How Secure is Firebase Local Database in Android?

Question

I am planning to switch to Firebase as my local and online database for my Android app. As per the docs, Firebase stores changes to the local database first and then pushed it to the online DB when network is available.

In my app, I would be putting some really sensitive data about the user in the database. So here are my questions,

1. How secure is the local Firebase database?

2. How difficult is it for a well-intentioned hacker with the right tools to hack it?

3. Is it just a simple JSON file like the online database, which anyone with root access can open?

Thanks.

Answer 1

In a general sense, Firebase Realtime Database can be used while offline. However, the expectation is that the app is supposed to be connected most of the time, and changes to the database that happen while offline will be synchronized when it has connectivity. 100% offline use is not really a supported use case, because the canonical data store is on the server.

The local copy of the database is limited to (10MB, at least on Android this is the case). If you intend to write to the database beyond this limit while offline, it will evict part of your cached data to make room for whatever you’re adding. Then, you will no longer be able to read those evicted values until the app goes back online. Worse, managing a growing list of writes to apply when back online is taxing on the app, so you don’t want to plan a lot of writes while offline.

Also, if you have permissions or validations defined for your database, these can only be checked on the server. So, if you’re doing offline writing to your local cache and you no longer have an active listener, you may never know if those writes fail.

Because of these caveats, it’s better not to think of Firebase Realtime Database as an “offline” database. It’s better to think of it as a “synchronized” database that actively syncs to the server while connectivity is present.