... do nothing.
Because the request/response is minimal (Req = time; resp = empty), you can check for updates as often as you like.
The option I found that proved to be the easiest and allows you to focus on mobile development while virtually ignoring the data storage element is Parse. I wish I had found this months ago.
I really don't think there's necessarily anything wrong with maintaining a simple Rails web service as a REST interface for your database, but I can see how that might seem like unnecessary overhead. You could find a DB which has a REST interface by default. Here are two to start you off:
CouchDB
Amazon SimpleDB