Locking down Firebase DB access to specific apps

Question

I think from searching the web this is not technically possible but I want to ask again in case I'm missing something.

I have an app that uses Firebase. Reading and writing is locked down through security rules for authorised users only but there's certain information I want unauthorised users to be able to access (so I don't have to put a login wall in front of them, influencing churn).

What I want to know is, is there any way of locking down this read access that only my app can call the DB? I know I can lock down domains to prevent someone writing localhost scrapers but what's to stop someone cloning and re-skinning an app and pointing it to the same back end? Is it possible to achieve this using your certificates fingerprint?

Answer 1

There is no way to limit access to your database to just your app. That just doesn't match with the cloud-based nature of the Firebase APIs. Anyone that knows the URL of your database can in in principle access it, and security rule are the way to ensure all access is authorized.

Note that security rules are not an all-or-nothing approach: you can require sign-in for some parts of your database, while leaving other parts publicly readable. But you can't make the publicly readable parts only be readable by your own app.

Some previous questions on the same topic:

• how to make sure only my own website (clientside code) can talk to Firebase backend? (pretty much my go-to answer for this)
• How to allow only my app to access firebase without a login?
• Restrict Firebase database access to one Android app
• How to allow only my app to access firebase without a login?

Update: since May 2021 you can actually restrict access to just users of your App by implementing Firebase App Check.