We are trying to whitelist an iOS/Android app that is built with Firebase. The goal is to identify the data that these apps use so that it will not count towards users' data usage.
In the simple scenario, just whitelisting the IP address of the Firebase database would be enough. However, I have spoken with Firebase support and they can't provide static IP addresses as they change often. The other option would be the domain name but that also can't work since the Firebase connection is established over HTTPS.
One last option is using the Server Name Indication, however Firebase responded indicating that it wouldn't be an option.
That leaves me no options so I wanted to turn to the Stackoverflow community to see if anyone was able to whitelist an Firebase app.
Thanks,
Guven.
Related
I'm, working on a security scenario for an Android Application to prevent sending unwanted/spam or multi-requests by users.
These users are unregistered and as you know one way to detect them is by checking the IP addresses but the problem is that the public IP Addresses will change. Users can turn On/Off the modem (as an example) to get the new public IP Address or can install/uninstall the app to refresh everything and start sending unwanted requests to the server.
I want to make something like a token and store it on the phone that it will send with their request and on the server-side, we can detect which these requests come from which phone/user and handle the security issues.
This token or ID must have these features:
Access to it (deleting) should be impossible or hard for normal people (not for
hackers, I know it's impossible)
If the app has been uninstalled/installed, Android OS doesn't remove
it
Is it possible?
Is there a better solution to handle this?
The Android developer docs have a good article on available user IDs. Getting the second property will be difficult because Android has been pushing for resettable IDs for user privacy. The firebase installation ID (FID) is close, but you don't get #2. You can also use SafetyNet APIs to see if the app is genuine and then build rate limiting in the client or server side.
We have built an Android app which uses Firebase for user authentication. Our (large enterprise) client is planning to deploy it behind their firewall. During initial testing, the authentication stage fails whenever we are using their network. It does work on an open network.
I am trying to find out what firewall configuration is needed to use the firebase authentication API, but I cannot find anything in the docs. I know that the firewall allows port 80 and 443 for outgoing connections. I am assuming that no specific IPs are blacklisted. Ports 5228-5230 (which would be required for FCM) are not opened yet, as we are currently not using push notifications. I am wondering if this is the issue. However, all references I can find (usually inofficial ones on stackoverflow) insist that the firebase authentification happens via https and only 443 should be needed.
Is anyone able to verify this and perhaps provide the documentation which details this?
Currently I'm working on the MQTT based Chat application where I need to assign
Unique Topics to Users dynamically.
So, I thought of using their IMEI/MobileNumber. But in iOS, we cannot get the IMEI Number so we thought of generating a random IMEI from the backend and assign it to the Users.
Now, My problem is whenever user changes his mobile, the IMEI Number changes and it will be fresh profile again to that user.
If I use based on his Mobile Number, there is a chance when the user doesn't use the sim for 3 months. The connection automatically terminates from the network provider and the same number will be assigned to another new customer(atleast here in india).
Can anyone suggest me a good approach for the Topic Generation?
BTW, I need a Web Chat also and that need to be fetched from database. that is the only reason, I'm focusing on the Topic Generation. So, I will fetch messages based on his topic and show them in the Web Chat.
Do anyone know, how whatsapp maintained their topics?
I thought of using their IMEI/MobileNumber.
Bad design. Have the user create an account (i.e. email) with a password for your service that way no matter what phone or phone number they have, they can still log in and use your app. And make sure you ENCRYPT the user credentials in your database. Start FIRST by building an app with proper security or else you will be hacked 5 minutes after you launch it.
Do anyone know, how whatsapp maintained their topics?
Just because Zuckerberg copies everyone else, doesn't mean you need to copy them. Also, I believe whatsapp created there own version of a MQTT Broker. Hence, it will have an entirely different set of functionality from a regular MQTT Broker.
Does anyone know how WhatsApp Web have done this?
They show the messages/data from the Android phone connected to the Internet.
So it seems there is no database on the server site. They get all messages directly from the mobile app and sends also the changes directly.
How can this be done?
With Firebase or any other Library?
WhatsApp created an API which is used both for mobile and web end to communicate to each other and to the main database where all the messages and user information are stored.
The fact that your phone needs to be turned on and have internet connection still doesn't really show that the website pulls the information out of the phone itself.
What it is happening, more likely, is that the web extension communicates with the mobile phone linked to it to make sure that the account is still active on the mobile device and then proceeds to pull messages and information out of the database using the API.
I'm not excluding that the web extension retrieves some information form the device but it probably constantly keeps in sync with it to make sure the account is still active and there is no ambiguity between the account on the web extension and the account currently logged in to the mobile device.
Hope this clarifies a bit but there's no public documentation that I could find online so I'm going by what I believe is the most likely scenario.
:)
P.S. You can have a look here if you haven't already tried:
WhatApp website FAQ
We are going to build Mobile apps to access the data inside of firewall for our employees to use. We have the skill to build hybrid apps. We are looking for a solution to be able to authenticate users to use the apps. Below is the ideal solution.
Can we upload our apps to a private app store to allow only our employee to download for both iOS and Android users?
How to access the database inside the intranet?
How do we authenticate our users? (use Single Sign On) either authenticated by our mobile app or 3rd party software. (like GOOD)
Does anyone here know any platform or product we can use? Any suggestions? Thank you very much.
I would also like to know the options for question #1.
As far as authentication and access to intranet data....
Something will have to be exposed to the internet that will allow access to your data. This can be accomplished by writing a node express server that acts as a proxy to your data. The node server can also handle the authentication before serving up the data using jwt (JSON Web Tokens). You can find and example here:
https://scotch.io/tutorials/authenticate-a-node-js-api-with-json-web-tokens