 

How to prevent a hacker from reading/writing on firebase database


I have some questions about securing a Firebase database for mobile applications.

For example, after decompiling an Android application, a hacker can get the Firebase API key and then get access to the Firebase database, is this correct?

Let's assume I added some security rules, for example that an app can read/write on Firebase only if auth != null. This means the authentication is protecting my Firebase database, but it leads me to ask the same question: if I configure Facebook/Google or even Firebase email authentication, I'm going to need some API keys for those providers in my application. If a hacker got access to those keys, would he be able to use my authentication in his own application and get access to my Firebase data?

I want to understand what to do in Android applications to make sure only my application will get access to the Firebase database.

Asked by Anas EL HAJJAJI, Dec 07 '17 02:12



1 Answer

After decompiling an Android application, a hacker can get the Firebase API key and then get access to the Firebase database, is this correct?

Only if your database does not use any security rules that limit access to only authenticated users.

If I configure Facebook/Google or even Firebase email authentication, I'm going to need some API keys for those providers in my application. If a hacker got access to those keys, would he be able to use my authentication in his own application and get access to my Firebase data?

No, it doesn't work that way.

Each user authenticated with Firebase is issued a token that's used to identify the user when they access protected services, such as Realtime Database, Firestore, or Storage. This token is valid for 1 hour and must be refreshed after that, which the SDK will do automatically.

For a hacker to gain control of that user's data, they would have to obtain this token, and they would have no more than an hour to work with it. After that, they would have to obtain the next token obtained by the SDK. All this would have to happen on the user's device.

Answered by Doug Stevenson, Sep 22 '22 12:09

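The following Realtime Database rules file is an added illustration, not code from the question or the answer. It shows the open rules the question worries about, the auth != null rule it proposes, and, going one step beyond the thread, a per-user scoping that ties each subtree to the uid carried in the verified token the answer describes; the users/$uid layout is an assumed example structure.

```json
{
  "rules": {
    // Open rules (the situation the question fears): possession of the extracted
    // API key is enough, because the key only identifies the project and grants
    // nothing by itself; these rules are what actually hand out access.
    // ".read": true,
    // ".write": true,

    // The rule from the question: any signed-in user, from any configured
    // provider, may read and write the whole tree. Rules cascade downward, so a
    // grant at the root cannot be narrowed again on a child path.
    // ".read": "auth != null",
    // ".write": "auth != null",

    // Tighter (assumed layout): each signed-in user reaches only their own
    // subtree. auth.uid is taken from the ID token Firebase verifies server-side,
    // not from anything the client chooses to send, so a third-party app that
    // copied the provider keys still cannot act as a different user.
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    }
    // Everything not matched above stays denied by default.
  }
}
```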