This question already has answers here:
Is there any way to give everyone access to firestore database, but only via app?
(1 answer)
How can I set Rules in Firebase so that only my app can write on my database firestore?
(1 answer)
Closed 2 years ago.
I am currently building two apps(admin and customer) and both have added in a single firebase project. Both apps are using Firebase Auth(Phone Number) registration process. The admin app is mostly saving details in Firestore DB and the customer app is only can fetch these details for viewing purposes.
Currently, I don't define any rules for them as I am a little new in Firestore/Firebase Rules. But I am wondering to add some rules which will give permission to fetch only those apps which I have added in the same Firebase project where my admin app is. I may be wrong but I think anyone can able to access my admin data by if they will get those names or keys which I am using in my Collections.
So is there any way or rules which will give the data accessing permission to specific apps that I have added in my same firebase project?
There is no way to limit access to "just this app" in Firebase security rules. Anyone can take the configuration data from your app and use it to call the same API as you app uses.
For this reason you will need to make sure that your security rules model the logic that you want. You'll typically replicate some of the data access logic between your client-side application code, and the server-side security rules. This means that you're modeling who can take certain actions, not what code/application they use to do that.
Also see:
How can I set Rules in Firebase so that only my app can write on my database firestore?
Is there any way to give everyone access to firestore database, but only via app?
How to enable access of firestore data to my nativescript app only?
and many more from these previous questions about the topic
Related
This question already has answers here:
Is there any way to give everyone access to firestore database, but only via app?
(1 answer)
Your Cloud Firestore database has insecure: any user can read your entire database
(2 answers)
Closed 2 years ago.
I have a Firestore database and an Android app that connects with it. I want my app only to read from the database; the app is not going to write or delete anything from it. I also don't need any users or authentication by passwords. I just want my app to access a few collections and display them in GUI. In the rules, I put this:
allow list;
However, if I understand it correctly, it is possible for other people to access my database/integrate it into their apps and use for their own purposes. How can I avoid this? I want my database only be accessible from my app + I don't need users to authenticate by typing their username/password...
If I include anonymous authentication, then how does it solve the problem if another person can do the same thing with it to access my database, i.e. come up with a code that uses anonymous authentication to access my DB?
I am creating Android application with Firestore. My app does not require authentication. Is there any security rule to allows everyone read & write to firestore, but only via my app?
I have tried to find some rules, but each of them based on authentication.
Thank you for your help!
No, you can't limit access to your Cloud Firestore only to your application.
Since your application needs to know all the details that are needed to access the database, a malicious user can take those details and replicate them with code of their own.
To properly secure access to your database, you'll have to use Firebase's security rules. These are enforced on the server, so can't be by-passed by a malicious user. The logic here is that as long as the interactions with the database follow the rules you've set up, it doesn't really matter who wrote the code.
Also see:
How to enable access of firestore data to my nativescript app only?
Why is it okay to allow writes into Firebase from the client side?
Is it safe to use Firestore and its features via client only?
I am using firebase as backend for my android app. I recently came across database security rules. In my app, any user can access only some specific data to which I have created a DatabaseReference to, in the code of the app. So why do we need security rules if I specify the portions of data the user can access through the app, in the code itself?
Because your code can easily be changed to do whatever an attacker wants. The rules one the server can't be changed or circumvented in any way, except by knowing how to log in to your Google account.
I have a pre-populated SQLite database for my Android app and I need to do some reads to show elements for an autoCompleteTextView and then other few operation, only reads on the database.
In the past days I've read about SQLCipher and Cloud Firestore by Firebase. SQLCipher seems what I was looking for but I read that I can't use it with a pre-populated database. I think that Firestore (or any other cloud service) it's my only other solution but I'm a little worried about the price and the possibile delay between the input on the ACTV and the server results.
The database does not contain any user information or other sensitive data, I just want to protect my work. I've no need for the strongest protection.
Can I use Firestore with my SQLite database? Are there any other solution for my problem? Thanks!
If you want to use Firebase, you need to know that there is way in which you can secure your database very simply using Firebase Database Security Rules.
Firebase Realtime Database Rules determine who has read and write access to your database, how your data is structured, and what indexes exist. These rules live on the Firebase servers and are enforced automatically at all times. Every read and write request will only be completed if your rules allow it. By default, your rules are set to allow only authenticated users full read and write access to your database. This is to protect your database from abuse until you have time to customize your rules or set up authentication.
If you want to use the new Firestore release (which is currently in beta release) please take a look at Secure Data in Cloud Firestore offical documentation for more informations.
Another thing to note is that also Firebase and Firestore can provide offline capabilities. So the pplications will work even if your app temporarily loses its network connection. So there is no need for other database in order to achieve that.
Another thing to note is that Firebase can provide Anonymously Authenticatin.
As a conclusion Firebase can provide you security, even your app does or does not contain any user information or other sensitive data.
I started learning about Firebase for an android, but still can't get my head around some stuff, so I have couple of questions that I would love your help to answer.
1 - Can a user (or a hacker) know my firebase link from the app?
2 - if they did, will they be able to change my stored data without knowing my google email address associated with the database?
Thanks
Unless properly secured, anyone can read or write data to your Firebase database.
To secure your Firebase database you need to write Security Rules.
Firebase Security Rules live on a Firebase server and validate whether someone can access your data.
You also might want to check out this answer too for a beginner explanation.