I started learning about Firebase for an android, but still can't get my head around some stuff, so I have couple of questions that I would love your help to answer.
1 - Can a user (or a hacker) know my firebase link from the app?
2 - if they did, will they be able to change my stored data without knowing my google email address associated with the database?
Thanks
Unless properly secured, anyone can read or write data to your Firebase database.
To secure your Firebase database you need to write Security Rules.
Firebase Security Rules live on a Firebase server and validate whether someone can access your data.
You also might want to check out this answer too for a beginner explanation.
Related
This question already has answers here:
Is there any way to give everyone access to firestore database, but only via app?
(1 answer)
How can I set Rules in Firebase so that only my app can write on my database firestore?
(1 answer)
Closed 2 years ago.
I am currently building two apps(admin and customer) and both have added in a single firebase project. Both apps are using Firebase Auth(Phone Number) registration process. The admin app is mostly saving details in Firestore DB and the customer app is only can fetch these details for viewing purposes.
Currently, I don't define any rules for them as I am a little new in Firestore/Firebase Rules. But I am wondering to add some rules which will give permission to fetch only those apps which I have added in the same Firebase project where my admin app is. I may be wrong but I think anyone can able to access my admin data by if they will get those names or keys which I am using in my Collections.
So is there any way or rules which will give the data accessing permission to specific apps that I have added in my same firebase project?
There is no way to limit access to "just this app" in Firebase security rules. Anyone can take the configuration data from your app and use it to call the same API as you app uses.
For this reason you will need to make sure that your security rules model the logic that you want. You'll typically replicate some of the data access logic between your client-side application code, and the server-side security rules. This means that you're modeling who can take certain actions, not what code/application they use to do that.
Also see:
How can I set Rules in Firebase so that only my app can write on my database firestore?
Is there any way to give everyone access to firestore database, but only via app?
How to enable access of firestore data to my nativescript app only?
and many more from these previous questions about the topic
I am creating Android application with Firestore. My app does not require authentication. Is there any security rule to allows everyone read & write to firestore, but only via my app?
I have tried to find some rules, but each of them based on authentication.
Thank you for your help!
No, you can't limit access to your Cloud Firestore only to your application.
Since your application needs to know all the details that are needed to access the database, a malicious user can take those details and replicate them with code of their own.
To properly secure access to your database, you'll have to use Firebase's security rules. These are enforced on the server, so can't be by-passed by a malicious user. The logic here is that as long as the interactions with the database follow the rules you've set up, it doesn't really matter who wrote the code.
Also see:
How to enable access of firestore data to my nativescript app only?
Why is it okay to allow writes into Firebase from the client side?
Is it safe to use Firestore and its features via client only?
I was wondering which one would be better, Authentication with Firebase or a database in Firebase. This is the general idea of my project, and I was wondering which one would be best:
I am creating an companion to a game, and this app can be registered to users, or a Clan which is a group of users. I need to group the users into their clans if they choose to do so, so I am guessing the database is better. But, Firebase Authentication seems like an easier process. Is a database better? Also, users will register online with my website, so it can be easier without a register process in-app.
Thank you for reading my post and hopefully for answering it!
-Braythor
You can have users Register/Login using the Firebase Authentication and when they do that you add their username to the database to be able to the group them by clan under different nodes in firebase.
Not sure if this is what you were asking, but you're right that using Firebase Authentication to have users register is easy, so this implementation would allow you to do that while also grouping them by clan in the database.
The title doesn't really indicates what I mean:
I am searching for a secure way to save user data (a point system for a game - under no circumstances the user should have the ability to change his amount of points). And I stumbled across firebase, which seems pretty nice and easy.
But:
If I give the app the rights to directly write the users new points to the database it is pretty insecure, right? I mean, someone could decompile the app and get the keys from firebase so that anyone could write to the database, or am I wrong?
Also, what would be the best way to save those "new point" into a firebase realtime database?
Edit: I am already securing my app with pro-guard but that just makes it more difficult for users to get the key, I guess.
The Firebase configuration data in your app is not a security concern. It is simply information that your app needs to find its Firebase project on the servers. See Is it safe to expose Firebase apiKey to the public?.
To properly secure data you write security rules, which are evaluated on the server. With these you ensure that users can only read the data you want them to and that only authorized users can make valid changes.
In cases where security rules become more complex than is feasible, you can consider proxying the read/write through Cloud Functions for Firebase. With Cloud Functions your code runs on Google's servers, so you have to worry less about user modifying the code for malicious purposes.
its secure if you use cloud code. This way everything is going through the server to save it and a user has no way to change that unless they have access to your cloud code.
I understand that having security is on the top of our "TO-DO" list, we all need it and want it. But i don't understand what could happen if I don't use security rules in my Firebase database.
Currently, I'm developing an app and the way I did it, I haven't implemented security rules to work with the app, so .read and .write is just set to true. User has to log-in through Facebook though to be able to send requests.
I have tried to implement the security rules to work with the app, but I have some bugs, so does it really bother if it stays that way? Is there any way someone could send a "bad" request? What are the risks?
With write set to true anybody who finds your app URL could delete your whole database. They could change whatever they want. Android, ios or websites, nothing is safe as they will be able to find the URL easily.
In addition to Mathew's answer you'll also want to think about abuse to your database.
Any user who knows the URL of your database can:
write any data to your database. So by dumping data, they could push your database over its quota and make your app unusable for your actual users.
use your database for their own uses. They'd be eating up your bandwidth quota. Once your quota has been consumed, your app may become unusable for your actual users.
The above apply to the Spark and Flame plans. If your project is on a metered plan, malicious users can drive up your usage and thus your bill.
Your Firebase Rules generally helps you take care of Server side security. and ensures your data are secure and database protected from malicious user.
So Authenticating a user does not in anyway hep protect your database.
So if you dont have rules in place you could lose all your data. An Authenticated user can simply use a sigle line of code " ref.remove() " and viola all you data in your data base is gone so easy.
So please always ensure you write security Rules to make you firebase database secured.