I'm creating app with Firestore database only for Android platform. I want to restrict access to my Firestore database from Rest API.
Is there any way?
There is no way to do this. Firestore does not care where access comes from. It could come from any client SDK, from any server SDK, or the REST API.
The only way to control access from a client SDK is to use security rules along with Firebase Authentication to limit access based on the user's identity. Server SDK access is controlled using service accounts that are granted permission to read and write the database (and they bypass security rules altogether).
Related
I am really concerned about the security of my data which I would be storing in Firestore, I want to know If someone somehow can extract google-services.json file from my android app or use some other tools to access my Firestore database. Is it possible If yes how can I prevent it?
If your app uses Firebase services and makes use of google-services.json, then yes, anyone can extract that data.
The issue for app developers isn't how to lock down that data (impossible), the issue is how to protect database and storage data to only those users who should be able to access it. The only solution for this is to use Firebase Authentication to verify the identity of people accessing your app, and use security rules to determine who should be able to read and write data.
There are currently no alternatives to this. If you don't require users to sign in using Firebase Auth, and your security rules allow universal access to data, then anyone on the internet who knows the name of your project will be able to access that data. Again, there are no exceptions to this. If your data is readable and writable to the world, then you will need to accept the potential billing consequences for this.
Again, learn about security rules for the products you use: Realtime Database, Firestore, and Cloud Storage.
If security rules are not feasible for your requirements, then you will need to set up a backend service that you securely control, and route all client access through that backend. You will want to make clients pass a Firebase Authentication token to your endpoint so it can validate access using the Firebase Admin SDK.
You should setup Cloud Firestore Security Rules to limit access to the data. Here is an example:
// Allow read/write access on all documents to any user signed in to the application
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth.uid != null;
}
}
}
Take a look at Get started with Cloud Firestore Security Rules for more details.
I am creating Android application with Firestore. My app does not require authentication. Is there any security rule to allows everyone read & write to firestore, but only via my app?
I have tried to find some rules, but each of them based on authentication.
Thank you for your help!
No, you can't limit access to your Cloud Firestore only to your application.
Since your application needs to know all the details that are needed to access the database, a malicious user can take those details and replicate them with code of their own.
To properly secure access to your database, you'll have to use Firebase's security rules. These are enforced on the server, so can't be by-passed by a malicious user. The logic here is that as long as the interactions with the database follow the rules you've set up, it doesn't really matter who wrote the code.
Also see:
How to enable access of firestore data to my nativescript app only?
Why is it okay to allow writes into Firebase from the client side?
Is it safe to use Firestore and its features via client only?
I have images saved to my Firebase storage and I only want users using the app to be able to access them. I don't want to force my users to login just to use the app, so that is not an option.
Since the Firebase back-end services are hosted in the cloud, they are by nature accessible by anyone. There is no way to limit their access to only people that are using the code that you write. Any developer can download the SDK, rewrite your code and use that to access the same back-end services.
That's why you secure access to Firebase data (whether structured data in the database or files in storage) through user-based security. Making your users sign in to the app, means that you can identify who is accessing the data. Once you've authenticated the users, you can use Firebase's security rules (for database or storage) to ensure they can only access the data they're authorized for. They may still be using other code, but you'll at least know who they are and be assured that they can only access the data in ways you authorized.
You can get the best of both worlds (requiring users to be authenticated, without requiring them to log-in) by using anonymous authentication. Just keep in mind that there too, any developer can download the Firebase SDK and authenticate the user anonymously.
For an older discussion on the topic (for the database, but it applies equally to storage), see How to prevent other access to my firebase
Basically you want to change the Rules of your Storage. Under the Firebase console and in Storage there are two tabs in the top of the frame. One that says file and one that says Rules. If you click the Rules tab you will get a view of the code that defines who can read and write to and from your storage. You will want to follow the link below to set up the correct rules for your storage. But based on what you want all you have to do is set the read write code to be:
allow read: if request.auth != null;
Check out this link: https://firebase.google.com/docs/storage/security/user-security
I am making android app which authenticate anonymously, so how can i make difficult for other person to discover my firebase url that is accessed from my android app ?
Exposing your Firebase URL is not a big security risk and it is necessary to expose it in order for the users to be able to interact with your database.
To properly protect your data, you should use a combination of authentication and authorization.
The first you'd do through Firebase Authentication, which means you require your users to sign in with the app.
You'd then use this knowledge of who the users are to ensure they can only perform authorized operations on the data. For that you'd use the security rules for the Firebase Database.
If you have those two in place, you can secure the data against malicious users and share the URL without fearing them.
I want to add security to my firebase application so that no one can write data by only knowing firebase url. We are using Android/ iOS client applications and php server.
I need the following to be clarified.
Is authentication using token is the best way to add security (we do not need a user login)
I do not want the token to be expired. Is this possible?
Will this effect read operations from client apps which do not use this tokens?
Can I remove this authentication later so that any one can access
Firebase uses a declarative, server-side rules language to control access to data. This is covered in detail in the security docs. I'd highly recommend reading this before continuing; it would address all the questions here and save some pain later.
Authentication is indeed the simplest way to identify users and control access. Firebase provides a number of authentication methods, including Anonymous auth.
Since security rules can also depend on data stored in Firebase, and use a complex rules engine, it's possible to create any sort of dynamic combination of authenticated and non-authenticated access, role-based security, et al.