If someone wanted to reverse engineer my android application by getting the apk file and then customising it to do other things that it shouldn't do. Keeping in mind that the apk file will have the google-services.json file that we download from firebase when we create the firebase project to link the android app.
The question is:
Even though there is security rules on the real time database or firebase storage that only allows authenticated users. Then the hacker can reverse engineer the app and makes his own application that has the same google-services.json file and then when compiling the hacker can create an account and login to the app (which makes him authenticated) and then maybe he can delete and write data to the real time database.
Can someone please explain how the security holds then?
In general, you should assume that any code that you ship to a customer could be compromised. You should assume that the device that they're running it on is under their full control, and that they could change the way your code executes on that device. The issue isn't so much that your app gets decompiled, it's that you simply can't control the execution environment in any way (unless of course you manufacture the device and have built in your own hardware security).
The data in google-services.json is not private data. You should assume that the moment you publish an app, everyone will know all the information in that file. Think of that data as unique identifiers that tell your app where to get data. There are no passwords or credentials in that file that allow an attacker to do anything that you have not authorized them to do.
It's up to you to use security rules in conjunction with Firebase Authentication in order to control who can do what to the data hosted in Firebase. It's impossible to stop people from creating random accounts in your app, but it's possible to restrict what they can do.
If you find that your app is subject to some form of abuse, you can shut down the abuser's account, and also contact Firebase support to report abusive behavior.
I asked myself the same situation couple of months back.
As I understand, the moment you generate your project ( Creating it from Firebase console or Android studio) it will ask for a SHA-1 key.
This SHA-1 key is unique and serves as the authorization from your project to connect to the services of Firebase, for example, if a user has your google-services.json it will be hard to them to even log in or authenticate without a SHA-1 key that allows them to use your project.
I was also inspecting the google-services.json and there is the SHA1-1 with the package names.
"android_info": {
"package_name": "com.packagename.debug",
"certificate_hash": "SHA1-KEY"
}
If you need to add a new SHA-1 you will also need to either authenticate using Gmail to go to the Firebase console and add it yourself (in which case is nearly impossible that a hacker can access to your Gmail account) or do the same thing from Android studio and sync the project.
As I said before, this is how I understand this situation, also, little research from securing API keys told that you need to be worried about client-side APIs than public APIS in your app.
The thing is that encrypting client side your APIS exposes the encryption code and can be decoded to, this is why sometimes it will be better to run some sort of a function from Firebase and send the sensible APIS to your project.
Telling it again, I'm answering with how I understand it works from having and inspecting the projects that I have, this is not an official answer so take it with tweezers.
Related
SO I recently discovered an old discontinued application of mine and I reverse engineered the apk since I lost the code.
Progaurd wasn't enabled, and I was able to successfully reverse engineer it.
This is a Firebase application, and in the strings.xml I was able to find:
firebase_database_url, gcm_defaultSenderId, default_web_client_id, google_api_key, google_app_id.
I'm trying to read from the database.
So, using my browser, I type in my URL [URL].firebaseio.com/.json, but I need a parameter, auth, which I would think is google_api_key, which I can get from strings.xml.
But, it doesn't work, and gives me "error": "Could not parse auth token."
So I think I need a different key, but what is it? Is it possible to find it using the decompiled app? All the variables are the same name as they were.
Note that this was probably created before the May Firebase update, so it's probably still using firebase.com, because there's no google-services.json anymore.
Unless the creator of the APK put a private token or password in the app (which they would not, unless they are intentionally doing something very insecure), then you would not be able to access the parts of the database that require authentication.
The google API key you are referring to is not private, and it does not grant anyone the ability to anything special with a project. It's merely an identifier for a project.
I have an app published on the play store, I want to implement firebase in the app.
I have read all the documentation and I have two doubts:
If someone use apk decompiler with my app and get the googleservices.json, they can do whatever they want with the database?
It is possible that my database is secure without having the user logged-in?
