Firebase Admin Security (Database Secrets)


Steve

Aug 26, 2016, 10:13:35 AM
to Firebase Google Group
Hi,

I am a big fan of Firebase, and I am really curious to ask about the security of the Firebase admin using database secrets.
First, is it true that since the APK can be opened (reverse engineered, or opened as a zip maybe), and people can see the database secrets in the google-services.json, people can use it to access the database as an admin, which neglects any of the security and rules?

Best Regards
Steve

Mike Mcdonald

Aug 27, 2016, 11:46:22 AM
to Firebase Google Group
Hi Steve,

We don't ship the Realtime Database secret (or any other "secret" material) in the json file/plist. That file simply contains resource identifiers that allow us to know which resources (database, storage bucket, analytics, etc.) to properly authenticate to (we use Instance ID and Firebase Authentication for these purposes), and we handle server side authorization to ensure that users are properly logged in.

As for the second part, yes, if someone has your Database secret, they can access the Database as an administrator and read/write anything, mint custom tokens, etc. You can revoke a secret if it leaks, so be very careful when using them and only use them on trusted platforms (your own servers, etc.).

Thanks,
--Mike
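
As an added example (not from the thread, and not Firebase's own tooling), a small defensive check of the kind Mike's answer implies: audit a google-services.json before it ships inside an app and confirm it carries only resource identifiers, flagging any field whose name or value looks like server-side credential material. The sample configs, the EXPECTED_KEYS list and the regexes below are constructed assumptions.

```python
import json
import re

# Leaf keys a google-services.json is expected to contain: resource identifiers
# only (assumed list of the public app-configuration fields, not a Firebase spec).
EXPECTED_KEYS = {
    "project_number", "firebase_url", "project_id", "storage_bucket",
    "mobilesdk_app_id", "package_name", "current_key", "client_id",
    "client_type", "configuration_version",
}
# Key names that indicate server-side credentials which must never ship in a client.
SECRET_KEY_RE = re.compile(r"secret|private_key|password", re.IGNORECASE)
PEM_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def _leaves(node, path="", key=""):
    """Yield (dotted_path, key_name, value) for every scalar in the JSON tree."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _leaves(v, f"{path}.{k}" if path else k, k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _leaves(v, f"{path}[{i}]", key)
    else:
        yield path, key, node


def audit_client_config(config_text):
    """Return (path, reason) findings for a google-services.json given as a string."""
    findings = []
    for path, key, value in _leaves(json.loads(config_text)):
        if isinstance(value, str) and PEM_RE.search(value):
            findings.append((path, "PEM private key embedded in client config"))
        elif SECRET_KEY_RE.search(key):
            findings.append((path, "key name suggests a server-side secret"))
        elif key not in EXPECTED_KEYS:
            findings.append((path, "unexpected field; verify it is an identifier, not a credential"))
    return findings


# Constructed sample: identifiers only, as Mike describes the real file.
CLEAN_CONFIG = """{
  "project_info": {"project_number": "123456789012",
                   "firebase_url": "https://example-app.firebaseio.com",
                   "project_id": "example-app",
                   "storage_bucket": "example-app.appspot.com"},
  "client": [{"client_info": {"mobilesdk_app_id": "1:123456789012:android:0123456789abcdef",
                              "android_client_info": {"package_name": "com.example.app"}},
              "api_key": [{"current_key": "AIzaSyEXAMPLE-EXAMPLE-EXAMPLE-EXAMPLE12"}]}],
  "configuration_version": "1"
}"""
# Constructed sample: the same file with a database secret and a service-account key pasted in.
LEAKY_CONFIG = CLEAN_CONFIG.rstrip("}\n") + """,
  "database_secret": "EXAMPLE_LEGACY_DB_SECRET_PLACEHOLDER",
  "service_account": {"private_key": "-----BEGIN PRIVATE KEY-----\\nMIIEEXAMPLE\\n-----END PRIVATE KEY-----"}
}"""
```

Run it against the clean sample and it returns no findings; against the leaky one it reports both the `database_secret` field and the embedded private key, which is the signal to pull the build and revoke the secret.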

Steve

Sep 5, 2016, 12:16:09 PM
to Firebase Google Group
Hi Mike Mcdonald,

Thank you so much Mike, it really helped me out. After I researched,
I think there will be a server-to-server key secret in Firebase 3.0, and the common Database Secret in Google-Services.json is only for reading and writing to the database based on the security rules.

Best Regards
Steve