I could not find this anywhere, but..
How does Firebase provide security on the persistence of user sessions in Android? So, a user logs in, and he can now perform certain actions corresponding to his privilege, obviously the auth token and other data is hold somewhere for the android app to send to firebase. Where? How is security enforced?
Thanks
Android provides the security, and Firebase doesn't really have to do anything special. On Android, each app is provided a dedicated per-app local storage space that only the app process itself can read and write. No other apps can access this. This is where the token is stored. According to the Android documentation:
App-specific storage: Store files that are meant for your app's use only, either in dedicated directories within an internal storage volume or different dedicated directories within external storage. Use the directories within internal storage to save sensitive information that other apps shouldn't access.
Any app can use its own dedicated space to store data securely. This is what the Firebase SDKs use.
What I can say from my experience with firebase auth store current login user info
in share preference i.e. APP_SHARED_PREFERENCES inside that here is column for firebase auth com.google.firebase.auth.api.Store.{some random string} inside that you can find key value pairs as follows
Key com.google.firebase.auth.FIREBASE_USER value > current login user info
key com.google.firebase.auth.GET_TOKEN_RESPONSE value > token value for user
you can find this using this library
for debugging database in debug mode
Related
I have an app, that on the first start generates a random user id and password to set up an account on my server and store them in the shared preferences.
I am looking for a way to write this data into the cloud so that if the user installs the app on a second device it will retrieve this account data and use them on the second device as well.
On iOS, this is a trivial task but I am still trying to figure out how to achieve this on Android. I tried an approach with Firestore, but it seems to be able to write to the Firebase database, the user has to log in with Firebase. I assumed being logged in to a Google Account on the device would do this, but I still get invalid permissions back when writing data.
I do not want to force the user to a separate login.
Any ideas on how to approach this task? Is it possible on Android at all?
I have an app, that on first start generates a random user ID and password to set up an account on my server and store them in the shared preferences.
If you have your own server where you authenticate the users, and you also want to authenticate to Firebase, then I recommend you check:
Custom Authentication System
I am looking for a way to write this data into the cloud so that if the user installs the app on a second device it will retrieve this account data and use them on the second device as well.
You just should never simply store the credentials in Firestore. Storing passwords in cleartext is one of the worst security risks you can inflict on your users. You should either use authentication with your custom system or use one of the existing providers, like Google, Facebook, etc.
I tried an approach with Firestore, but it seems to be able to write to the database, the user has to log in with Firebase.
It's recommended to authenticate the user in Firebase before reading/writing data from/to Firestore because you can secure your database using Firestore Security Rules.
P.S. Don't store data in ShartedPreferences because this type of data is stored locally and doesn't persist application uninstalls.
I have this token that I am using to call remote rest API
I get this token from the server in the app at runtime (when user install the app)
How/where can I store this token on Android device so it will not go away,
So even if user clear the app cache or clear the app data it will stay?
So local file or db is out of the question..
Thank you
This is not recommended way but if you request external file storage permission
from user and store token as file (with encryption) somewhere outside of app storage, you can get it again after clear app storage.
However this is not recommended because when user clear app data app should reset its state, when user uninstall the app the token file is remain in user's storage as a garbage.
Also external files can be deleted by user out side of the app at anytime so you need recovery plan for such situation.
As a conclusion you are encouraged not to create such system.
If you need just user identity, check Best practices for unique identifiers to map id to token on server or something like that.
You can't achieve that without writing to external file like mentioned above. What you should do, is save the token to SharedPreferences, check if the token is there every time you launch the app, and ask the server for a new token if it's not there.
I am using firebase as backend for my android app. I recently came across database security rules. In my app, any user can access only some specific data to which I have created a DatabaseReference to, in the code of the app. So why do we need security rules if I specify the portions of data the user can access through the app, in the code itself?
Because your code can easily be changed to do whatever an attacker wants. The rules one the server can't be changed or circumvented in any way, except by knowing how to log in to your Google account.
I have a project where one app needs to access multiple databases sharded across multiple firebase projects. Now since it's the same app, i can't use the same SHA1 across all the projects where i add the app.
I do not add any google-services.json files for any of the projects, instead i fetch the database url, the storage bucket info, the api-key and the appids for each project from my own server which keeps a track of all the sharded firebase projects.
My question is, with just this much information, can anyone just authenticate to firebase?
There's no SHA1 protection so is my db even safe even with the auth!=null rule? (since anyone can initialize FirebaseApp with this info and get a FirebaseAuth instance and sign in anonymously). In summary for this one, can anyone just make an app of their own, use the info and access/manipulate my database?
How can i secure my app if it's not secure with the current configuration
Yes, that should be enough information to create a web app that connects to your database.
But this should not be a problem if the database rules and auth providers are the right ones for your case. For example:
If you don't want anonymous Users to authenticate with your app, disable the option in the Firebase console.
If you want to give access only to a limited set of users without enabling new signups (or if you have special requirements for auth) then user a custom auth provider.
If you want to limit access to certain parts of your database (or need different user roles) adjust your database rules.
I hope that answers your question!
After a little research and a little brain storming, i came to the conclusion that Oauth domain which by default is localhost and the firebase-app domain will prevent anyone from directly authenticating to my Firebase app.
Even if the api-key and other info is exposed, as long as the service-account is hidden, the auth-domain will protect my app since the auth-domain will cause the authentication from a non-authorized domain to fail. Maybe I'll even want to remove the localhost in production :)
I have images saved to my Firebase storage and I only want users using the app to be able to access them. I don't want to force my users to login just to use the app, so that is not an option.
Since the Firebase back-end services are hosted in the cloud, they are by nature accessible by anyone. There is no way to limit their access to only people that are using the code that you write. Any developer can download the SDK, rewrite your code and use that to access the same back-end services.
That's why you secure access to Firebase data (whether structured data in the database or files in storage) through user-based security. Making your users sign in to the app, means that you can identify who is accessing the data. Once you've authenticated the users, you can use Firebase's security rules (for database or storage) to ensure they can only access the data they're authorized for. They may still be using other code, but you'll at least know who they are and be assured that they can only access the data in ways you authorized.
You can get the best of both worlds (requiring users to be authenticated, without requiring them to log-in) by using anonymous authentication. Just keep in mind that there too, any developer can download the Firebase SDK and authenticate the user anonymously.
For an older discussion on the topic (for the database, but it applies equally to storage), see How to prevent other access to my firebase
Basically you want to change the Rules of your Storage. Under the Firebase console and in Storage there are two tabs in the top of the frame. One that says file and one that says Rules. If you click the Rules tab you will get a view of the code that defines who can read and write to and from your storage. You will want to follow the link below to set up the correct rules for your storage. But based on what you want all you have to do is set the read write code to be:
allow read: if request.auth != null;
Check out this link: https://firebase.google.com/docs/storage/security/user-security