I have a pre-populated SQLite database for my Android app and I need to do some reads to show elements for an autoCompleteTextView and then other few operation, only reads on the database.
In the past days I've read about SQLCipher and Cloud Firestore by Firebase. SQLCipher seems what I was looking for but I read that I can't use it with a pre-populated database. I think that Firestore (or any other cloud service) it's my only other solution but I'm a little worried about the price and the possibile delay between the input on the ACTV and the server results.
The database does not contain any user information or other sensitive data, I just want to protect my work. I've no need for the strongest protection.
Can I use Firestore with my SQLite database? Are there any other solution for my problem? Thanks!
If you want to use Firebase, you need to know that there is way in which you can secure your database very simply using Firebase Database Security Rules.
Firebase Realtime Database Rules determine who has read and write access to your database, how your data is structured, and what indexes exist. These rules live on the Firebase servers and are enforced automatically at all times. Every read and write request will only be completed if your rules allow it. By default, your rules are set to allow only authenticated users full read and write access to your database. This is to protect your database from abuse until you have time to customize your rules or set up authentication.
If you want to use the new Firestore release (which is currently in beta release) please take a look at Secure Data in Cloud Firestore offical documentation for more informations.
Another thing to note is that also Firebase and Firestore can provide offline capabilities. So the pplications will work even if your app temporarily loses its network connection. So there is no need for other database in order to achieve that.
Another thing to note is that Firebase can provide Anonymously Authenticatin.
As a conclusion Firebase can provide you security, even your app does or does not contain any user information or other sensitive data.
Related
I have developed an app which uses Firebase Realtime Database and want to publish it in google play store. I set database rules as read:true; write:true.
I don't care much about my database. It has not so much important data. I think nobody will even care about accessing my database and changing it.
I think even if some hacker writes some data in my database without using my app, I will be able to see it in my console.
My only concern is: can someone hack my whole firebase account just because I set the realtime database read and write rules true ?
To rephrase this question, does setting realtime database public put only database at risk or can it put my whole firebase account at risk ?
Security rules only deal with direct access to the database. They have nothing to do with anything else about your app or any Google account. You will just be on the hook for all the billing (all the reads and writes) for that database, regardless of where the access comes from.
I've created an app, which uses the Firebase Realtime Database.
I have a pretty big problem with the security rules. My users don't need to login use the app, they can send the data to the database without any authentication.
For example: it's a simple game, they can play with each other, then they can save the scores.
I would like to create a secure database, but anyone can write & read it. What is the best solution? Anonymous authentication?
If you don't secure your database, anyone can write any score.
Worse, anyone can write their own app to use your database, and you'll then end up paying for it. If you don't want this, write rules that only allow the exact interaction that is valid for your app.
If you don't want to require (even anonymous) authentication, at the very least write validation rules that ensure the data that is written follows the business rules of your app and code. That at least makes it less interesting for others to abuse your database for their own purposes.
Anonymous auth is better than no auth at all. But you will need to take care to write rules that allow each user appropriate access to whatever parts of the database they should have access to. Simply allowing all anonymously auth'd users to read and write everything is still not really "secure" at all.
I am creating Android application with Firestore. My app does not require authentication. Is there any security rule to allows everyone read & write to firestore, but only via my app?
I have tried to find some rules, but each of them based on authentication.
Thank you for your help!
No, you can't limit access to your Cloud Firestore only to your application.
Since your application needs to know all the details that are needed to access the database, a malicious user can take those details and replicate them with code of their own.
To properly secure access to your database, you'll have to use Firebase's security rules. These are enforced on the server, so can't be by-passed by a malicious user. The logic here is that as long as the interactions with the database follow the rules you've set up, it doesn't really matter who wrote the code.
Also see:
How to enable access of firestore data to my nativescript app only?
Why is it okay to allow writes into Firebase from the client side?
Is it safe to use Firestore and its features via client only?
I am using firebase as backend for my android app. I recently came across database security rules. In my app, any user can access only some specific data to which I have created a DatabaseReference to, in the code of the app. So why do we need security rules if I specify the portions of data the user can access through the app, in the code itself?
Because your code can easily be changed to do whatever an attacker wants. The rules one the server can't be changed or circumvented in any way, except by knowing how to log in to your Google account.
I'm currently evaluating Firebase. In my application I allow users to create entities (custom exercises) which are stored in SQLite DB now. I want to move this to FB, but I have a question.
I want to allow users to authenticate to be able to sync their exercises with other devices. Fairly standard use case. But I don't want to force users to have an account with my app, so they can use it anonymously as long as they want and don't need the sync. Is there a way to disable syncing with the server when they are anonymous? This makes no sense to sync anonymous data with server, because they won't be able to pick it up anyway, so, should they change a device or factory reset, they will get a new ID and that data will become abandoned.
So what I want is while a user is anonymous - to keep his stuff local only in Firebase RTDB, but, as soon as he logs in, sync it. Is that possible?
Thanks.
The Firebase Realtime Database is a cloud-hosted database, that continues to work for brief to intermediate moments where you are not connected to the network. If you're looking for a database that works for indefinitely periods of offline, with only a potential synchronization at some point, the Firebase Database might not be a good fit at the moment.
If I understand your question correctly, you should be able to use the database rules to achieve the desired behavior.
Set read to be global, while write is restricted to authenticated users only. When an anonymous user makes an account, the user therefore gains write access and all the local data can then be pushed onto the database.