firebase on app security


Andrés Mireles

Jan 23, 2021, 10:57:44 PM
to Firebase Google Group
Hello,

My name is Andrés. First of all, sorry for my English, I am not a native speaker.

Currently, I am using Firebase services, specifically the Firebase Storage and Cloud Functions services. I am developing an app and I am worried about the security of my project. In my app (I am using Flutter) I have the URL of my Firebase project where I use Storage and Cloud Functions, and I wonder: if someone reads the code of the APK of my app via reverse engineering and finds the URL, could that person read, write and call the functions as many times as he wanted? I am worried because that would increase the bill of my project while accessing all the information of my project.

Thanks for reading and hope you can help me.

Andrés.

onabanjo ademola

Jan 24, 2021, 11:44:51 AM
to fireba...@googlegroups.com
Firebase Database, Firestore and Firebase Storage are all integrated with security rules. These security rules let you control who can write and read your data. They also validate your data structure by rejecting a write if it doesn't meet your standards (e.g. if the write isn't a number, if the write isn't a string, if the write doesn't contain, start with or end with a particular string, if the write isn't a current server timestamp, prevention of deletion or creation of new data, etc.). Security rules can also validate data with regex expressions.

With all this functionality offered via security rules, your data in firebase is secured.

As for Cloud Functions, you can bypass these security rules by using the Admin API. Cloud Functions doesn't require security rules because your code can't be seen, edited, created or deleted.


Sam Stern

Jan 25, 2021, 5:21:55 AM
to Firebase Google Group
Hi Andres,

If the URL in your app points to an HTTP Cloud Function then the answer is yes, that is a public HTTP resource and anyone who knows the URL can call it as much as they want. This is not specific to Firebase though; this is the case with any backend to any app! The important thing is to make sure that at the start of your function, before you do anything sensitive, you perform some kind of check to make sure the user is authenticated and exit early if not.

If your app uses Firebase Authentication (which you should!) then using Callable Functions makes this very simple:
https://firebase.google.com/docs/functions/callable

- Sam
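As an added illustration of the "check authentication first, exit early" pattern Sam describes (example code, not from this thread or from the Firebase project): a Callable Function handler whose first statement is the auth guard. A callable invoked without a valid Firebase ID token arrives with no `context.auth`, so the handler rejects before any sensitive code runs. To keep the example runnable offline, `HttpsError` is a minimal stand-in that mirrors the shape of `functions.https.HttpsError`; in a real project you would import it from `firebase-functions` and register the handler with `functions.https.onCall(getProfileHandler)`. The profile store and the uid `uid-alice` are constructed sample data.

```javascript
// Stand-in for functions.https.HttpsError (assumption: same constructor shape,
// i.e. a gRPC-style code string plus a message). Replace with the real class
// from 'firebase-functions' when deploying.
class HttpsError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code;
  }
}

// The guard: runs before anything else in the handler. The Callable SDK only
// populates context.auth when the request carried a verified Firebase ID token,
// so an anonymous caller who merely knows the function URL is stopped here.
function requireAuth(context) {
  if (!context || !context.auth || !context.auth.uid) {
    throw new HttpsError('unauthenticated', 'Sign in required.');
  }
  return context.auth.uid;
}

// Constructed sample data standing in for a Firestore/RTDB read.
const profiles = new Map([
  ['uid-alice', { displayName: 'Alice', plan: 'pro' }],
]);

// Counts how often the sensitive section actually executed, so the early-exit
// behaviour can be observed rather than assumed.
let sensitiveCalls = 0;

// Handler body for a hypothetical callable `getProfile`.
// Real wiring: exports.getProfile = functions.https.onCall(getProfileHandler);
function getProfileHandler(data, context) {
  const uid = requireAuth(context); // exit early if the caller is not signed in
  sensitiveCalls += 1;              // everything below is "sensitive work"
  const profile = profiles.get(uid);
  if (!profile) throw new HttpsError('not-found', 'No profile for this user.');
  // Use the uid from the verified token, never one supplied by the client in `data`.
  return { uid, ...profile };
}

// Simulates a caller who found the URL by decompiling the APK but has no
// Firebase session: the SDK would hand the handler a context without `auth`.
function callWithoutAuth() {
  try {
    getProfileHandler({}, { auth: null, rawRequest: {} });
    return null;
  } catch (e) {
    return e.code;
  }
}

// Simulates a signed-in caller whose ID token the SDK already verified.
function callAsAlice() {
  return getProfileHandler({}, { auth: { uid: 'uid-alice', token: {} }, rawRequest: {} });
}

function sensitiveCallCount() {
  return sensitiveCalls;
}
```

The point of routing the check through `requireAuth` is that every callable in the project starts with the same one-liner, so a missing check is easy to spot in review. Note that the guard only answers "is this a signed-in user?"; it does not by itself limit how many times a signed-in user can call the function, so billing exposure from a legitimately authenticated but abusive client still has to be handled separately.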
