I have a project where one app needs to access multiple databases sharded across multiple firebase projects. Now since it's the same app, i can't use the same SHA1 across all the projects where i add the app.
I do not add any google-services.json files for any of the projects, instead i fetch the database url, the storage bucket info, the api-key and the appids for each project from my own server which keeps a track of all the sharded firebase projects.
My question is, with just this much information, can anyone just authenticate to firebase?
There's no SHA1 protection so is my db even safe even with the auth!=null rule? (since anyone can initialize FirebaseApp with this info and get a FirebaseAuth instance and sign in anonymously). In summary for this one, can anyone just make an app of their own, use the info and access/manipulate my database?
How can i secure my app if it's not secure with the current configuration
Yes, that should be enough information to create a web app that connects to your database.
But this should not be a problem if the database rules and auth providers are the right ones for your case. For example:
If you don't want anonymous Users to authenticate with your app, disable the option in the Firebase console.
If you want to give access only to a limited set of users without enabling new signups (or if you have special requirements for auth) then user a custom auth provider.
If you want to limit access to certain parts of your database (or need different user roles) adjust your database rules.
I hope that answers your question!
After a little research and a little brain storming, i came to the conclusion that Oauth domain which by default is localhost and the firebase-app domain will prevent anyone from directly authenticating to my Firebase app.
Even if the api-key and other info is exposed, as long as the service-account is hidden, the auth-domain will protect my app since the auth-domain will cause the authentication from a non-authorized domain to fail. Maybe I'll even want to remove the localhost in production :)
Related
I wanted to know if when there's an firebase authentification, it's possible to get the source of this authentification?
To know if it's from my iphone app, android app or web app.
Why :
My web app isn't on the web, but on local server. I want to distribute this web app with server (It's for a personnal project but it could have 10 prototypes). So everybody can get my firebase config. And I don't want that someone can create account from the web firebase api because I accept google/apple and email/password auth. I can't disable email/password for my project purpose.
I hope this is clear.
To be more clear, if the email/password auth is created, is it possible to know if it's from android app or iphone app or webapp?
Thanks
The provided APIs for Firebase Auth don't give any indication which platform was used to create the account. Firebase intends for all accounts to work across all platforms using the provided SDKs and APIs accessible for each platform.
If you want to record your own per-user data in a database, you're free to do that. Note that this is not really "secure" in that each user could effectively manipulate your database or APIs to indicate whatever they want about their platform. If you do not have this sort of security in mind, then you can simply trust your own code to write, and late read, the user's platform in a database after they sign up.
To be more clear if the email/password auth is created, is it possible to know if it's from the Android app or iPhone app, or web app?
Yes, it's possible. Let's say we want to know if a user has signed in from Android. When the user creates an account from an Android device, most likely you are storing user data as objects in the database. The simplest solution I can think of is to add another property in your User class, called "platform" and set it to "Android". If the user signs up with an iPhone, then set the property to "iOS". Same thing for the web. Knowing that the user might change the device, every time the user opens the app check that value against the OS the user is using. If the OS is changed, also change the value accordingly. This way you'll always know the OS the user is using. If you allow the users to use multiple platforms, for Android, there is a function called getProviderData():
Returns a List of UserInfo objects that represents the linked identities of the user using different authentication providers that may be linked to their account.
Similar functions can be found for the other platforms as well.
I am using firebase as backend for my android app. I recently came across database security rules. In my app, any user can access only some specific data to which I have created a DatabaseReference to, in the code of the app. So why do we need security rules if I specify the portions of data the user can access through the app, in the code itself?
Because your code can easily be changed to do whatever an attacker wants. The rules one the server can't be changed or circumvented in any way, except by knowing how to log in to your Google account.
The title doesn't really indicates what I mean:
I am searching for a secure way to save user data (a point system for a game - under no circumstances the user should have the ability to change his amount of points). And I stumbled across firebase, which seems pretty nice and easy.
But:
If I give the app the rights to directly write the users new points to the database it is pretty insecure, right? I mean, someone could decompile the app and get the keys from firebase so that anyone could write to the database, or am I wrong?
Also, what would be the best way to save those "new point" into a firebase realtime database?
Edit: I am already securing my app with pro-guard but that just makes it more difficult for users to get the key, I guess.
The Firebase configuration data in your app is not a security concern. It is simply information that your app needs to find its Firebase project on the servers. See Is it safe to expose Firebase apiKey to the public?.
To properly secure data you write security rules, which are evaluated on the server. With these you ensure that users can only read the data you want them to and that only authorized users can make valid changes.
In cases where security rules become more complex than is feasible, you can consider proxying the read/write through Cloud Functions for Firebase. With Cloud Functions your code runs on Google's servers, so you have to worry less about user modifying the code for malicious purposes.
its secure if you use cloud code. This way everything is going through the server to save it and a user has no way to change that unless they have access to your cloud code.
I use Firebase Database and Storage to host some pictures for my Android app. Those pictures are only uploaded by me from the Firebase web interface. The Database and Storage have rules so only authenticated users can read and nobody is allowed to write. (So there is NO user generated content, I just need a place to host graphics for my Android app).
The reason authentication is required for read access is to make sure nobody else uses the pictures in another app (or website). For the authentication I create (only) anonymous accounts. (They are created automatically on first app start).
My question is about the anonymous user accounts: Will these ever be deleted when they aren't used anymore? Every time I clear data (or reinstall) my app, then another anonymous user account is created.
Is this something I should worry about or is this normal behaviour? Is there anything I could improve in my situation? Please note that this part of my app is not yet live for all users, so I can change stuff if needed.
Firebase Authentication does not automatically delete accounts.
But no data is maintained on the server for anonymous accounts, so effectively every time your users lose their anonymous authentication token, that account is forgotten by Firebase Authentication.
You can use Cloud Functions for Firebase along with some scheduling mechanism to periodically delete unused accounts. There is sample code on GitHub.
I am surprised that, as I understand it, any app can potentially clone my Parse's Client KEY and App ID and act exactly as if it were my app, enabling and authenticating users on my app, having access to the same database and the same Cloud Code. So it is? Is there a way to avoid this?
EDIT:
My question is not related to privacy or data owned by the user. I read about the right way to use ACL, level permission of class, masterkey and so on.
But the question is how to prevent that another app cloning my KEY/ID can lean to the data of my app and do whatever we can make by my app, mixing its database with mine and also impacting on the request counter.
All the Parse Application and client keys (except for the master key) are considered public information and NOT secrets. This is clearly mentioned in the Parse documentation. There is no way to hide them and they will be part of your app/website and they can be easily retrieved by any user. This means any data in your classes with Public read access can be retrieved by anybody. Read Parse documentation on how to secure your app against malicious users.