Firebase: Can decompiling the apk give access to my data and files?

Suppose someone wanted to reverse engineer my Android application by getting the APK file and then customising it to do other things that it shouldn't do, keeping in mind that the APK file will contain the google-services.json file that we download from Firebase when we create the Firebase project to link the Android app.

The question is:

Even though there are security rules on the Realtime Database or Firebase Storage that only allow authenticated users, the hacker can reverse engineer the app and make his own application that has the same google-services.json file. Then, after compiling it, the hacker can create an account and log in to the app (which makes him authenticated), and then maybe he can delete and write data to the Realtime Database.

Can someone please explain how the security holds then?

Asked Dec 06 '18 15:12 by data


1 Answer

In general, you should assume that any code that you ship to a customer could be compromised. You should assume that the device that they're running it on is under their full control, and that they could change the way your code executes on that device. The issue isn't so much that your app gets decompiled, it's that you simply can't control the execution environment in any way (unless of course you manufacture the device and have built in your own hardware security).

The data in google-services.json is not private data. You should assume that the moment you publish an app, everyone will know all the information in that file. Think of that data as unique identifiers that tell your app where to get data. There are no passwords or credentials in that file that allow an attacker to do anything that you have not authorized them to do.

It's up to you to use security rules in conjunction with Firebase Authentication in order to control who can do what to the data hosted in Firebase. It's impossible to stop people from creating random accounts in your app, but it's possible to restrict what they can do.

If you find that your app is subject to some form of abuse, you can shut down the abuser's account, and also contact Firebase support to report abusive behavior.

Answered Oct 18 '22 10:10 by Doug Stevenson
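As an added example (not part of the answer above), here is what "restrict what they can do" looks like in Realtime Database security rules: the `auth != null` rule the question describes, next to per-user rules keyed on the Firebase Auth uid and a staff-only path gated by a custom claim. The paths `weak_example`, `users`, `catalog` and the `admin` claim name are assumed for illustration.

```json
{
  "rules": {
    // Weak form (what the question describes): any signed-in account, including
    // one registered from a repackaged APK, can read and write this whole subtree.
    "weak_example": {
      ".read": "auth != null",
      ".write": "auth != null"
    },

    // Hardened form: each user can only read and write the subtree keyed by
    // their own uid, and every write is shape-checked by .validate rules.
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        "displayName": {
          ".validate": "newData.isString() && newData.val().length <= 50"
        },
        "createdAt": {
          // may be set once on creation and never changed afterwards
          ".validate": "!data.exists() && newData.isNumber()"
        },
        // any other child key is rejected, so a modified client cannot add fields
        "$other": { ".validate": false }
      }
    },

    // Staff-managed data: readable by signed-in users, writable only when the
    // ID token carries an "admin" custom claim. Claims are minted server-side
    // with the Admin SDK, so a repackaged client cannot grant one to itself.
    "catalog": {
      ".read": "auth != null",
      ".write": "auth != null && auth.token.admin === true"
    }
  }
}
```

Since google-services.json identifies the project but grants no privileges, the rules above, not the secrecy of that file, are what decide which writes an attacker-created account can perform.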