I've created an app, which uses the Firebase Realtime Database.
I have a pretty big problem with the security rules. My users don't need to login use the app, they can send the data to the database without any authentication.
For example: it's a simple game, they can play with each other, then they can save the scores.
I would like to create a secure database, but anyone can write & read it. What is the best solution? Anonymous authentication?
If you don't secure your database, anyone can write any score.
Worse, anyone can write their own app to use your database, and you'll then end up paying for it. If you don't want this, write rules that only allow the exact interaction that is valid for your app.
If you don't want to require (even anonymous) authentication, at the very least write validation rules that ensure the data that is written follows the business rules of your app and code. That at least makes it less interesting for others to abuse your database for their own purposes.
Anonymous auth is better than no auth at all. But you will need to take care to write rules that allow each user appropriate access to whatever parts of the database they should have access to. Simply allowing all anonymously auth'd users to read and write everything is still not really "secure" at all.
Related
I am creating Android application with Firestore. My app does not require authentication. Is there any security rule to allows everyone read & write to firestore, but only via my app?
I have tried to find some rules, but each of them based on authentication.
Thank you for your help!
No, you can't limit access to your Cloud Firestore only to your application.
Since your application needs to know all the details that are needed to access the database, a malicious user can take those details and replicate them with code of their own.
To properly secure access to your database, you'll have to use Firebase's security rules. These are enforced on the server, so can't be by-passed by a malicious user. The logic here is that as long as the interactions with the database follow the rules you've set up, it doesn't really matter who wrote the code.
Also see:
How to enable access of firestore data to my nativescript app only?
Why is it okay to allow writes into Firebase from the client side?
Is it safe to use Firestore and its features via client only?
I am using firebase as backend for my android app. I recently came across database security rules. In my app, any user can access only some specific data to which I have created a DatabaseReference to, in the code of the app. So why do we need security rules if I specify the portions of data the user can access through the app, in the code itself?
Because your code can easily be changed to do whatever an attacker wants. The rules one the server can't be changed or circumvented in any way, except by knowing how to log in to your Google account.
Say I'm building some basic not-so-secure Android app, and I want to use firebase as a DB, but I really don't want the user to login. What would be my best choice of authentication?
If I allow "Annonymous" login - will this mean a big security hole, or would it just mean that programmatically I am allowed to change data anywhere in the db?
Does firebase support automatic creation/logging of user using my own custom user/id mechanism (without any user intervention)? Docs aren't very clear about that...
Anonymous log-in just provide authentication, that means you can associate a Unique ID to each of your user.
This de facto create a user ID and a Auth Token that is persisted in the phone between runs of your app. Token is refreshed when you call signInAnonymously().
Check this link for hits on how to handle anonymous logins.
Talking about security, anonymous login is not a bad practice. Obviously if you want to keep your DB safe you have to write custom access rules:
e.g. you probably want "anon_user322" to read your page content, but definitely not to modify or delete it.
Achieving this is not so hard, you have just to go to your FirebaseConsole and write your own rules for the Database.
You can find on this page a good starting guide. I suggest to watch this talk from Google I/O 2016, it is a bit long but you will be able to understand the basic of authentication and security in Firebase Database just with the first 25-30 minutes.
I was using annoymous sign in at first but it has somedown sides like you cannot export and import the exact same user on another device. Therefore i started using password authentication. You can just generate an pseudo email via uuid#yourappdomain.com and also generate the password and keep it within the appdata.
For security purpose you wont get around setting up rules for writing and reading data but it is working quite simple and easy enough to test with both methods annonymous and passoword auth.
The title doesn't really indicates what I mean:
I am searching for a secure way to save user data (a point system for a game - under no circumstances the user should have the ability to change his amount of points). And I stumbled across firebase, which seems pretty nice and easy.
But:
If I give the app the rights to directly write the users new points to the database it is pretty insecure, right? I mean, someone could decompile the app and get the keys from firebase so that anyone could write to the database, or am I wrong?
Also, what would be the best way to save those "new point" into a firebase realtime database?
Edit: I am already securing my app with pro-guard but that just makes it more difficult for users to get the key, I guess.
The Firebase configuration data in your app is not a security concern. It is simply information that your app needs to find its Firebase project on the servers. See Is it safe to expose Firebase apiKey to the public?.
To properly secure data you write security rules, which are evaluated on the server. With these you ensure that users can only read the data you want them to and that only authorized users can make valid changes.
In cases where security rules become more complex than is feasible, you can consider proxying the read/write through Cloud Functions for Firebase. With Cloud Functions your code runs on Google's servers, so you have to worry less about user modifying the code for malicious purposes.
its secure if you use cloud code. This way everything is going through the server to save it and a user has no way to change that unless they have access to your cloud code.
I understand that having security is on the top of our "TO-DO" list, we all need it and want it. But i don't understand what could happen if I don't use security rules in my Firebase database.
Currently, I'm developing an app and the way I did it, I haven't implemented security rules to work with the app, so .read and .write is just set to true. User has to log-in through Facebook though to be able to send requests.
I have tried to implement the security rules to work with the app, but I have some bugs, so does it really bother if it stays that way? Is there any way someone could send a "bad" request? What are the risks?
With write set to true anybody who finds your app URL could delete your whole database. They could change whatever they want. Android, ios or websites, nothing is safe as they will be able to find the URL easily.
In addition to Mathew's answer you'll also want to think about abuse to your database.
Any user who knows the URL of your database can:
write any data to your database. So by dumping data, they could push your database over its quota and make your app unusable for your actual users.
use your database for their own uses. They'd be eating up your bandwidth quota. Once your quota has been consumed, your app may become unusable for your actual users.
The above apply to the Spark and Flame plans. If your project is on a metered plan, malicious users can drive up your usage and thus your bill.
Your Firebase Rules generally helps you take care of Server side security. and ensures your data are secure and database protected from malicious user.
So Authenticating a user does not in anyway hep protect your database.
So if you dont have rules in place you could lose all your data. An Authenticated user can simply use a sigle line of code " ref.remove() " and viola all you data in your data base is gone so easy.
So please always ensure you write security Rules to make you firebase database secured.