Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Firebase: Can decompiling the apk give access to my data and files?

Tags:

android

firebase

If someone wanted to reverse engineer my android application by getting the apk file and then customising it to do other things that it shouldn't do. Keeping in mind that the apk file will have the google-services.json file that we download from firebase when we create the firebase project to link the android app.

The question is:

Even though there is security rules on the real time database or firebase storage that only allows authenticated users. Then the hacker can reverse engineer the app and makes his own application that has the same google-services.json file and then when compiling the hacker can create an account and login to the app (which makes him authenticated) and then maybe he can delete and write data to the real time database.

Can someone please explain how the security holds then?

like image 663
data Avatar asked Dec 06 '18 15:12

data

1 Answers

In general, you should assume that any code that you ship to a customer could be compromised. You should assume that the device that they're running it on is under their full control, and that they could change the way your code executes on that device. The issue isn't so much that your app gets decompiled, it's that you simply can't control the execution environment in any way (unless of course you manufacture the device and have built in your own hardware security).

The data in google-services.json is not private data. You should assume that the moment you publish an app, everyone will know all the information in that file. Think of that data as unique identifiers that tell your app where to get data. There are no passwords or credentials in that file that allow an attacker to do anything that you have not authorized them to do.

It's up to you to use security rules in conjunction with Firebase Authentication in order to control who can do what to the data hosted in Firebase. It's impossible to stop people from creating random accounts in your app, but it's possible to restrict what they can do.

If you find that your app is subject to some form of abuse, you can shut down the abuser's account, and also contact Firebase support to report abusive behavior.

like image 91
Doug Stevenson Avatar answered Oct 18 '22 10:10

Doug Stevenson
Sign in to Comment

Related questions

Different exit/enter animations
Http failure response for (unknown url): 0 Unknown Error on android
Dynamic feature. Error: failed processing manifest
Unknown failure (cmd:Failure calling service package: Broken pipe (32))
Android source code compile: failed to build some targets (03:03 (mm:ss))
How to stop soft keyboard resizing Chrome browser window on Android mobiles?
Service has leaked IntentReceiver that was originally registered here. Are you missing a call to unregisterReceiver()?
Fragment Recyclerview onCreateView, onViewCreated or onActivityCreated?
Navigation Drawer in bottomappbar android
Which format Android Studio default code style scheme follows?
kapt An exception occurred: java.lang.OutOfMemoryError: GC overhead limit exceeded
Navigate between headings with swipe while using talkback
Cant move a simple button around a constraint layout
Superpowered: can't get TimeStretching to work correctly, the output sound is distorted
token android.os.BinderProxy@e4f4f2b is not valid; is your activity running?
ConstraintLayout Does Not Work Properly in a Bottom Sheet View
Why we use the removeClippedSubviews property in the View component in react-native?
Update single item GoolgeMap Cluster
Android Firebase ML-Kit real time Barcode Detection through Camera
How do I configure Androids sdkmanager command line tool to use custom repository?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!