I'm working on an Android app that reads from a Firebase database. App users won't be logging in or modifying the database. All app users will be looking at the same data; I'm using Firebase for its real-time update features.
Ideally, I would like to restrict access to the database so that only my app can read the data.
I am aware of a few things I could do:
1. Write security rules that allow anyone to read, that is
    {
      "rules": {
        ".read": true,
        ".write": false
      }
    }
Con: Anyone can read :(
2. Write security rules that allow authenticated users to read, then hard code the username and password into the app
    {
      "rules": {
        "$user_id": {
          ".read": "auth.uid === $user_id",
          ".write": false
        }
      }
    }
Con: Hard coding a username and password in an app seems very wrong. Plus, it doesn't actually lock down the database, since anyone could decompile the app, grab the google-services.json and the hard-coded user name/password, and write their own app that shared my package name.
Googling has revealed this, which is specific to writing, and this, which says "no" but is a few years old.
What is the correct approach to restricting access to the database? Am I approaching this from the wrong direction?
There is no way to limit access to your database to just your app. That just doesn't match with the cloud-based nature of the Firebase APIs. Anyone that knows the URL of your database can in principle access it, and security rules are the way to ensure all access is authorized.
Yes, you can use the same firebase database in more than one android application as below: In the Project Overview section of Firebase Console add an android application.
The answer is anyone. Firebase doesn't require an SQL user or anything, just connect. Use firebase security rules, validation rules, and functions, to guarantee data consistency.
You can connect your Android app firebase using two methods. Open the Firebase console and go to the Real-time Database portion. You’ll be asked to choose a Firebase project that already exists. Follow the steps for creating a database.
Navigate to the Realtime Database section of the Firebase console. You'll be prompted to select an existing Firebase project. Follow the database creation workflow. Select a starting mode for your Firebase Security Rules:
By using the Firebase Android BoM, your app will always use compatible versions of the Firebase Android libraries. (Alternative) Declare Firebase library dependencies without using the BoM
3. Use FirebaseAuth and signInAnonymously() method
reference: https://firebase.google.com/docs/auth/android/anonymous-auth
Then adjust security rules:
    {
      "rules": {
        ".read": "auth != null",
        ...
      }
    }
Con: multiple accounts used only for reading the same data
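The client side of option 3, as an added example that is not part of the original question or answers: it signs in anonymously once, reuses that session on later launches, and handles the case where the `auth != null` rule rejects the read. The path `public_data`, the log tag and the function names are placeholders chosen for illustration.

```kotlin
// Added example (not from the original thread). "public_data", TAG and the
// function names are hypothetical placeholders.
import android.util.Log
import com.google.firebase.auth.FirebaseAuth
import com.google.firebase.database.DataSnapshot
import com.google.firebase.database.DatabaseError
import com.google.firebase.database.FirebaseDatabase
import com.google.firebase.database.ValueEventListener

private const val TAG = "ReadOnlyFeed"

/** Ensures an anonymous session exists, then starts listening for updates. */
fun startReadOnlyFeed(onUpdate: (DataSnapshot) -> Unit) {
    val auth = FirebaseAuth.getInstance()

    // An anonymous account persists across app restarts, so only create one
    // when there is no current user; this avoids a new uid on every launch.
    if (auth.currentUser != null) {
        attachListener(onUpdate)
        return
    }
    auth.signInAnonymously()
        .addOnSuccessListener { attachListener(onUpdate) }
        .addOnFailureListener { e -> Log.w(TAG, "Anonymous sign-in failed", e) }
}

private fun attachListener(onUpdate: (DataSnapshot) -> Unit) {
    val ref = FirebaseDatabase.getInstance().getReference("public_data") // placeholder path
    ref.addValueEventListener(object : ValueEventListener {
        override fun onDataChange(snapshot: DataSnapshot) = onUpdate(snapshot)

        override fun onCancelled(error: DatabaseError) {
            // With ".read": "auth != null", a read made without a valid auth
            // token is cancelled with PERMISSION_DENIED.
            if (error.code == DatabaseError.PERMISSION_DENIED) {
                Log.w(TAG, "Read rejected by security rules: ${error.message}")
            } else {
                Log.w(TAG, "Listener cancelled", error.toException())
            }
        }
    })
}
```

The rule only checks that a token is present, so this does not restrict reads to one app; it ties each read to an anonymous uid, which is the trade-off named in the con above.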