I would appreciate any help
The fact that someone can read your googleservices.json doesn't involve security holes. If you configured your Firebase project correctly, you will notice that in the "Project Settings" panel there is a SHA-1 signature to add. If you add the signature of your debug/production keystore, only apps with the specific signature con use the data of googleservices.json to communicate with your Firebase platform. (If you decide to not provide a SHA-1, Google will use something else as identification mechanism as described here)
This question is not very clear. Your database is safe everytime. If your user is not logged in, probably he will not able to communicate with the database. Remember that a user should only be able to see it's own data, so if your app logic is correct a logged user shouldn't be able to see other peoples sensitive data. Moreover remember to not change the database/storage connection rules in the "Rules" panel like in the image below to prevent unauthorized operations:
Is there any way, to check on server if this is my application sending data or it's someone's who decompiled my app? Note that both my and fake apps may be downloaded by user from Google Play. I have only one idea - in Google Play you cant post two applications with the same package names, so maybe I can send package name to server or something like this.
It can't be done without some help from OS - because an app would not know whether it was modified (the modification check itself can be hacked).
The ways I'd go would be the following:
Excercise the options Google Play Store gives you - license check and app encryption
Add some auth data to the application itself and verify it on the server (some encryption key). The data should change with each version
Accept only 2-5 last versions (for people who haven't yet updated)
This way, any pirated version will be valid for only a week or so... And for someone wanting to use the app constantly it will be easier to buy it, than re-download it every 1-2 weeks.
It won't protect you completely, but will make thievery time-consuming and hardly worth it given the option to buy the app. Enough to convince the users who would have bought the app to buy it. Those who pirate things out of principle can not be converted in any case...
there are some points which can make your code and application more safer.
use proguard(see on android devlopment site) it offuscates(other words makes it messy at compile time) your code.
secondly you could use encryption and decryption send some secret key encrypted
Is it possible to build app whit integrated dropbox acc, and use this account for all clients? I want to upload images to dropbox, and all client apps can download it, or upload to this acc from my app?
I have read all dropbox sdk tutorial from there site, but steal not sure if this is possible.
Not really. DropBox uses OAuth for authorization to allow users to login with their own accounts. Even assuming you figured out how to log in on their behalf with your own credentials you would be handing out your credentials to anyone who wants them, allowing someone to change the password on the account, etc.
Alternatively I suppose you could generate tokens and hand those out instead, however you'd have to setup some sort of web service for this, and you'd still have problems with people being able to do stuff to your account that no doubt you don't want them to do. E.g. I could create an app that just instantly deletes everything that anyone uploads, or I could create an app that fills up your quota with files filled with zeroes.
This is not what DropBox intends you to use the API for (and in fact it may be against the ToS, you should probably read to make sure if you're going down this route despite my discouragement). You should use a more appropriate storage method.
I have a paid android application which uses the google LVL code to authenticate users.
A company would like to pay me so that their application can include a free version of my application. However, I'm not sure how to accomplish this in a way that won't result in an easily pirated version of my app. Below are some implementation options I am considering, but none of them seem like particularly good ideas. Any suggestions?
I deliver them an apk which does not use the LVL code. They could then package my apk with their app, and install it using the ACTION_VIEW intent. This seems like a bad idea because I think it wouldn't be particularly hard for some rouge user to extract my unsecured apk and distribute it.
Maybe I could build a version that checks to see if their app is installed, and if it is it queries their app for some sort of unlock code. And app will only run if this unlock code succeeds. My main concern about this is that I have no idea if "querying another app" for an unlock code is accomplishable.
This is definitely accomplishable. As already said one way to query the app is by using a content provider. If you are concerned about security you can introduce additional permission that both apps must hold to access the provider. Although since it doubtfull that both apps have the same signature it won't be as effective.
Another way would be if they had a service that you could bind to and request a code or any other authentication. In this case their service can as well validate your apps validity by querying your apps userId and checking a signature via PackageManager.
Sad news is it's alomost impossible to prevent pirating your app anyway. Even with LVL... Since all this can be decompiled and eventually broken. But at least you can make attackers life harder.
For what you are looking to do I would create a jar out of your project and mark it as a library project. That way you can give your application out to your client but they wont be able to see the actual code you have written. Using this method they will be able to call any method directly which would be easier than having to interact with an apk.