I have created an Admin portal using firebase which shows the details of the users registered in my android app. As soon as they register in my app, the user is created inside the firebase Auth. Now I am concerned about the security of the site as my firebase API key is visible to everyone. So if they use that key, then they can easily access my firebase database and fetch the data using a simple javascript. So I wanted to know any solution to avoid this security problem???
Related
I have implemented an Android application where the user can register to a webserver and log in with an e-mail address and a chosen password to the app. In the app, the user can use all the app features. One feature should be a chat application.
I thought about realizing the chat app with Firebase Realtime Database. To protect the access, I thought about authentification as an access rule for the database. In general, the registration would be linked to the Firebase authentication. As I have my own registration and login, I would like to ask if there is an option to use my own login data for authentification. And can it be linked to the Firebase Realtime Database?
As I have my own registration and login, I would like to ask if there is an option to use my own login data for authentification. And can it be linked to the Firebase Realtime Database?
You can use your own authentication, but if you want to sign in to Firebase, you need to create a custom token. Once you do that, you'll be able to write security rules.
I have an app which is already published on the play store and uses some firebase databases whose security rules are public. So in order to make the rules private and fit in the security rules. I would have to implement Firebase Auth.
So my app login flow works as in identifying the user with their phone number OTP verification.
First, I don't want the user to change their login flow. Like I don't want to integrate Social Login.
So is there a way I can use Firebase Phone Auth to my existing flow and get the uid of the user so that in the Firebase DB rules I can use that uid for my auth?
Please help me! I am stuck at this and couldn't find any solution.
If I understand correctly you use a phone number OTP system that is not Firebase Authentication to identify your users.
There is no way to tie that existing flow to Firebase's phone number authentication that I can think of.
The two options that come to mind:
Replace your existing authentication system with Firebase Authentication, and map their new (Firebase) UID to the previous ID system.
Keep using your own phone number verification, and mint a custom Firebase token for your users based on that, then use that to sign in to Firebase. Generating custom tokens can only be done in a trusted environment though.
I am working on an android application connected with firebase.
As we know that the api key and database name as being stored in strings.xml in apl file so they can be easily extracted.
As I told one of my friend his email-id and password for testing purpose.
The issue is that he was able to see all the data in the firebase realtime database by using the restAPI.
I had used sha1 but since the firebase is responding to the other links.
Is there any other way in which the firebase will respond to the request generated by the android app and not any web or ios.
Credentials for accessing Firebase are not platform specific. Once you know the credentials of a user, you can access the platform as that user.
For this reason you should never share your credentials with someone else, but instead give them access to your project with their credentials.
The simplest way to fix your problem now is to change the password of your account. After doing that, the other user will lose access within an hour.
The configuration data that is added to your Android app through google-services.json is just configuration data. It is in no way meant as authentication for your app. For more on this see Is it safe to expose Firebase apiKey to the public? and How to prevent other access to my firebase.
I want to build an Android app that uses firebase authentication google sign in. But want to use a custom database(eg MySQL) which will store some video files.
I want to keep a track of the videos that my users will be watching.
Can i connect the firebase to my custom database so that it can hold data of the user's behaviors.
If you're asking if you can use Firebase Authentication, but use your own database, that's fine. You have the option of picking and choosing which parts of Firebase meet your needs. You need not commit to any part of Firebase that does not.
If you're asking if Firebase (both Realtime Database and Firestore) can act as a proxy for other databases, that's not possible.
i'm creating an android app, which requires some authentication system. I want to have 3 options to log in users: mail&password, facebook login and anonymous access (in case of anonymous i'll create some kind of anonymous account, so user'll be able to give his credentials later and secure his account with 'normal' password).
I'll also have my own webservice for this app. Webservice is in fact the most crucial part and android app will just show data from WS and put some new data on it.
I'll be using Firebase for handling notifications.
My question is: should i use Firebase authentication in this scenario or maybe it's better to stay with own authentication system? If i use Firebase i still need to have users in my database (webservice requires some info about users).
Is firebase authentication good choice for project like that?
Even in the case of Firebase where we use firebase authentication and the firebase database together, only a few details of user(user id, login email or number, provider details etc) are available under the Authentication tab. The rest of the details we receive after login and other custom user information we collect from the app have to be saved in the Firebase database.
So even if you have another Web service instead of using Firebase Database, you can use Firebase Authentication. There are definitely great advantages if you use Firebase Authentication.
Save time on developing Webservice methods for authentication :
Instead, you can just have a method to store user information after the user authenticates with Firebase. Also, there is considerable time saved since you can avoid developing server-side methods for different kinds of token verification in case you want to add social logins like Facebook and Google.
All that will be handled efficiently with Firebase.
Detailed Analytics: Also with Firebase authentication, you can also get good analytics and demographic information of users.
You don't have to use Firebase authentication in order to use FireBase Push Notifications, Invites, etc.
That's one of the beauties of Firebase; you can choose which service to use.
Since everything is built already, I would continue to use your own Auth system
You can save all users, and you can authenticate with Google, Facebook, only email.
It's like a database online and it's easy to connect with the same at Android Studio and after you can login with the users.