I am working on an android application connected with firebase.
As we know that the api key and database name as being stored in strings.xml in apl file so they can be easily extracted.
As I told one of my friend his email-id and password for testing purpose.
The issue is that he was able to see all the data in the firebase realtime database by using the restAPI.
I had used sha1 but since the firebase is responding to the other links.
Is there any other way in which the firebase will respond to the request generated by the android app and not any web or ios.
Credentials for accessing Firebase are not platform specific. Once you know the credentials of a user, you can access the platform as that user.
For this reason you should never share your credentials with someone else, but instead give them access to your project with their credentials.
The simplest way to fix your problem now is to change the password of your account. After doing that, the other user will lose access within an hour.
The configuration data that is added to your Android app through google-services.json is just configuration data. It is in no way meant as authentication for your app. For more on this see Is it safe to expose Firebase apiKey to the public? and How to prevent other access to my firebase.
Related
I have been trying to implement a login screen that takes a username and password.
Once the user has logged in once I want him to have the ability to login with the device owner's fingerprint.
I was wondering what would be the correct way of handling this login.
I could encrypt the username and password and save those to shared preferences and once a fingerprint that is authorized is entered I will insert the decrypted username and password (I am looking for a solution like ios keychain).
Should I go with this approach or there is a programmatic way to get the names and passwords.
I have already used a library which verifies if the fingerprint is recognized you can see it here:
https://proandroiddev.com/5-steps-to-implement-biometric-authentication-in-android-dbeb825aeee8
https://github.com/anitaa1990/Biometric-Auth-Sample
There are many way to create an authentication app. Using SharedPreference is also a way to create such apps. But, one limit of SharedPreference is it can only storage data in limited
memory space and data is offline (data is stored in local machine and can be lost if you uninstall app). There are many online library for online authentication, if you are learning or developing a small app then I recommend you to use Firebase Authentication. It can help you create user account, authenticate user by mail, phone number,...and also link to real time database, storage on cloud and many other services (if you need). Please refer following link to get more information about firebase!
https://firebase.google.com/docs/?authuser=0
I have a project where one app needs to access multiple databases sharded across multiple firebase projects. Now since it's the same app, i can't use the same SHA1 across all the projects where i add the app.
I do not add any google-services.json files for any of the projects, instead i fetch the database url, the storage bucket info, the api-key and the appids for each project from my own server which keeps a track of all the sharded firebase projects.
My question is, with just this much information, can anyone just authenticate to firebase?
There's no SHA1 protection so is my db even safe even with the auth!=null rule? (since anyone can initialize FirebaseApp with this info and get a FirebaseAuth instance and sign in anonymously). In summary for this one, can anyone just make an app of their own, use the info and access/manipulate my database?
How can i secure my app if it's not secure with the current configuration
Yes, that should be enough information to create a web app that connects to your database.
But this should not be a problem if the database rules and auth providers are the right ones for your case. For example:
If you don't want anonymous Users to authenticate with your app, disable the option in the Firebase console.
If you want to give access only to a limited set of users without enabling new signups (or if you have special requirements for auth) then user a custom auth provider.
If you want to limit access to certain parts of your database (or need different user roles) adjust your database rules.
I hope that answers your question!
After a little research and a little brain storming, i came to the conclusion that Oauth domain which by default is localhost and the firebase-app domain will prevent anyone from directly authenticating to my Firebase app.
Even if the api-key and other info is exposed, as long as the service-account is hidden, the auth-domain will protect my app since the auth-domain will cause the authentication from a non-authorized domain to fail. Maybe I'll even want to remove the localhost in production :)
I have some questions about securing firebase database for mobile applications.
For example, after decompiling Android application a hacker can get firebase api key and then get access to firebase database, is this correct?
Let's assume, I added some security rules like for example an app can read/write on firebase only if auth!=null, this means that the authentication is protecting my firebase database, but this put me to ask the same question, if I configure facebook/google/ or even firebase email authentication I'm gonna need some api keys for those providers in my application, If a hacker got access to those keys, will he be able to use my authentication in his own application and get access to my firebase data?
I want to understand what to do in Android applications to make sure only my application will get access to firebase datatabase.
after decompiling Android application a hacker can get firebase api
key and then get access to firebase database, is this correct?
Only if your database does not use any security rules that limit access to only authenticated users.
if I configure facebook/google/ or even firebase email authentication
I'm gonna need some api keys for those providers in my application, If
a hacker got access to those keys, will he be able to use my
authentication in his own application and get access to my firebase
data?
No, it doesn't work that way.
Each user authenticated with Firebase is issued a token that's used to identify the user when they access protected services, such as Realtime Database, Firestore, or Storage. This token is valid 1 hour and must be refreshed after that, which the SDK will do automatically.
For a hacker to gain control of that user's data, they would have to obtain this token, and they would have no more than an hour to work with it. After that, they would have to obtain the next token obtained by the SDK. All this would have to happen on the user's device.
I have created an Admin portal using firebase which shows the details of the users registered in my android app. As soon as they register in my app, the user is created inside the firebase Auth. Now I am concerned about the security of the site as my firebase API key is visible to everyone. So if they use that key, then they can easily access my firebase database and fetch the data using a simple javascript. So I wanted to know any solution to avoid this security problem???
Using Firebase as DB for the app only.
I would like to use Firebase to store data that is global for all users. User authentication is not required to access those data.
So, all user's will be able to access same data. For example "news articles" are same for all users. Users don't need to authenticate to access the news.
How can I setup android application to access Firebase data securely for all users?
By "securely", I mean I don't want to bundle credentials to access the DB with the app. Otherwise, anybody can access the data and wipe it or corrupt it.
Based on quick investigation, I found there might be 2 ways:
Firebase REST API
Using Firebase REST API and service account token to access the Firebase data.
Firebase Auth
Use one of the auth schema. For example use email & password auth or custom auth with custom token.
I would assume both of them require me to bundle the secret password or token with the application.
Has anybody designed app with such use-case? Any pointers would be appreciated.
Firebase Authentication doesn't require any bundling of anything. Your users provide their own credentials. Google Play services on the device provides the security that only your app signed with your signing key may receive the token that authorizes the users to perform the actions on the data that you decide through security rules.