Sniffing Firebase network traffic with Charles on Android, not working...

1,543 views
Skip to first unread message

Kazim Baygan

unread,
Aug 3, 2015, 5:26:27 PM8/3/15
to Firebase Google Group
I have an Android app, with a Firebase backend.

I am passing sensitive data as part of the "child" path structure as follows:

Firebase ref = new Firebase("<FirebaseRootUrlForMyApp>").child("Sensitive").child("another key").setValue(whatever);

My main question is: Can someone sniff this information? Does 'sensitive' stuff become part of the URL or is it posted encrypted?

I tried to sniff it my self, using Charles proxy tool and I can not see a thing (other than auth login using SSL).

I am guessing all communication is happening at a socket level and not at http(s) level. Is this correct? If this is the case, I am guessing it is encrypted along the way.

Thanks for your help

Kaz

Jonny Dimond

unread,
Aug 4, 2015, 10:06:33 PM8/4/15
to Firebase Google Group
Hi Kaz,

Firebase uses WebSockets under the hood and the server only accepts connections using TLS/SSL. Essentially Firebase connections cannot be sniffed and can be considered as secure as TLS/SSL.

Jonny
Reply all
Reply to author
Forward
0 new messages