I have just recently started using Google's firebase as an online centralized database for android apps data (migrating from using local sqlite).
Being a newbie on firebase I would like to ask how secure is the firebase online database for android?
Reading from the following threads, does it really seem like anyone who can get access to google-services.json can insert and modify online data from my firebase database?
- Should I add the google-services.json (from Firebase) to my repository?
- Is google-services.json safe from hackers?
I am concerned how anyone who can get access to a decompiled apk's configuration file (google-services.json) can use it in their android project, say, to create an android app with a similar package name and push malicious data or delete from my firebase database.
Can you give advice if there are new and clever workarounds to making the online database more secure?
So far to add security, I have tried to:
- Edit firebase's Database Rules to:
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
Add firebase Email/Password authentication to my app to control login.
However, I find that newly-created apps even without the authentication feature can still push and modify data into the online firebase database, just by using the "hacked" google-services.json.
Thank you for your comments and suggestions!
Welcome to the joys of what effectively is a two tier system. You can do several things to protect your data - but not for free.
First some facts:
- He who has the credentials to the database can access it
- if the app can access the data, then your database credentials are effectively available to anyone who can extract it from your app
There are counter measures that can raise the bar for an attacker, but a determined (or lucky) attacker can get access. And if he has access it is very difficult to prevent him from doing damage because e.g. changing the DB credentials will also force all of your users to update.
What you could do is
decide that protecting the data is not worth the effort and that you/your management can live with the risk (but then you‘d have a decission and are done)
Use the firebase ACL as you already did. To create user specific „depots“ use per user nodes (see below, it won‘t render code here). The configuration happens in the console.
Build business logic on a server and place all credentials there. This will ensure that you have full control
prevent the apps from reading the data in plaintext. Use public key algorithms to encrypt the data. Keep the private key on the systems that has to read the data. Then the app cannot read the data in plain (but still e.g. find out how much you have and what the rate of change is). This also will not prevent manipulation or deletion of data.
Example ACL:
// These rules grant access to a node matching the authenticated
// user's ID from the Firebase auth token
{
"rules": {
"users": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
Some Firebase project approaches like the regular Android and Web (JS) quickstart projects expose the risk of sharing the firebase project's access and credentials to users. The only way to secure firebase data (if firebase credentials can't be opted to be hidden from front-facing clients) is indeed as @Jens proposed, by properly defining and structuring the Security Rules. Malicious hackers will have a tough time playing with your data, even if they can access your project credentials. More informative instructions can be found here:
- Secure Your Data
- Firebase Database Security Rules API
As a quick update to the exposure of firebase project credentials, I found that communicating to Firebase using backend scripts will eliminate this concern because the scripts and code implementation are hidden from the users. Firebase offers an excellent support for REST API's on a variety of helper libraries such as NodeJS, PHP, Python, to name a few. Usage of REST API's plus Security Rules will make our firebase credentials and data more private and secure.