How Secure is Firebase Real-time (Online) database for Android?

Question

I have just recently started using Google's firebase as an online centralized database for android apps data (migrating from using local sqlite).

Being a newbie on firebase I would like to ask how secure is the firebase online database for android?

Reading from the following threads, does it really seem like anyone who can get access to google-services.json can insert and modify online data from my firebase database?

• Should I add the google-services.json (from Firebase) to my repository?
• Is google-services.json safe from hackers?

I am concerned how anyone who can get access to a decompiled apk's configuration file (google-services.json) can use it in their android project, say, to create an android app with a similar package name and push malicious data or delete from my firebase database.

Can you give advice if there are new and clever workarounds to making the online database more secure?

So far to add security, I have tried to:

1. Edit firebase's Database Rules to:

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

2. Add firebase Email/Password authentication to my app to control login.

   However, I find that newly-created apps even without the authentication feature can still push and modify data into the online firebase database, just by using the "hacked" google-services.json.

Thank you for your comments and suggestions!

Answer 1

Welcome to the joys of what effectively is a two tier system. You can do several things to protect your data - but not for free.

First some facts:

1. He who has the credentials to the database can access it
2. if the app can access the data, then your database credentials are effectively available to anyone who can extract it from your app

There are counter measures that can raise the bar for an attacker, but a determined (or lucky) attacker can get access. And if he has access it is very difficult to prevent him from doing damage because e.g. changing the DB credentials will also force all of your users to update.

What you could do is

1. decide that protecting the data is not worth the effort and that you/your management can live with the risk (but then you‘d have a decission and are done)

2. Use the firebase ACL as you already did. To create user specific „depots“ use per user nodes (see below, it won‘t render code here). The configuration happens in the console.

3. Build business logic on a server and place all credentials there. This will ensure that you have full control

4. prevent the apps from reading the data in plaintext. Use public key algorithms to encrypt the data. Keep the private key on the systems that has to read the data. Then the app cannot read the data in plain (but still e.g. find out how much you have and what the rate of change is). This also will not prevent manipulation or deletion of data.

Example ACL:

// These rules grant access to a node matching the authenticated
// user's ID from the Firebase auth token
{
  "rules": {
"users": {
  "$uid": {
    ".read": "$uid === auth.uid",
    ".write": "$uid === auth.uid"
      }
    }
  }