The title doesn't really indicates what I mean:
I am searching for a secure way to save user data (a point system for a game - under no circumstances the user should have the ability to change his amount of points). And I stumbled across firebase, which seems pretty nice and easy.
But:
If I give the app the rights to directly write the users new points to the database it is pretty insecure, right? I mean, someone could decompile the app and get the keys from firebase so that anyone could write to the database, or am I wrong?
Also, what would be the best way to save those "new point" into a firebase realtime database?
Edit: I am already securing my app with pro-guard but that just makes it more difficult for users to get the key, I guess.
The Firebase configuration data in your app is not a security concern. It is simply information that your app needs to find its Firebase project on the servers. See Is it safe to expose Firebase apiKey to the public?.
To properly secure data you write security rules, which are evaluated on the server. With these you ensure that users can only read the data you want them to and that only authorized users can make valid changes.
In cases where security rules become more complex than is feasible, you can consider proxying the read/write through Cloud Functions for Firebase. With Cloud Functions your code runs on Google's servers, so you have to worry less about user modifying the code for malicious purposes.
its secure if you use cloud code. This way everything is going through the server to save it and a user has no way to change that unless they have access to your cloud code.
Related
I've created an app, which uses the Firebase Realtime Database.
I have a pretty big problem with the security rules. My users don't need to login use the app, they can send the data to the database without any authentication.
For example: it's a simple game, they can play with each other, then they can save the scores.
I would like to create a secure database, but anyone can write & read it. What is the best solution? Anonymous authentication?
If you don't secure your database, anyone can write any score.
Worse, anyone can write their own app to use your database, and you'll then end up paying for it. If you don't want this, write rules that only allow the exact interaction that is valid for your app.
If you don't want to require (even anonymous) authentication, at the very least write validation rules that ensure the data that is written follows the business rules of your app and code. That at least makes it less interesting for others to abuse your database for their own purposes.
Anonymous auth is better than no auth at all. But you will need to take care to write rules that allow each user appropriate access to whatever parts of the database they should have access to. Simply allowing all anonymously auth'd users to read and write everything is still not really "secure" at all.
I am creating Android application with Firestore. My app does not require authentication. Is there any security rule to allows everyone read & write to firestore, but only via my app?
I have tried to find some rules, but each of them based on authentication.
Thank you for your help!
No, you can't limit access to your Cloud Firestore only to your application.
Since your application needs to know all the details that are needed to access the database, a malicious user can take those details and replicate them with code of their own.
To properly secure access to your database, you'll have to use Firebase's security rules. These are enforced on the server, so can't be by-passed by a malicious user. The logic here is that as long as the interactions with the database follow the rules you've set up, it doesn't really matter who wrote the code.
Also see:
How to enable access of firestore data to my nativescript app only?
Why is it okay to allow writes into Firebase from the client side?
Is it safe to use Firestore and its features via client only?
I have a project where one app needs to access multiple databases sharded across multiple firebase projects. Now since it's the same app, i can't use the same SHA1 across all the projects where i add the app.
I do not add any google-services.json files for any of the projects, instead i fetch the database url, the storage bucket info, the api-key and the appids for each project from my own server which keeps a track of all the sharded firebase projects.
My question is, with just this much information, can anyone just authenticate to firebase?
There's no SHA1 protection so is my db even safe even with the auth!=null rule? (since anyone can initialize FirebaseApp with this info and get a FirebaseAuth instance and sign in anonymously). In summary for this one, can anyone just make an app of their own, use the info and access/manipulate my database?
How can i secure my app if it's not secure with the current configuration
Yes, that should be enough information to create a web app that connects to your database.
But this should not be a problem if the database rules and auth providers are the right ones for your case. For example:
If you don't want anonymous Users to authenticate with your app, disable the option in the Firebase console.
If you want to give access only to a limited set of users without enabling new signups (or if you have special requirements for auth) then user a custom auth provider.
If you want to limit access to certain parts of your database (or need different user roles) adjust your database rules.
I hope that answers your question!
After a little research and a little brain storming, i came to the conclusion that Oauth domain which by default is localhost and the firebase-app domain will prevent anyone from directly authenticating to my Firebase app.
Even if the api-key and other info is exposed, as long as the service-account is hidden, the auth-domain will protect my app since the auth-domain will cause the authentication from a non-authorized domain to fail. Maybe I'll even want to remove the localhost in production :)
I understand that having security is on the top of our "TO-DO" list, we all need it and want it. But i don't understand what could happen if I don't use security rules in my Firebase database.
Currently, I'm developing an app and the way I did it, I haven't implemented security rules to work with the app, so .read and .write is just set to true. User has to log-in through Facebook though to be able to send requests.
I have tried to implement the security rules to work with the app, but I have some bugs, so does it really bother if it stays that way? Is there any way someone could send a "bad" request? What are the risks?
With write set to true anybody who finds your app URL could delete your whole database. They could change whatever they want. Android, ios or websites, nothing is safe as they will be able to find the URL easily.
In addition to Mathew's answer you'll also want to think about abuse to your database.
Any user who knows the URL of your database can:
write any data to your database. So by dumping data, they could push your database over its quota and make your app unusable for your actual users.
use your database for their own uses. They'd be eating up your bandwidth quota. Once your quota has been consumed, your app may become unusable for your actual users.
The above apply to the Spark and Flame plans. If your project is on a metered plan, malicious users can drive up your usage and thus your bill.
Your Firebase Rules generally helps you take care of Server side security. and ensures your data are secure and database protected from malicious user.
So Authenticating a user does not in anyway hep protect your database.
So if you dont have rules in place you could lose all your data. An Authenticated user can simply use a sigle line of code " ref.remove() " and viola all you data in your data base is gone so easy.
So please always ensure you write security Rules to make you firebase database secured.
I am surprised that, as I understand it, any app can potentially clone my Parse's Client KEY and App ID and act exactly as if it were my app, enabling and authenticating users on my app, having access to the same database and the same Cloud Code. So it is? Is there a way to avoid this?
EDIT:
My question is not related to privacy or data owned by the user. I read about the right way to use ACL, level permission of class, masterkey and so on.
But the question is how to prevent that another app cloning my KEY/ID can lean to the data of my app and do whatever we can make by my app, mixing its database with mine and also impacting on the request counter.
All the Parse Application and client keys (except for the master key) are considered public information and NOT secrets. This is clearly mentioned in the Parse documentation. There is no way to hide them and they will be part of your app/website and they can be easily retrieved by any user. This means any data in your classes with Public read access can be retrieved by anybody. Read Parse documentation on how to secure your app against malicious users.