Firebase provides database back-end so that developers can focus on the client side code.
So if someone takes my Firebase URI (for example, https://firebaseinstance.firebaseio.com) and then develops on it locally, would they be able to create another app off my Firebase instance, sign up and authenticate themselves, and read all the data of my Firebase app?
Thanks to both of you for this discussion. However, I wanted to add a detail.
@Frank van Puffelen,
You mentioned the phishing attack. There actually is a way to secure against that.
If you log in to your Google APIs API Manager console, you have an option to lock down which HTTP referrers your app will accept requests from.
- visit https://console.developers.google.com/apis
- Go to your firebase project
- Go to credentials
- Under API keys, select the Browser key associated with your firebase project (should have the same key as the API key you use to initialize your firebase app.)
- Under "Accept requests from these HTTP referrers (web sites)", simply add the URL of your app.
This should only allow the whitelisted domain to use your app.
This is also described in the Firebase launch checklist: https://firebase.google.com/support/guides/launch-checklist
Perhaps the firebase documentation could make this more visible or automatically lock down the domain by default and require users to allow access?
Again, thanks so much!
The fact that someone knows your URL is not a security risk.
For example: I have no problem telling you that my bank hosts its web site at bankofamerica.com and it speaks the HTTP protocol there. Unless you also know the credentials I use to access that site, knowing the URL doesn't do you any good.
To secure your data, your database should be protected with:
- validation rules that ensure all data adheres to a structure that you want
- authorization rules to ensure that each bit of data can only be read and modified by the authorized users
This is all covered in the Firebase documentation on Security & Rules, which I highly recommend.
With these security rules in place, the only way somebody else's app can access the data in your database is if they copy the functionality of your application, have the users sign in to their app instead of yours, and sign in/read from/write to your database; essentially a phishing attack. In that case there is no security problem in the database, although it's probably time to get some authorities involved.
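As an added illustration of the two kinds of rules named in this answer (not code from the answer's author or from the Firebase documentation), here is a Realtime Database rules file that combines authorization rules (each user may only touch their own node) with validation rules (the node must have exactly the expected shape). The `users/$uid` path and the `name` and `email` fields are assumptions made up for the example; anything not matched by a rule is denied by default.

```json
{
  "rules": {
    // Nothing is readable or writable at the root; access is granted only below.
    ".read": false,
    ".write": false,

    "users": {
      "$uid": {
        // Authorization: only the signed-in user whose uid matches this key
        // may read or write the node, so knowing the database URL alone is useless.
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",

        // Validation: a user record must carry exactly these children.
        ".validate": "newData.hasChildren(['name', 'email'])",

        "name": {
          ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length <= 100"
        },
        "email": {
          ".validate": "newData.isString() && newData.val().matches(/^[^@]+@[^@]+$/)"
        },

        // Any child not listed above is rejected (assumed field set for this example).
        "$other": {
          ".validate": false
        }
      }
    }
  }
}
```

Reading rules cascade downward (a `.read` granted at `users/$uid` covers everything beneath it), while `.validate` rules are evaluated for every write to the node and all of its children, so a write that satisfies the `.write` rule but breaks the structure is still refused.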
Regarding the Auth white-listing for mobile apps, where a domain name is not applicable, Firebase has:
1) SHA1 fingerprint for Android apps
2) App Store ID and Bundle ID and Team ID (if necessary) for your iOS apps
which you will have to configure in the Firebase console.
With this protection, validation is not just whether someone has a valid API key, Auth domain, etc., but also whether the request is coming from our authorized apps and from the authorized domain name/HTTP referrer in the case of Web.
That said, we don't have to worry if these API keys and other connection params are exposed to others.
For more info, see https://firebase.google.com/support/guides/launch-checklist